[tech] WireGuard (was: Re: [wheel] Forge+Sponge Minecraft Server)
David Adam
zanchey at ucc.gu.uwa.edu.au
Tue Nov 5 10:34:32 AWST 2019
On Tue, 5 Nov 2019, Scott Young wrote:
> On Sat, 2 Nov 2019, at 6:04 PM, Callan Gray wrote:
> > Will the club be open during exam period? It might also be helpful if someone
> > could generate me a vpn key as described in https://wiki.ucc.asn.au/VPN
>
> I'm afraid this will be unhelpful to Callan as I'm no longer a current student
> or located in Western Australia, but it reminds me that it would be cool if UCC
> made WireGuard available as an alternative to the older VPN software documented
> on the wiki, which I found to be painful to configure when I tried at various
> times between 2007 and 2013.
There was a golden period where strongSwan worked for iOS, macOS, Windows
and Android (though better with the app), but it's been pretty flaky since
the move to AD.
> I've recently set up a few small scale VPNs using WireGuard and it's been very
> educational for me. Creating a script that allows users to add new WireGuard
> interfaces or peers without needing root access seems like a good UCC project
> and service, but since I lost root access in the recent wheel purge, I've been
> experimenting on my own hardware instead.
Likewise; WireGuard has been really impressive and I've been using it on
my VPN.
I don't think there's been any serious work on dynamic setup for
WireGuard; there's https://git.zx2c4.com/wg-dynamic/about/docs/idea.md but
that's not close to ready (and is only dynamic around network addresses,
not authentication). A cursory search turns up
https://github.com/yanosz/wireguard-rest but that would need a reasonable
amount of integration work done as well.
One thing the current strongSwan VPN setup provides is strong
accountability and auditing; connections are logged to PostgreSQL via
RADIUS. I don't think the OpenVPN stuff was ever set up for that, though I
could be wrong - I don't know what the masquerading setup is like.
WireGuard doesn't really have any concept of active or inactive
connections.
[DAA]
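Since WireGuard has no session state to log, an auditing setup comparable to the strongSwan/RADIUS one has to be approximated from outside the protocol. The script below is an added example (not UCC's code and not from the thread): it parses the tab-separated output of `wg show <iface> dump`, classifies each peer by the age of its latest handshake, and emits audit events when a peer's state changes between polls. It assumes the documented dump format (interface line first, then one peer per line: public key, preshared key, endpoint, allowed IPs, latest handshake, rx, tx, keepalive) and uses a 180 second staleness threshold, which is WireGuard's session reject time; the keys and addresses in the sample are constructed placeholders.

```python
import time
from dataclasses import dataclass

# A WireGuard peer that is passing traffic rekeys every 120 s and the
# protocol rejects a session older than 180 s, so no handshake within
# 180 s means no recent traffic. Assumption: this is "idle" for auditing.
STALE_AFTER = 180


@dataclass
class PeerState:
    public_key: str
    endpoint: str          # "(none)" if the peer has never connected
    latest_handshake: int  # unix time; 0 means never
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(text):
    """Parse `wg show <iface> dump` output into PeerState objects.

    The first line describes the interface itself and is skipped;
    every following line is one peer with eight tab-separated fields."""
    peers = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # tolerate unexpected lines rather than crash the poller
        pub, _psk, endpoint, _allowed, hs, rx, tx, _keepalive = fields
        peers.append(PeerState(pub, endpoint, int(hs), int(rx), int(tx)))
    return peers


def classify(peers, now, stale_after=STALE_AFTER):
    """Map public key -> 'active', 'idle' or 'never' based on handshake age."""
    states = {}
    for p in peers:
        if p.latest_handshake == 0:
            states[p.public_key] = "never"
        elif now - p.latest_handshake <= stale_after:
            states[p.public_key] = "active"
        else:
            states[p.public_key] = "idle"
    return states


def audit_events(previous, current, now):
    """Emit one log line per peer whose state changed since the last poll.

    Polling this regularly and shipping the lines to syslog/PostgreSQL gives
    approximate session start/stop records; it is still only evidence of
    traffic, not proof that a user 'disconnected'."""
    events = []
    for key, state in current.items():
        before = previous.get(key, "never")
        if state != before:
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
            events.append(f"{stamp} peer={key} {before}->{state}")
    return events


# Constructed sample of `wg show wg0 dump`; keys and addresses are placeholders.
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_PLACEHOLDER=", "SERVER_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.10:41234",
               "10.0.0.2/32", "1572920000", "52300", "98000", "25"]),
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER=", "(none)", "(none)",
               "10.0.0.3/32", "0", "0", "0", "off"]),
    "\t".join(["PEER_C_PUBKEY_PLACEHOLDER=", "(none)", "198.51.100.7:55000",
               "10.0.0.4/32", "1572916000", "1000", "2000", "off"]),
])
SAMPLE_NOW = 1572920060  # 60 s after peer A's last handshake


if __name__ == "__main__":
    peers = parse_wg_dump(SAMPLE_DUMP)
    states = classify(peers, SAMPLE_NOW)
    for line in audit_events({}, states, SAMPLE_NOW):
        print(line)
```

In production the dump would come from `subprocess.run(["wg", "show", "wg0", "dump"])` on a timer, with the previous poll's state kept between runs; the `never` state covers peers that are configured but have not completed a handshake, which matters when reviewing who actually used an issued key.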