From: David K. <da...@ke...> - 2017-12-04 16:24:09
I agree, for site-to-site WireGuard is perfect. With time more user friendly clients will emerge and a mechanism for managing IP addresses established to make that work easily as well.

David.

On Mon, Dec 4, 2017 at 11:05 AM, Lonnie Abelbeck <li...@lo...> wrote:

> Hi David,
>
> Thanks for testing WireGuard, and you make good points.
>
> WireGuard and IPSec are similar in some ways, as the core code is in the kernel and as such all addresses are manually assigned as you mention.
>
> IPSec has bolted on much "stuff" as time has gone on, Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG) to support dynamic pools for client configuration via a user space daemon.
>
> I have tested a commercial VPN provider Mullvad.net which supports WireGuard VPN "clients" where their "server" end automatically assigns a 10.0.0.0/8 private /32 address for each client. A static one-time configuration, works very nicely.
>
> Another approach would be to standardize on an IPv6 ULA "fd" address scheme for the local client address, possibly generated from a hash of the PublicKey.
>
> For site-to-site AstLinux constellations, there is no better VPN solution than WireGuard, IMHO.
>
> It will take some time for Android, iOS, ChromeOS, etc. to provide WireGuard solutions, but Android is almost there now, both user-space and kernel implementations.
>
> Lonnie
>
> > On Dec 4, 2017, at 9:02 AM, David Kerr <Da...@Ke...> wrote:
> >
> > Having played with WireGuard I think that it is very good underlying technology to implement VPN. It seems to be very robust and tolerates roaming (client's IP address changing) very well. But there are missing pieces before it is ready for mainstream adoption.
> >
> > The biggest issue that I see is that client IP addresses (whether IPv4 or IPv6) need to be managed manually.... if you have a dozen clients connecting in to the one server, each of these clients must have an IP address manually assigned and configured at the client, and the server needs to know what IP address was assigned and if there are any conflicts (two clients use the same IP address) then I guess the results are "undefined". Right now there is no way to have the server manage a pool of IP addresses and push out to the client an IP address when it connects, whether that IP is dynamically determined by the server or manually configured for each client on the server. WireGuard could never be deployed on a large scale without this.
> >
> > Managing IP addresses should not be a kernel task. So I suspect the raw VPN technology will get embedded into the kernel and solving IP address management will be left to some user space utility. I just don't know if it will require some supporting capability in the kernel or not.
> >
> > David
> >
> > On Sun, Dec 3, 2017 at 3:44 PM, Michael Knill <mic...@ip...> wrote:
> > Great thanks Lonnie. I'm looking forward to it. Very cool!
> >
> > Regards
> > Michael Knill
> >
> > -----Original Message-----
> > From: Lonnie Abelbeck <li...@lo...>
> > Reply-To: AstLinux List <ast...@li...>
> > Date: Monday, 4 December 2017 at 1:39 am
> > To: AstLinux List <ast...@li...>
> > Subject: Re: [Astlinux-users] AstLinux Pre-Release: astlinux-1.3-3534-c5e366
> >
> > Hi Michael,
> >
> > > Wow (WireGuard) looks super easy to set up.
> >
> > Indeed, the easiest VPN you have ever set up, particularly for site-to-site scenarios routing networks across the VPN.
> >
> > > So is it ready for production?
> >
> > I have had in production a remote AstLinux box (SIP / HTTPS) over WireGuard for a few weeks now ... works perfectly, never missed a beat, different ISP at each end.
> >
> > Officially, I would look for a 1.0.0 release and acceptance into the mainline Linux kernel as milestones indicating WireGuard's production-readiness ... should happen soon, but not yet.
> >
> > Definitely worth testing now.
> >
> > Lonnie
> >
> > On Dec 2, 2017, at 10:26 PM, Michael Knill <michael.knill@ipcsolutions.com.au> wrote:
> >
> > > Wow looks super easy to set up. So is it ready for production?
> > >
> > > Regards
> > > Michael Knill
> > >
> > > -----Original Message-----
> > > From: Lonnie Abelbeck <li...@lo...>
> > > Reply-To: AstLinux Developers Mailing List <astlinux-devel@lists.sourceforge.net>
> > > Date: Sunday, 3 December 2017 at 10:13 am
> > > To: AstLinux List <ast...@li...>
> > > Cc: AstLinux Developers Mailing List <astlinux-devel@lists.sourceforge.net>
> > > Subject: [Astlinux-devel] AstLinux Pre-Release: astlinux-1.3-3534-c5e366
> > >
> > > Announcing Pre-Release Version: astlinux-1.3-3534-c5e366
> > >
> > > Particularly notable is the addition of the WireGuard VPN.
> > >
> > > The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.
> > >
> > > -- WireGuard VPN, new package; an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
> > > http://doc.astlinux-project.org/userdoc:tt_wireguard_vpn
> > >
> > > -- Asterisk 13 version bump to 13.18.3
> > >
> > > These pre-release images are for those who would like to take advantage of the AstLinux development before the next official release, as well as providing testing for the project.
> > >
> > > The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...
> > >
> > > AstLinux Project -> Development
> > > http://www.astlinux-project.org/dev.html
> > >
> > > While these images are considered 'stable', the lack of testing will not make these images suitable for critical production systems.
> > >
> > > If you should come across an issue, please report back here.
> > >
> > > AstLinux Team
> > >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Astlinux-users mailing list
> > Ast...@li...
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
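
Added example (not part of the original thread, and not WireGuard or AstLinux code): one way to realize the idea raised above of deriving each client's IPv6 ULA "fd" address from a hash of its PublicKey, together with a check for the duplicate-address case described for manually assigned addresses. The /64 prefix, the use of SHA-256 truncated to 64 bits, the function names and the sample keys are all assumptions made for illustration.

```python
import base64
import hashlib
import ipaddress
from collections import defaultdict

# Assumed site-wide /64 inside fd00::/8 (constructed value, pick your own).
ULA_PREFIX = ipaddress.IPv6Network("fd5a:7c1e:93b2:1::/64")


def ula_from_pubkey(pubkey_b64, prefix=ULA_PREFIX):
    """Derive a stable ULA address from a base64 WireGuard public key."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("a WireGuard public key decodes to 32 bytes")
    if prefix.prefixlen != 64 or not prefix.subnet_of(ipaddress.IPv6Network("fd00::/8")):
        raise ValueError("prefix must be a /64 inside fd00::/8")
    # Assumption: SHA-256 truncated to 64 bits fills the interface identifier.
    iid = int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def find_conflicts(assignments):
    """Return {address: [peer names]} for every address claimed more than once."""
    owners = defaultdict(list)
    for name, addr in assignments:
        owners[ipaddress.ip_address(addr)].append(name)
    return {addr: names for addr, names in owners.items() if len(names) > 1}


# Constructed sample keys: 32 repeated bytes each, not real peers.
PEERS = {name: base64.b64encode(bytes([i]) * 32).decode()
         for i, name in enumerate(["laptop", "phone", "branch-office"], start=1)}

# Hand-assigned addresses, with the duplicate the thread warns about.
MANUAL = [("laptop", "10.4.0.2"), ("phone", "10.4.0.3"), ("branch-office", "10.4.0.2")]

# Key-derived addresses: no coordination needed, but a truncated hash can still
# collide in principle, so the server side keeps running the same check.
DERIVED = [(name, ula_from_pubkey(key)) for name, key in PEERS.items()]

if __name__ == "__main__":
    print("manual conflicts: ", find_conflicts(MANUAL))
    print("derived conflicts:", find_conflicts(DERIVED))
    for name, addr in DERIVED:
        # AllowedIPs line for the server's [Peer] section
        print(f"{name}: AllowedIPs = {addr}/128")
```

Because the address is a pure function of the key, the server and the client can each compute it independently from the PublicKey they already exchange.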