BLU Discuss list archive
[Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]
- Subject: [Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]
- From: dsr at randomstring.org (Dan Ritter)
- Date: Fri, 18 Dec 2020 12:07:44 -0500
- In-reply-to: <0c4b4546-3110-b06a-8958-b0e7d227eef1@mattgillen.net>
- References: <mailman.1.1607619604.20325.discuss@lists.blu.org> <24539.38809.149419.966527@blazemonger.com> <ce8252e2-5112-e571-7250-143827b268c4@borg.org> <d8581edf-4664-31bc-6e0b-c10ed9c822a7@mattgillen.net> <20201218152907.GN670@randomstring.org> <0c4b4546-3110-b06a-8958-b0e7d227eef1@mattgillen.net>
Matthew Gillen wrote:
> On 12/18/2020 10:29 AM, Dan Ritter wrote:
> > That's one of many possible ways to use it.
> >
> > Other uses:
> >
> > - point-to-point VPN tunnel
> > - hub-and-spoke VPN with routing
> > - site-to-site VPN with routing
> > - full-mesh VPN (requires external tools to keep all the config
> >   manageable)
> >
> >> However, I have yet to get it working the way I want. Anyone played
> >> with it? ( https://www.wireguard.com/ ;
> >> https://arstechnica.com/gadgets/2020/11/wireguard-for-windows-0-3-1-is-the-release-youve-been-waiting-for/
> >> )
> >
> > Extensively, but not on Windows. I use it personally and at work
> > on Linux and MacOS.
>
> Excellent! Where I got stuck was the IP layer. Suppose I want the
> hub-and-spoke VPN with routing option from your list above, on the 'hub',
> how do you configure the IP interfaces? Can you bind it to an existing
> "internal" interface? Do you need separate interfaces for every peer?

Wireguard requires its own interfaces, traditionally named wg0... but
they can have any name you desire. One interface serves per routing
policy, so you could have a few thousand machines accessible via wg0 if
they were all going to be treated the same way, and then another few
thousand on wg1 because, say, you wanted to restrict access to them in a
different way.

We did this with one interface for remote laptops and a different
interface for remote VMs (our usage there is limited by policy; they're
mostly external monitoring systems.)

> Also very curious what you're using for "external tools", because right
> away I saw that it might be manageable for a home network, but would be
> a nightmare at scale.

It's actually less of a nightmare than, say, OpenVPN or IPsec, because
the config to support each remote node is so limited in both complexity
and size. Shell scripts will work.
[Peer]
# laptop assigned to Michelle
PublicKey = U9Gz3sTIZlB124Gp3yRPr5O/0KeLDUbUh6zKopbqeG4=
AllowedIPs = 10.10.1.5/32

[Peer]
# laptop assigned to Melvin
PublicKey = FOojDLJ/tOfiZXCya6wBm5god5Fb2diT9/Nt98jmsgY=
AllowedIPs = 10.10.1.6/32

That's all you need to set into a wg0.conf skeleton. Keep a very simple
CSV with name, publickey, IP and always replace both private and pubkey
when someone reports a machine missing or crashed or what-have-you.

-dsr-
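The "CSV plus shell script" approach Dan describes, as an added example that is not part of the original post: a POSIX sh script that turns a name,publickey,ip CSV into the hub's wg0.conf, refuses rows that would widen AllowedIPs beyond a /32 or give two peers the same IP, and rotates one row's public key when a laptop is reported lost. The [Interface] values (10.10.1.1/24, port 51820, the key path /etc/wireguard/wg0.key) and the CSV path are assumptions chosen for the example; the two public keys in the sample inventory are the ones from the post above, reused as constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a hub wg0.conf from
# a "name,publickey,ip" CSV and rotates one peer's key. Interface address,
# port and key path below are assumptions for the example.
set -eu

# Validate one CSV row. A WireGuard public key is a 32-byte Curve25519
# point, which base64-encodes to exactly 44 characters ending in '='.
# On the hub, each laptop's AllowedIPs must be a single /32: a typo like
# 10.10.1.0/24 would let one laptop claim (and receive) the whole subnet.
check_row() {
    name=$1 pubkey=$2 ip=$3
    [ "${#pubkey}" -eq 44 ] || { echo "$name: public key is not 44 chars" >&2; return 1; }
    case "$pubkey" in
        *[!A-Za-z0-9+/=]*) echo "$name: public key has non-base64 chars" >&2; return 1 ;;
        *=) ;;
        *) echo "$name: public key lacks base64 padding" >&2; return 1 ;;
    esac
    case "$ip" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/32) ;;
        *) echo "$name: AllowedIPs must be a /32, got '$ip'" >&2; return 1 ;;
    esac
}

# Emit one [Peer] block per CSV row (header skipped). Fails on the first bad
# row so a partial config is never written.
gen_peers() {
    while IFS=, read -r name pubkey ip || [ -n "$name" ]; do
        [ "$name" = "name" ] && continue   # header line
        [ -z "$name" ] && continue          # blank line
        check_row "$name" "$pubkey" "$ip" || return 1
        printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n\n' "$name" "$pubkey" "$ip"
    done < "$1"
}

# WireGuard lets an allowed IP belong to only one peer: a later [Peer] with
# the same AllowedIPs silently takes it from the earlier one. Catch that in
# the inventory instead of discovering it as a laptop that stopped routing.
check_unique_ips() {
    dups=$(tail -n +2 "$1" | cut -d, -f3 | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate AllowedIPs: $dups" >&2; return 1; }
}

# Assemble the full hub config. The hub's private key stays in a root-only
# file and is loaded with 'wg set' at PostUp, so it never lives in wg0.conf
# (which gets regenerated and copied around).
build_conf() {
    csv=$1
    check_unique_ips "$csv" || return 1
    printf '[Interface]\nAddress = 10.10.1.1/24\nListenPort = 51820\n'
    printf 'PostUp = wg set %%i private-key /etc/wireguard/wg0.key\n\n'
    gen_peers "$csv"
}

# Rotation for a lost or rebuilt laptop: the laptop runs
# 'wg genkey | tee new.key | wg pubkey' and only the new public key reaches
# the hub. Replacing the CSV row drops the old key, so regenerating wg0.conf
# revokes it.
rotate_peer() {
    csv=$1 who=$2 newkey=$3
    grep -q "^$who," "$csv" || { echo "no such peer: $who" >&2; return 1; }
    awk -F, -v OFS=, -v who="$who" -v key="$newkey" \
        '$1 == who { $2 = key } { print }' "$csv" > "$csv.tmp" && mv "$csv.tmp" "$csv"
}

# Constructed sample inventory using the two keys from the post above.
write_sample_csv() {
    cat > "$1" <<'EOF'
name,publickey,ip
laptop-michelle,U9Gz3sTIZlB124Gp3yRPr5O/0KeLDUbUh6zKopbqeG4=,10.10.1.5/32
laptop-melvin,FOojDLJ/tOfiZXCya6wBm5god5Fb2diT9/Nt98jmsgY=,10.10.1.6/32
EOF
}

# Usage: PEERS_CSV=/etc/wireguard/peers.csv sh gen-wg0.sh > /etc/wireguard/wg0.conf
if [ -n "${PEERS_CSV:-}" ]; then
    build_conf "$PEERS_CSV"
fi
```

After regenerating the file, `wg syncconf wg0 <(wg-quick strip wg0)` (bash, from the wg-quick man page) applies the new peer list to the running interface without dropping the other laptops' tunnels, which matters when the reason for the change is revoking one key.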
- Follow-Ups:
- [Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]
- From: me at mattgillen.net (Matthew Gillen)
- [Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]
- References:
- [Discuss] dovecot: "Disconnected (no auth attempts in 0 secs)"?
- From: dbarrett at blazemonger.com (Daniel Barrett)
- [Discuss] dovecot: "Disconnected (no auth attempts in 0 secs)"?
- From: kentborg at borg.org (Kent Borg)
- [Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]
- From: me at mattgillen.net (Matthew Gillen)
- [Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]
- From: dsr at randomstring.org (Dan Ritter)
- [Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]
- From: me at mattgillen.net (Matthew Gillen)
- [Discuss] dovecot: "Disconnected (no auth attempts in 0 secs)"?