Wireguard VPN?
Posted: Thu Jan 09, 2020 7:21 pm
Crazy idea for brainstorming: one of my goals is to secure micropython so all communication can be encrypted (applies to boards with wifi or ethernet). The obvious path is https, mqtts, wss, perhaps ssh to replace telnet.
A friend asked "how about setting up wireguard instead?" Sounds odd and crazy, but really?
Pros:
- encapsulates all protocols such that one doesn't have to struggle with each one
- allows for portability and tunneling: device can talk to its servers even if they're many routing hops away as long as the VPN can be routed
Cons:
- implementation requires wrestling with LwIP to introduce a new interface and add WG code, probably make the inside-VPN interface the default
- requires a routed network inside the VPN so there's more up-front set-up involved: need VPN server, set up keys, set up subnet, route subnet, perhaps run DHCP within subnet
- unless multiple WG servers are supported with some fail-over this reduces availability
I run one server as "IoT hub" with MQTT and stuff so I'd run a WG server either there or on my router (which already runs WG).
Overall, this sounds like an intriguing option which I haven't heard about before. I'm not seeing why it wouldn't be doable, assuming mbedtls has the required cipher suites. Thoughts?
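The up-front set-up the post lists under the cons (VPN server, keys, subnet, routing) as a concrete WireGuard configuration pair for a hub and one device. This is an added example, not configuration from the original post; the keys are placeholders, the 10.66.0.0/24 subnet and the hub hostname are constructed. The point worth seeing is that AllowedIPs is kept to the narrowest value each side needs: the hub only accepts the device's own /32 from that key, and the device only routes the hub's VPN address, so a compromised board can neither spoof another peer nor reach the rest of the LAN through the tunnel.

```ini
# hub.conf - WireGuard "server" on the IoT hub (example, not from the post).
# Keys are placeholders; generate real ones with:
#   wg genkey | tee hub.key | wg pubkey > hub.pub
[Interface]
PrivateKey = <hub-private-key>
Address = 10.66.0.1/24          ; constructed VPN subnet, hub is .1
ListenPort = 51820

# One [Peer] block per device. AllowedIPs is both the route to the device
# and the only source address the hub will accept under this key.
[Peer]
PublicKey = <device-public-key>
AllowedIPs = 10.66.0.10/32

# ---------------------------------------------------------------
# device.conf - the MicroPython board (or any WG client) behind NAT.
[Interface]
PrivateKey = <device-private-key>
Address = 10.66.0.10/32

[Peer]
PublicKey = <hub-public-key>
Endpoint = hub.example.com:51820   ; placeholder hostname
# Route only the hub's VPN address into the tunnel, not 0.0.0.0/0, so the
# device's reachable surface stays limited to the MQTT hub.
AllowedIPs = 10.66.0.1/32
# Refresh the NAT mapping so the hub can initiate traffic to the device
# even when it sits many routing hops away.
PersistentKeepalive = 25
```

With `wg-quick up hub` on the hub and the device side brought up by whatever WG implementation the board ends up with, `wg show` on the hub lists the peer's latest handshake and transfer counters; a peer with no handshake is the first thing to check when MQTT over the tunnel does not come up. The single-hub availability concern the post raises is not addressed by this configuration; a second hub would need a distinct key and a disjoint AllowedIPs range on the device.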