Title: What are the VPN available on OpenBSD
Author: Solène
Date: 11 December 2021
Tags: openbsd vpn nocloud
Description: I made a list of available VPNs that can be used on OpenBSD, whether they are from base or packages, and gave the pros and cons for each protocol.

# Introduction

I have wanted to write this text for some time: a list of VPNs with encryption that can be used on OpenBSD. I don't plan to write about all of them, but I thought it was important to show the choices available when you want to create a VPN between two peers/sites.

# VPN

VPN is an acronym for Virtual Private Network: the concept of creating a network on top of a virtual layer such as IP to connect computers, whereas a regular network uses a physical layer such as an Ethernet cable, wifi or light.

There are many VPN implementations; some are old, some are new. They have pros and cons because they were designed for different purposes. This is a list of VPN protocols supported by OpenBSD (using base or packages).

## OpenVPN

Certainly the best known: it's free and open source and is widespread.

Pros:

* works with tun or tap interfaces. A tun device is a virtual network interface carrying IP, while a tap device is a virtual network interface passing Ethernet frames, which can be used to interconnect Ethernet networks across the Internet (allowing remote DHCP or device discovery)
* secure because it uses SSL/TLS: if the SSL library is trusted, then OpenVPN can be trusted
* can work over TCP or UDP, which allows setups such as using TCP/443 or UDP/53 to try to bypass local restrictions
* flexible regarding the version difference allowed between client and server; it's rare to have an incompatible client

Cons:

* certificate management isn't straightforward for the initial setup

## WireGuard

A recent VPN protocol that joined the party with an interesting approach. It's supported by the OpenBSD base system using ifconfig.

Pros:

* connection is stateless, so if your IP changes (when switching network for example) or you experience network loss, you don't need to renegotiate the connection every time this happens, making the connection really resilient
* setup is easy because it only requires exchanging public keys between clients

Cons:

* the crypto choice is very limited, and in case of evolution older clients may have issues connecting (this is a con for deployment but may be considered a good thing for security)

OpenBSD ifconfig man page anchored to WireGuard section

Examples of wg interfaces setup
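As an added example (not from the post), here is a small POSIX sh helper that writes the OpenBSD /etc/hostname.wg0 file for a one-peer WireGuard setup, as described in hostname.if(5), and prints the equivalent ifconfig(8) sequence. The ifconfig keywords (wgkey, wgport, wgpeer, wgendpoint, wgaip) are the real ones; the key values, addresses and port are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: build an OpenBSD /etc/hostname.wg0 file
# (see hostname.if(5)) from a few parameters, validating the WireGuard keys
# first. The ifconfig(8) keywords wgkey/wgport/wgpeer/wgendpoint/wgaip are
# the real ones; the key values at the bottom are constructed placeholders.

# A WireGuard key is 32 bytes in base64: 44 characters, one '=' of padding,
# and the character before the pad can only carry 4 significant bits.
wg_valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print a hostname.wg0 for one peer. Arguments:
#   $1 local private key  $2 listen port   $3 local tunnel address (CIDR)
#   $4 peer public key    $5 peer endpoint $6 peer port   $7 peer allowed IPs
wg_hostname_conf() {
    wg_valid_key "$1" || { echo "wg_hostname_conf: bad local key" >&2; return 1; }
    wg_valid_key "$4" || { echo "wg_hostname_conf: bad peer key" >&2; return 1; }
    printf 'wgkey %s\n' "$1"
    printf 'wgport %s\n' "$2"
    # wgaip is the peer's allowed IPs: only traffic to/from these addresses
    # is accepted for this peer, so keep it as narrow as the setup permits.
    printf 'wgpeer %s wgendpoint %s %s wgaip %s\n' "$4" "$5" "$6" "$7"
    printf 'inet %s\n' "$3"
    printf 'up\n'
}

# The same settings as a one-off ifconfig(8) sequence, which is what
# netstart(8) does with the file above. Printed, not executed (needs root).
wg_ifconfig_cmds() {
    echo "ifconfig wg0 create"
    wg_hostname_conf "$@" | sed 's/^/ifconfig wg0 /'
}

# Constructed placeholder keys (32 zero bytes / mostly 'B'); never use them.
# Real ones: `openssl rand -base64 32` for the private key, then the public
# key shows up as wgpubkey in `ifconfig wg0` once wgkey has been set.
LOCAL_KEY='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
PEER_KEY='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA='

wg_hostname_conf "$LOCAL_KEY" 51820 10.9.0.1/24 "$PEER_KEY" 192.0.2.10 51820 10.9.0.2/32
```

Redirect the output to /etc/hostname.wg0 on the OpenBSD host and run `sh /etc/netstart wg0` as root to bring the interface up; the peer side needs the mirrored file with the keys and allowed IPs swapped.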
## SSH

SSH is known for being a secure way to access a remote shell, but it can also be used to create a VPN with a tun interface. This is not the best VPN solution available, but at least it doesn't require much software and could be enough for some users.

Pros:

* everyone has ssh

Cons:

* performance is not great
* documentation about the -w flag used for creating a VPN may be sparse for many

## mlvpn

mlvpn is a program to aggregate links using VPN technology.

Pros:

* it's a simple way to aggregate links on the client side and NAT from the server

Cons:

* it's partly obsolete due to the MPTCP protocol doing the same thing but a lot better (but OpenBSD doesn't do MPTCP)
* it doesn't work very well when mixing different kinds of Internet links (DSL/4G/fiber/modem)

## IPsec

IPsec is handled with iked in the base system or using strongswan from ports. This is the most used VPN protocol, and it's reliable.

Pros:

* most network equipment knows how to do IPsec
* it works

Cons:

* it's often complicated to debug
* compatibility with older peers often means you have to downgrade security to make the VPN work, instead of saying it's not possible and asking the other peer to upgrade

OpenBSD FAQ about VPN

## Tinc

A meshed VPN that works without a central server; it is meant to be robust and reliable even if some peers are down.

Pros:

* allows clients to communicate between themselves

Cons:

* it doesn't use a standardized protocol (it's not THAT bad)

Note that Tailscale is a solution to create something similar using WireGuard.

## Dsvpn

Pros:

* works over TCP so it's easier to bypass filtering
* easy to set up

Cons:

* small and recent project; one could say it has fewer "eyes" reading the code, so security may be hazardous (the crypto should be fine because it uses common crypto primitives)

## Openconnect

I had never heard of it before; I found it in the ports tree while writing this text. There is an openconnect package to act as a client and ocserv to act as a server.

Pros:

* it can use TCP to try to bypass filtering through TCP/443 but can fall back to UDP for best performance

Cons:

* the open source implementation (server) seems minimalist

## gre

gre is a special device on OpenBSD to create a VPN without encryption; it's recommended to run it over IPsec. I don't cover it more because I was emphasizing VPNs with encryption.

gre interface man page

# Conclusion

If you have never used a VPN, I'd say OpenVPN is a good choice: it's versatile and it can easily bypass restrictions if you run it on port TCP/443.

I personally use WireGuard on my phone to reach my emails; because of WireGuard's stateless protocol, the VPN doesn't drain the battery to maintain the connection and doesn't have to renegotiate every time the phone gets Internet access.