Follow

can create a point-to-point VPN network. Is that something that could be used to replace a connection?

Is there a concealable near future where we "wireguard" in to remote servers to administer them instead of SSHing in? If so, what would be the advantages/disadvantages of this versus current practice with SSH?

(I'm very open to the idea that I've misunderstood something fundamental and this question is really dumb/not-even-wrong)

@codesections I "wireguard" into my home network and then SSH into my Pi and server devices. Are you saying I can just wireguard into the device running wireguard?

@cavaliertusky @codesections Correct me if I'm wrong, but this seems not at all what a VPN is for, so I would be very surprised if this became a thing. VPNs (including WG) put client devices on a (virtual, private) network with an IP address that is isolated and distinct from any host you'd want to SSH into. Wireguard client configs even explicitly specify the IP address the client gets.

@codesections Not really. SSH also covers stuff like authenticating users. Say you set up a wireguard connection to a server, and now you want to access it. As whom?

@tek

> Say you set up a wireguard connection to a server, and now you want to access it. As whom?

Interesting. On a practical/human level, I would think the answer to "as whom" is "as the person who owns the private key that allows access".

SSH grants access to anyone with the key+username. I would have thought wireguard configured with the same key+username-without-a-password would result in the same access.

Or is the issue that that setup would involve not setting a PW for local use?

@codesections Wireguard doesn't work at that level. It doesn't authenticate users. It uses crypto to protect network traffic between two machines. You could browse a website, or open a database connection, or whatever between the two and have it protected. It doesn't directly support any of those protocols, though. It just carries the traffic.

@codesections Basically, wireguard replaces ipsec in a lot of ways. It gives you a secure transport layer. You still need to implement the protocols that run on top of that layer.

@tek I've been enjoying playing with Tinc lately but it doesn't seem like it gets as many eyeballs as, say, OpenVPN. I'm not sure what Wireguard will do (never used it) but I'm excited.

@trish I think it's going to get way more eyeballs than all the rest combined, starting very soon. The docs show it being so easy to set up that I imagine it's going to become the standard way to connect stuff in the very near future.

@tek I mean I like that with Tinc I can set up the config files so I have some relays / NAT puncher servers and then my computers are supposed to automatically find each other no matter what.

I guess with Wireguard in the kernel it'll be easy to implement such a thing in user space, commanding the kernel part what IPs to connect to?

@trish Exactly. Now that it's "official", I think we'll have wonderful tooling soon.

@codesections SSH lets you tunnel ports, but a VPN can give you bridges access to multiple hosts (or even multiple subnets) as if you were directly connected

@chucker

> SSH lets you tunnel ports, but a VPN can give you bridges access to multiple hosts

Yeah, I get that. But a VPN can *also* be configured to grant access to a single host, right? (that's what I meant by "point-to-point")

I get that VPNs can do a lot of things that SSH can't. But I'm asking the opposite question: Can SSH do anything that a VPN can't/is there any reason to prefer SSH over an easy-to-setup wireguard VPN?

(I suspect that there is and that I'm confused)

@codesections

@chucker

> But a VPN can *also* be configured to grant access to a single host, right? (that's what I meant by "point-to-point")

Sure.

>Can SSH do anything that a VPN can't/is there any reason to prefer SSH over an easy-to-setup wireguard VPN?

An SSH server is arguably even easier to setup, especially with regard to authentication in openssh. Getting that right is often a mess in VPNs (not familiar with wireguard in particular, though).

@codesections it doesn't replace ssh. But you could use telnet over a p2p connection instead of ssh.

@codesections
I use WG to "mask" SSH, meaning that I have to be connected to the vpn to get to the ssh port (firewall rule)

@MikeG1 @codesections

SSH connects two programs, the client and the server/deamon.

Wireguard connects two computers. Through that connection, multiple programs can communicate.

You are comparing a train with a seat on a train.

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.