On Thu, Nov 21, 2024 at 03:16:25PM -0700, Devin Reade said:
> So my main question is whether there are compelling reasons to
> be considering wireguard (or other options) over ipsec? I'm
> guessing that assuming stability is good for both that the
> respective approaches to dynamic IP changes may be a deciding
> factor.
I've been running GRE over IPsec tunnels for OpenBSD to OpenBSD systems
for close to 20 years and IPsec tunnels for roadwarrior Windows, macOS
and i{,pad}OS clients for at least 10. I've found it to be a bit
complex to configure (though iked(8) made it a lot better) but once it
works it works and it is fairly widely supported by native tools.
One of the key requirements for me has been a strong preference for
native tooling instead of relying on third-party code.
I've started to switch some tunnels to wireguard now that it is native
in OpenBSD, but those are only to systems (mostly MikroTik RouterOS
and Linux devices) that have native wireguard support and poor IPsec
support.
In the case you have both endpoints with dynamic IP addresses, I don't
really know how you will handle that. You may need some external
machinery to update and reload configurations and DNS. I don't think
either tunnel type will provide you with pros or cons there, except that
reloading iked(8) will bounce all your tunnels but reconfiguring a wg(4)
interface will only affect the tunnel(s) terminating on it.
I would stay far away from OpenVPN. I've never had good luck with it.
As far as I can tell the only upside is that there are a lot of
third-party applications for a lot of systems that are extremely easy to
set up.
> A quick perusal seems to indicate that ipsec, at least, plays
> well with carp and friends.
OpenBSD certainly has the most integration with IPsec, the new sec(4)
may even relieve the need for running something like GRE on top.
--
Please direct replies to the list.