Friday, March 31, 2023

Re: L2TP vs Wireguard for tunneling (not for VPN)

On 2023-03-31, Janne Johansson <icepic.dz@gmail.com> wrote:
> Den fre 31 mars 2023 kl 00:03 skrev Polarian <polarian@polarian.dev>:
>> So whenever you do research into the topic of what protocol to use for
>> tunneling the idea of VPN will always come up. L2TP is considered
>> obsolete and insecure, however I see a lot of ISPs still use it to pass
>> traffic from one source to another.
>> Now the two questions come up, privacy or speed. Being OpenBSD privacy
>> is the number one priority, and as far as the benchmarks and studies
>> show, wireguard has the fastest encryption and also security.
>> On the other hand, it appears L2TP, although insecure as a VPN, is still
>> a very fast method of passing traffic around.
>>
>> What protocol (and software) do you guys recommend me to deploy? and
>
> I would suggest going with wireguard, but even if you don't agree it
> sounds kind of easy for you to build both and benchmark them to see if
> the added security of wireguard actually makes a noticeable impact or
> not. My guess is "probably not".

The only known L2TP _client_ implementation for OpenBSD is xl2tpd, which
works in conjunction with pppd. It's a pain to configure, rather slow
and a bit flaky; also, pppd only supports IPv4 (v6 support was added
upstream after most non-Linux OS support was removed).

(npppd speaks L2TP, but it's server side only).

For unencrypted tunnels OpenBSD has a whole range with kernel support:
gre(4) covers a number of related common layer 2 and 3 protocols,
gif(4) covers L3 and has a slightly lower per-packet overhead (fewer bytes of
header), etherip(4) for L2, and vxlan(4), with varying use cases.

The issue with those for OP's use case is that both sides need
configuring with the IP address of the other so, even if crypto isn't
needed, I'd suggest wg or iked to get automatic handling of IP address
changes.
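As an added illustration of that last point (not part of the original mail, and not configuration from the OpenBSD project): the same point-to-point tunnel written as OpenBSD hostname.if(5) files, first over gre(4), where each end must be told the other's public address, then over wg(4), where only the roaming side carries a fixed wgendpoint and the fixed side learns the peer's current address from the last authenticated packet. All addresses are documentation-range placeholders and the keys are stand-ins for base64 values you would generate yourself.

```conf
# --- gre(4): outer addresses are static on both ends ---

# /etc/hostname.gre0 on host A (public address 192.0.2.1, placeholder)
# "tunnel <local> <remote>" pins both outer addresses; if host B's public
# address changes, this file on A must be edited and the interface restarted.
tunnel 192.0.2.1 203.0.113.1
inet 10.9.0.1 255.255.255.255 10.9.0.2
up

# /etc/hostname.gre0 on host B (public address 203.0.113.1, placeholder)
tunnel 203.0.113.1 192.0.2.1
inet 10.9.0.2 255.255.255.255 10.9.0.1
up

# --- wg(4): only the roaming side needs a configured endpoint ---

# /etc/hostname.wg0 on host A (fixed public address 192.0.2.1)
# No wgendpoint for the peer: A accepts the first packet that authenticates
# with B's public key and records the source address/port as the endpoint.
wgkey <private key of A, base64>
wgport 51820
wgpeer <public key of B, base64> wgaip 10.9.0.2/32
inet 10.9.0.1/30
up

# /etc/hostname.wg0 on host B (public address may change, possibly behind NAT)
# B knows A's fixed address; wgpka sends a keepalive every 25 s so A (and any
# NAT in between) keeps seeing B's current address.
wgkey <private key of B, base64>
wgport 51820
wgpeer <public key of A, base64> wgendpoint 192.0.2.1 51820 wgaip 10.9.0.1/32 wgpka 25
inet 10.9.0.2/30
up
```

Private keys can be generated with `openssl rand -base64 32`, as the wg(4) manual shows, and the matching public key is read back from `ifconfig wg0` once the private key is set. After B has connected, `ifconfig wg0` on A lists the peer with its learned wgendpoint and a last-handshake time; that entry is what moves on its own when B's address changes, which is exactly what the gre(4) files above cannot do.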
