[Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]

Dan Ritter dsr at randomstring.org
Fri Dec 18 10:29:07 EST 2020


Matthew Gillen wrote: 
> 
> 
> On 12/17/2020 12:47 PM, Kent Borg wrote:
> > P.S. I get *lots* of break in attempts (that's how I know my connection
> > is live), but my system has very few users, all with good passwords, so
> > I don't worry.
> 
> I've struggled with this; with so few users it seems silly to expose
> certain things to the whole world (from an IP point of view).
> 
> I've been poking at wireguard (new VPN-ish capability built in to linux
> kernel; I feel like wireguard is to VPNs what NoSQL DBs are to
> relational DBs)

No, wireguard is a first-class VPN transport, equivalent to
IPsec or OpenVPN, considerably better than using SSH as a
tunnel.

The key feature of wireguard is that it only does the minimal
amount of work necessary to send/receive encrypted packets, and
appears as a new NIC to the OS. It ignores all packets that
arrive for it without the proper encryption. It doesn't make
routing decisions itself, the OS does that. There are no knobs
to tweak; you can't make it insecure or incompatible by
accident.

>, which to my initial reading seems like the right
> solution:  server only exposes services to things on an "internal net",
> wireguard on the mobile devices makes sure that when talking to any
> services on that server that the connection gets tunneled through (with
> good crypto that isn't application-specific) to the 'internal' side.

That's one of many possible ways to use it.

Other uses:

- point-to-point VPN tunnel
- hub-and-spoke VPN with routing
- site-to-site VPN with routing
- full-mesh VPN (requires external tools to keep all the config
  manageable)

> However, I have yet to get it working the way I want.  Anyone played
> with it?  ( https://www.wireguard.com/ ;
> https://arstechnica.com/gadgets/2020/11/wireguard-for-windows-0-3-1-is-the-release-youve-been-waiting-for/
> )

Extensively, but not on Windows. I use it personally and at work
on Linux and MacOS.

-dsr-
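As an added illustration (not part of the original thread or of the WireGuard project's own documentation), here is the hub-and-spoke layout Dan describes, written as two wg-quick configuration files: the server acts as the hub and binds its services (for example the IMAP daemon from the original subject line) only to its tunnel address, and a mobile device reaches those services through the tunnel. The addresses, endpoints, keys, interface name and port below are constructed placeholders, not values from any real deployment.

```ini
# --- /etc/wireguard/wg0.conf on the hub (the mail server) ---
# Constructed example: 10.8.0.0/24 is the "internal net"; only peers that
# present a valid key and encrypted handshake are answered, everything else is dropped.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820              # the only UDP port exposed to the Internet
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER
# Needed only if spokes should reach each other through the hub (routing):
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

# One [Peer] block per mobile device; AllowedIPs pins each key to exactly
# one tunnel address, so a peer cannot claim another device's address.
[Peer]
# phone
PublicKey  = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# laptop
PublicKey  = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32


# --- wg0.conf on the phone (a spoke) ---
[Interface]
Address    = 10.8.0.2/24
PrivateKey = PHONE_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey  = HUB_PUBLIC_KEY_PLACEHOLDER
Endpoint   = vpn.example.invalid:51820   # placeholder hostname
# Route the whole internal net through the hub; wg-quick installs this route
# for you, the kernel (not WireGuard) decides which packets take it.
AllowedIPs = 10.8.0.0/24
# Keeps the NAT mapping alive when the phone is behind a home or mobile NAT.
PersistentKeepalive = 25
```

With this in place, the services on the hub are configured to listen on 10.8.0.1 rather than on the public address, so the only thing reachable from the open Internet is UDP/51820, which stays silent to anyone without a configured key. The spoke's `AllowedIPs = 10.8.0.0/24` is what turns a point-to-point link into hub-and-spoke: with `ip_forward` enabled on the hub, the phone can reach the laptop at 10.8.0.3 via the hub, while a plain point-to-point setup would use `AllowedIPs = 10.8.0.1/32` and leave forwarding off.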

