
Virtual private networks with WireGuard

Virtual private networks with WireGuard

Posted Mar 7, 2018 14:12 UTC (Wed) by bavay (subscriber, #60804)
In reply to: Virtual private networks with WireGuard by amworsley
Parent article: Virtual private networks with WireGuard

I am absolutely naive with VPNs, so my questions might be totally off, but one thing I find potentially dangerous is the ability to silently lose a VPN connection. If you are transmitting sensitive data over a link that you know is most probably under surveillance, you absolutely don't want the VPN to disconnect and your data transfer to resume over the non-VPN network (when accessing public IPs). Is it something that is addressed at the VPN level or should it be addressed at another level? Does WireGuard offer something to prevent it?

Mathias
PS: Yes, the data transfer itself is also encrypted, but better safe than sorry and encapsulate it within a VPN alongside masses of uninteresting data



Virtual private networks with WireGuard

Posted Mar 7, 2018 14:45 UTC (Wed) by smurf (subscriber, #17840)

WireGuard does not "lose a connection" the way a VPN link dies. The connection and the rest of the kernel setup are still there, packets simply get dropped until the connection is re-established.

I've been using it for months on my office VPN. Zero problems, it's a breeze to set up compared to OpenVPN (and much faster).

Virtual private networks with WireGuard

Posted Mar 10, 2018 0:20 UTC (Sat) by coolhandluke (guest, #114151)

In the case where all traffic absolutely *must* go over a VPN (or else not be sent at all), I have previously configured firewall rules (both on the host itself as well as its upstream router, for an additional layer of defense) to only permit outbound IP traffic destined to the VPN gateway and drop any other traffic.

This ensures that traffic will not be sent out if the VPN link dies for any reason.

Whether or not this approach is an acceptable solution for you obviously depends on your specific requirements.
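
One way to express the host-side rules described in the comment above, as an added example that is not part of the original comment: a shell function that prints an nftables ruleset. It assumes nftables on the host; the table name `vpn_killswitch`, the interface `wg0`, the port and the gateway address are made up for illustration.

```shell
#!/bin/sh
# Added example. Prints an nftables ruleset whose output chain drops everything
# except loopback, the tunnel interface and UDP to the VPN gateway.
# Table name and sample values are assumptions made for this example.

is_ipv4() {
    # Only digits and dots, no empty fields; this also rules out glob characters.
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

gen_killswitch() {
    endpoint=$1 port=$2 iface=$3
    is_ipv4 "$endpoint" || { echo "bad gateway address" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port" >&2; return 1; }
    # Restrict the name so it cannot break out of the quoted string below.
    case $iface in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        # Default-drop: if the tunnel is down, nothing falls back to the clear.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$iface" accept
        # The encrypted WireGuard packets themselves, to the gateway only.
        ip daddr $endpoint udp dport $port accept
    }
}
EOF
}

# Constructed sample values (203.0.113.10 is a documentation address).
# To load the rules, as root:
#   gen_killswitch 203.0.113.10 51820 wg0 | nft -f -
```

Because the drop policy applies to the whole `inet` family, DHCP renewals, DNS queries outside the tunnel and any IPv6 traffic that does not go through the tunnel are blocked as well.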

Virtual private networks with WireGuard

Posted Mar 12, 2018 22:46 UTC (Mon) by james (subscriber, #1325)

I've seen people go one stage further and configure the router without a default gateway, just with routes to the public IP addresses of the VPN concentrators.

Those routes to the VPN concentrators are the only routes over the WAN link(s): even without a firewall, the router won't know which way to send packets to the Internet until the VPN is up. Then routing protocols (configured to talk to the internal addresses of the VPN concentrators) can add more routes.

