erigones / esdc-ce

Danube Cloud :: Community Edition
https://danubecloud.org
Apache License 2.0

ditch IPSec for Wireguard?! #530

Open n1ete opened 3 years ago

n1ete commented 3 years ago

Yesterday I set up a WireGuard server in a Joyent zone fairly easily and thought this would be a nice feature enhancement to replace IPsec with it in Danube. What do you guys think?

YanChii commented 3 years ago

Generally it's a good idea to have something simpler than IPSec.

However.

From Wireguard docs:

WireGuard works by adding a network interface (or multiple), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc).

That means it works on the level of routing. We use IPSec as a transparent L2 network mesh (it transparently encapsulates packets (sent by kernel) through the already-existing external0 interface, not creating new interfaces or routes). Therefore it looks like we cannot easily use Wireguard. Moreover, we would have to rewrite a lot of existing automation for creating IPSec (https://github.com/erigones/esdc-ce/tree/master/ans/overlays, https://github.com/erigones/esdc-ce/blob/master/bin/esdc-overlay).

I hate saying no to good ideas. Really. But we also need to guard our energy. There's a LOT that can be done and without external help (by code contributions) our development time is limited...

Jan
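To make the distinction above concrete, here is an added illustration that is not from the esdc-ce repository or from either commenter: a minimal WireGuard configuration, which creates a new wg0 interface and turns each peer's AllowedIPs into routes through it, next to an illumos ipsecconf(1M) transport-mode policy of the kind that protects traffic between two existing addresses without adding any interface or route. Addresses, keys and algorithm choices are constructed placeholders, not values from Danube Cloud's own overlay automation.

```conf
# --- WireGuard, /etc/wireguard/wg0.conf (constructed example) ---
# A NEW interface wg0 gets its own address; every AllowedIPs prefix of a
# peer is installed as a route via wg0, so traffic has to be steered into
# the tunnel by routing. This is the "works on the level of routing" point.
[Interface]
Address    = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <placeholder-base64-private-key>

[Peer]
PublicKey  = <placeholder-base64-peer-public-key>
AllowedIPs = 10.99.0.2/32, 192.0.2.0/24
Endpoint   = 198.51.100.2:51820

# --- IPsec transport mode, /etc/inet/ipsecinit.conf (constructed example) ---
# No new interface and no new route: packets between these two host
# addresses still leave through the existing external interface, and the
# kernel encrypts them in place (ESP, transport mode is the default here).
# This is the transparent in-place protection the comment above describes.
{ laddr 198.51.100.1 raddr 198.51.100.2 } ipsec { encr_algs aes encr_auth_algs sha256 sa shared }
```

Loading the second policy with ipsecconf(1M) changes nothing in the routing table or interface list; only the packets matching laddr/raddr are encapsulated, whereas bringing up wg0 adds both an interface and routes that every other tool on the host then has to account for.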

n1ete commented 3 years ago

Thanks for your answer, I feared some minor challenges like this. Leveraging OPNsense with WG for now. Since Joyent zones run without overhead, it could be possible to create extra tunnel zones, maybe an idea...

YanChii commented 3 years ago

Yes. Using SunOS zones for routing, firewall and VPN is a good idea. We also use them in our internal infrastructure. It's just less user friendly and you need someone that knows what to do there to set things up. We've chosen OPNsense instead of SunOS zones because of features that would otherwise need to be implemented from scratch (and to be supported by us, which also takes time).