[Swan-dev] simple setup

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Oct 9 05:34:42 UTC 2018


On Mon 2018-10-08 18:07:14 -0400, Paul Wouters wrote:
> Now, when you are talking about a real remote access VPN,

I'm assuming this means an "encrypted internet proxy" -- is that right?

> I do agree it is a little more complicated than desired:
>
> conn vpn.nohats.ca
>  	left=%defaultroute
>  	leftcert=letoams.nohats.ca
>  	leftsubnet=0.0.0.0/0
>  	rightid=@vpn.nohats.ca
>  	right=vpn.nohats.ca
>  	rightsubnet=0.0.0.0/0
>  	narrowing=yes
>  	ikev2=insist
>  	leftmodecfgclient=yes
>
> It would be nice if this could become:
>
> conn vpn.nohats.ca
>  	type=remote-access-vpn
>  	leftcert=letoams.nohats.ca
>  	right=vpn.nohats.ca

What does it take to get there from here?  And doesn't this minimal
setup (as nice as it looks) require some interaction with a certificate
authority to get the certs right in the first place?  (not to mention
certificate maintenance) -- or do we have a story for automated
certificate management that i'm not aware of?

Also, how is a novice admin supposed to know what "left" and "right"
mean here?  Wireguard's [Interface] vs [Peer] stanzas make it pretty
clear which part corresponds to the local machine and which part
corresponds to everybody else.

I note that the conf.ini-style syntax wireguard uses is probably
marginally visually simpler for most admins (thanks to inheritance from
years of microsoft, in addition to adoption by systemd) than libreswan's
indented stanzas, but i'm sure that's also a matter of taste, and not a
religious war i want to fight right now. :)

I want to see libreswan get to this level of simplicity and ease of use!
i'm asking these questions to try to push in that direction, not trying
to throw shade.  If there's some way to get us closer to this, that'd be
great.

Good, opinionated defaults could go a long way here, and we can "bundle"
them with just such a type= argument so that we're not worried about
shifting an already-deployed base.

          --dkg
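An added example, not part of the original mail and not libreswan code: a small Python sketch of the bundling idea discussed above, expanding the proposed three-line conn into the long form quoted from Paul's mail. `type=remote-access-vpn` is not a real libreswan option, and the bundled defaults are simply the settings of the long-form conn in the thread.

```python
import re
# Hypothetical `type=remote-access-vpn` bundle: the defaults lifted verbatim
# from the long-form conn in the thread.  libreswan has no such type= value.
BUNDLES = {
    "remote-access-vpn": {
        "left": "%defaultroute",
        "leftsubnet": "0.0.0.0/0",
        "rightsubnet": "0.0.0.0/0",
        "narrowing": "yes",
        "ikev2": "insist",
        "leftmodecfgclient": "yes",
    },
}
REQUIRED = ("leftcert", "right")  # the short form must still state these

def parse_conn(text):
    """Parse one indented `conn NAME` stanza into (name, {key: value})."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"conn\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or name is None:
            raise ValueError(f"malformed line: {line!r}")
        settings[key.strip()] = value.strip()
    if name is None:
        raise ValueError("no conn stanza found")
    return name, settings

def expand(settings):
    """Replace type= with its bundle; explicit keys override the defaults."""
    kind = settings.get("type")
    if kind not in BUNDLES:
        raise ValueError(f"unknown type={kind!r}")
    missing = [k for k in REQUIRED if k not in settings]
    if missing:
        raise ValueError(f"type={kind} still needs {missing}")
    out = dict(BUNDLES[kind])
    out.update((k, v) for k, v in settings.items() if k != "type")
    out.setdefault("rightid", "@" + out["right"])  # peer ID from peer FQDN
    return out

# Constructed input: the short form proposed in the thread, tab-indented.
SHORT = "conn vpn.nohats.ca\n\ttype=remote-access-vpn\n\tleftcert=letoams.nohats.ca\n\tright=vpn.nohats.ca\n"
```

`expand(parse_conn(SHORT)[1])` yields the nine settings of the long-form conn; an explicit key in the short form (say `ikev2=no`) overrides the bundled default, and a missing `leftcert` or `right` is rejected rather than silently defaulted.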