[Swan-dev] simple setup

Paul Wouters paul at nohats.ca
Mon Oct 8 22:07:14 UTC 2018


On Mon, 8 Oct 2018, Daniel Kahn Gillmor wrote:

> I agree with the goals of this thread.  I've been nudging Paul for over
> a year now with the hopes of getting something running that "just works"
> with something as close to an "{apt|dnf} install libreswan" as possible.

Thanks for doing that. We are still working on making OE easier to use.

> I agree with Kim that a web interface is *not* the way to go.  wireguard
> configuration files are pretty simple, dumb .ini-file style configs that
> identify peers by public key.

Note that it is not a fair comparison, as wireguard does a lot of
configuration out of band, such as DNS servers. It also hardcodes ports
and keys.

> Below is the most complex example from wg(8):
>
>           [Interface]
>           PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
>           ListenPort = 51820
>
>           [Peer]
>           PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
>           Endpoint = 192.95.5.67:1234
>           AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

So this translates to:

conn peer-to-peer
 	left=%defaultroute
 	leftrsasigkey=0xXXXXXXXXXXX
 	leftsubnets=10.192.122.3/32,10.192.124.1/24
 	right=192.95.5.67
 	rightrsasigkey=0xYYYYYYYY
 	auto=start

(assuming I'm reading the meaning of AllowedIPs right)

That's 7 lines versus 7 lines. It's really not that much more complicated. It
is a myth. In fact, the whole demultiplexing / port usage of WG is more
complexity :P

The one thing I do dislike is our %defaultroute and %any values. It
would be nice if we could orient based on the private/public key and
pick up the IPs automatically. Still, that only saves you 1 line.

> Can libreswan offer something comparably simple for users whose goal is
> a "VPN"?  Or, if libreswan sees that targeted use case as not-in-scope,
> is there some other use case that libreswan can offer a comparably
> compelling minimalist configuration?

I'm not sure how we can be more minimal than this, it is the same as
wireguard.

Clearly we need a better marketing strategy and fancy website so people
will understand it better. But again, IKE/IPsec is not harder than
wireguard. We just have many more different kinds of deployments and
additional optional features.

Now, when you are talking about a real remote access VPN, I do agree
it is a little more complicated than desired:

conn vpn.nohats.ca
 	left=%defaultroute
 	leftcert=letoams.nohats.ca
 	leftsubnet=0.0.0.0/0
 	rightid=@vpn.nohats.ca
 	right=vpn.nohats.ca
 	rightsubnet=0.0.0.0/0
 	narrowing=yes
 	ikev2=insist
 	leftmodecfgclient=yes

It would be nice if this could become:

conn vpn.nohats.ca
 	type=remote-access-vpn
 	leftcert=letoams.nohats.ca
 	right=vpn.nohats.ca

Paul
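The wireguard-to-libreswan translation sketched above, written out as a small script. This is an added example, not code from the thread or from the libreswan project: it parses the wg(8)-style INI text and emits the conn stanza. AllowedIPs on a [Peer] is the set of addresses routed via that peer, so this example places it on the right (remote) side as rightsubnets, which is the point Paul hedged on; the WireGuard port is dropped because IKE uses its own UDP ports, and the Curve25519 keys are replaced by labelled placeholders because they cannot be reused as RSA keys.

```python
# Constructed sample: the wg(8) example quoted in the thread, with the real
# key material replaced by placeholders.
WG_SAMPLE = """\
[Interface]
PrivateKey = <WG_PRIVATE_KEY>
ListenPort = 51820

[Peer]
PublicKey = <WG_PEER_PUBLIC_KEY>
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
"""


def parse_wg(text):
    """Parse WireGuard INI text into a list of (section, {key: value}).

    Hand-rolled rather than configparser so that several [Peer] sections
    (legal in WireGuard) are kept apart instead of merged or rejected.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def to_libreswan(sections, name="peer-to-peer"):
    """Emit a libreswan conn for a config with exactly one [Peer]."""
    peers = [body for header, body in sections if header == "Peer"]
    if len(peers) != 1:
        raise ValueError("expected exactly one [Peer] section")
    peer = peers[0]
    # Endpoint is host:port, possibly [v6addr]:port; IKE does not use WG's port.
    host = peer["Endpoint"].rsplit(":", 1)[0].strip("[]")
    subnets = ",".join(s.strip() for s in peer["AllowedIPs"].split(","))
    return "\n".join([
        f"conn {name}",
        "\tleft=%defaultroute",
        "\tleftrsasigkey=0x<LEFT_RSA_PUBKEY>",    # placeholder, not a WG key
        f"\tright={host}",
        "\trightrsasigkey=0x<RIGHT_RSA_PUBKEY>",  # placeholder, not a WG key
        f"\trightsubnets={subnets}",
        "\tauto=start",
    ])
```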