Title: What are the VPNs available on OpenBSD
Author: Solène
Date: 11 December 2021
Tags: openbsd vpn nocloud
Description: I made a list of the VPNs that can be used on OpenBSD,
whether they come from base or from packages, and gave the pros and
cons of each protocol.
# Introduction
I wanted to write this text for some time: a list of VPNs with
encryption that can be used on OpenBSD. I really don't plan to write
about all of them, but I thought it was important to show the choices
available when you want to create a VPN between two peers/sites.
# VPN
VPN is an acronym for Virtual Private Network: the concept of
creating a network on top of a virtual layer like IP to connect
computers, while a regular network uses a physical layer like an
Ethernet cable, wifi or light.
There are different VPN implementations, some old, some new. They
have pros and cons because they were designed for various purposes.
This is a list of VPN protocols supported by OpenBSD (using base or
packages).
## OpenVPN
Certainly the best known, it's free and open source and is widespread.
Pros:
* works with tun or tap interfaces. A tun device is a virtual network
interface carrying IP, while a tap device is a virtual network interface
carrying Ethernet frames, which can be used to interconnect Ethernet
networks across the Internet (allowing remote DHCP or device discovery)
* secure because it uses SSL: if the SSL library is trusted then OpenVPN
can be trusted
* can work with TCP or UDP, which allows setups such as using TCP/443 or
UDP/53 to try to bypass local restrictions
* flexible in regards to the version difference allowed between client
and server; it's rare to have an incompatible client
Cons:
* certificate management isn't straightforward for the initial setup
## WireGuard
A recent VPN protocol that joined the party with an interesting approach.
It's supported by the OpenBSD base system using ifconfig.
Pros:
* the connection is stateless, so if your IP changes (when switching
networks for example) or you experience network loss, you don't need to
renegotiate the connection every time this happens, making the
connection really resilient.
* setup is easy because it only requires exchanging public keys between
peers
Cons:
* the crypto choice is very limited, and in case of evolution older
clients may have issues connecting (this is a con for deployment but may
be considered a good thing for security)
OpenBSD ifconfig man page anchored to WireGuard section
Examples of wg interfaces setup
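The base-system setup mentioned above is persisted in /etc/hostname.wg0, which netstart(8) feeds to ifconfig(8) line by line. The script below is an added example (not from the article) that generates such a file from a private key, a listen port, the local address and a list of peers, with the two sanity checks that usually catch a broken first setup: a wgkey must be 32 bytes in base64 (44 characters, the last one '=', as produced by `openssl rand -base64 32`), and every wgaip needs a prefix length. The `wg_*` function names and all keys, addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates an OpenBSD
# /etc/hostname.wg0 for one WireGuard site; keys and addresses passed in
# by the caller are constructed placeholders (hypothetical helper names).

# A WireGuard key is 32 random bytes in base64: 44 chars, last one '='.
wg_key_ok() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # not the base64 alphabet
        *=) return 0 ;;                  # padded as a 32-byte key is
        *) return 1 ;;
    esac
}

# wgaip must carry a prefix length, otherwise ifconfig rejects the peer.
wg_aip_ok() {
    case $1 in
        */[0-9]|*/[0-9][0-9]|*/[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Arguments: local private key, listen port, local address/prefix, and a
# peer list with one "pubkey endpoint_host:port allowed_ip/prefix" per
# line; "-" as endpoint marks a roaming peer with no known address.
# Prints the hostname.wg0 lines that netstart(8) hands to ifconfig(8).
wg_hostname_if() {
    privkey=$1 port=$2 addr=$3 peers=$4
    wg_key_ok "$privkey" || { echo "bad private key" >&2; return 1; }
    printf 'wgkey %s\nwgport %s\n' "$privkey" "$port"
    while read -r pk ep aip; do
        [ -n "$pk" ] || continue
        wg_key_ok "$pk" || { echo "bad peer key: $pk" >&2; return 1; }
        wg_aip_ok "$aip" || { echo "bad wgaip: $aip" >&2; return 1; }
        if [ "$ep" = "-" ]; then
            printf 'wgpeer %s wgaip %s\n' "$pk" "$aip"
        else
            printf 'wgpeer %s wgendpoint %s %s wgaip %s\n' \
                "$pk" "${ep%:*}" "${ep##*:}" "$aip"
        fi
    done <<EOF
$peers
EOF
    printf 'inet %s\nup\n' "$addr"
}
```

After `sh /etc/netstart wg0`, `ifconfig wg0` shows the interface's own wgpubkey, which is the value to hand to the other side as its wgpeer.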
## SSH
SSH is known for being a secure way to access a remote shell, but it can
also be used to create a VPN with a tun interface. This is not the
best VPN solution available, but at least it doesn't require much
software and could be enough for some users.
Pros:
* everyone has ssh
Cons:
* performance is not great
* documentation about the -w flag used for creating a VPN may be sparse
for many
## mlvpn
mlvpn is a piece of software that aggregates links through VPN technology.
Pros:
* it's a simple way to aggregate links on the client side and NAT from
the server
Cons:
* it is partly obsolete due to the MPTCP protocol doing the same thing
a lot better (but OpenBSD doesn't do MPTCP)
* it doesn't work very well when using different kinds of Internet links
(DSL/4G/fiber/modem)
## IPsec
IPsec is handled by iked in the base system or by strongswan from
ports. This is the most used VPN protocol, and it's reliable.
Pros:
* most network equipment knows how to do IPsec
* it works
Cons:
* it's often complicated to debug
* compatibility with older peers often means you have to downgrade
security to make the VPN work instead of saying it's not possible and
asking the other peer to upgrade
OpenBSD FAQ about VPN
## Tinc
A meshed VPN that works without a central server; it is meant to be
robust and reliable even if some peers are down.
Pros:
* allows clients to communicate between themselves
Cons:
* it doesn't use a standardized protocol (it's not THAT bad)
Note that Tailscale is a solution to create something similar using
WireGuard.
## Dsvpn
Pros:
* works on TCP so it's easier to bypass filtering
* easy to set up
Cons:
* a small and recent project; one could say it has fewer "eyes" reading
the code, so security may be hazardous (the crypto should be fine
because it uses common crypto)
## Openconnect
I had never heard of it before; I found it in the ports tree while
writing this text. There is an openconnect package to act as a client
and ocserv to act as a server.
Pros:
* it can use TCP to try to bypass filtering through TCP/443 but can
fall back to UDP for best performance
Cons:
* the open source implementation (server) seems minimalist
## gre
gre is a special device on OpenBSD to create a VPN without encryption;
it's recommended to run it over IPsec. I don't cover it more because I
was emphasising VPNs with encryption.
gre interface man page
# Conclusion
If you have never used a VPN, I'd say OpenVPN is a good choice: it's
versatile and it can easily bypass restrictions if you run it on port
TCP/443.
I personally use WireGuard on my phone to reach my emails; because of
WireGuard's stateless protocol, the VPN doesn't drain the battery to
maintain the connection and doesn't have to renegotiate every time the
phone gets Internet access.