FreeBSD Home NAS, part 3: WireGuard VPN, routing, and Linux peers(rtfm.co.ua)

170 pointsby todsacerdoti3 days ago4 comments

age123456gpg3 days ago
You can get yourself a vanity key using https://github.com/AlexanderYastrebov/wireguard-vanity-key tool:
```
   % wireguard-vanity-key -prefix=NAS/
   private                                      public                                       attempts   duration   attempts/s
   EiBsDB8zt/G4+VWGvxW2ZznNXYmcslcIyJimNR2PpF4= NAS/aex8+IFzLePBYVNGMsSo/1/XeUZcam+Hn8wbNB4= 22619537   0s         112587360
```
- hnarn2 days ago
  While it's cool, something about vanity keys in general stroke me the wrong way. I feel like in principle you should never use a very short part of a public key for ocular identification, and it attempts to solve something that should be solved outside of wireguard, i.e. the "friendly naming" of public keys.
- bschmidt250022 days ago
  [dead]
rpcope13 days ago
Wireguard is cool, but there's some reasons it's worth considering OpenVPN (why I still use OpenVPN anyways). First, OpenVPN has kernel mode now (called DCO, which I think Netgate maybe has upstreamed to FreeBSD); I've found it's performance on hardware with AES-NI on Linux is actually often better than wireguard. Second, there's a lot of quality of life things that just work on OpenVPN that you've got to use a ton of duct tape to make work with Wireguard, a major one being handling DNS record change (think especially dynamic DNS, which is likely if this is IPv4 and a residential connection). This is a huge pain with Wireguard, but just works on OpenVPN. Similarly if you have multiple WAN links, like I do, for OpenVPN it's just two connection stanzas and it largely just works. Again for Wireguard you're adding lots of duct tape to make it work right. I know Wireguard is the new hot thing, but it leaves a lot to be desired in the resiliency and features department.
- paranoidrobot2 days ago
  One of the major advantages for Wireguard over OpenVPN (for me) is that it's quite difficult for random port scans to detect it.
  With OpenVPN it's hanging out there responding to everyone that asks nicely that yes, it's OpenVPN.
  So anyone with a new exploit for OpenVPN just has to pull up Shodan and now they've got a nice list of targets that likely have access to more private networks.
  Wireguard doesn't respond at all unless you've got the right keys.
  Also, fwiw - we're approaching 11 years since it was announced, and 5 years since it was accepted into the Linux/BSD kernels.
  - rsyring2 days ago
    > With OpenVPN it's hanging out there responding to everyone that asks nicely that yes, it's OpenVPN.
    I believe asing UDP mode and a ta.key go a long way towards making OpenVPN invisible to port scans. Double check docs for details.
- ZeWaren2 days ago
  I use wireguard as my main VPN to connect to my homelab from my phone and my laptops.
  I also have an OpenVPN as a backup option, running behind sslh. My same port on my router (443) serves both a webserver hosting photos, and that OpenVPN instance. This allows me to VPN into my home in most firewalled office networks.
  - bayindirh2 days ago
    Why not using tailscale/headscale, which removes the requirement to expose home network to internet at all?
    lurking_swe2 days ago
    i’m assuming because of the “web server hosting photos”. Probably Immich if i had to guess?
    tailscale is fine if you’re somewhat tech savvy, but it’s annoying to show all your friends and family how to “correctly” access your web server. Too much friction. First download the tailscale app, sign in, blah blah. Then you also are unnecessarily bogging down everyone’s smartphone with a wire guard VPN profile which is…undesirable.
    I like tailscale and use it for some stuff. But for web servers that i want my whole family (and some friends) to easily access, a traditional setup makes much more sense. The tradeoff is (obviously) a higher security burden. I protect the web apps in my homelab with SSO (OIDC), among other things.
    bayindirh2 days ago
    I prefer to gatekeep "entry points" with Tailscale. A server can have HTTP/S exposed to the world, but its SSH can stay behind Tailscale to enable defense in depth.
    Keeping Tailscale as the only security layer will be foolish of course, but keeping the entry points hidden from general internet is a useful additional layer, if you ask me.
    As a matter of principle, I like keep the number of open ports to a minimum. Let it be SSH or VPN, it doesn't matter. I have been burned enough times.
    waynesonfire2 days ago
    I've applied the same principal to my network. Though, I do have plans to re-open some additional ports beyond just SSH / VPN.
    Thinking through how I would achieve this introduced me to the concept of a DMZ-zone. The DMZ places publicly accessible services in a highly locked down environment.
    bayindirha day ago
    DMZ is a very old concept, and applying it is easy when everything is in a single room, connected to a single network, and everything can be isolated there.
    When the network is distributed on multiple sites, things get exponentially harder if you don't own a dark fiber from site to site and have essentially a single network.
    I personally manage enough servers to scratch that itch, so I yearn for simplicity. If Tailscale gives me that isolation for free (which it does), I'd rather use that for my toy network rather than an elaborate multi-site DMZ setup.
- justsomehnguya day ago
  Wireguard is cool transport protocol.
  OpenVPN is a proper VPN protocol with a serious performance troubles if you misstep even once.
  Wireguard fanboys just never use it more than on a couple of devices where they could manually tinker everything what is needed, they never provided a VPN solutions for even dozens of users.
bschmidt250172 days ago
[dead]
bschmidt250022 days ago
[dead]