Wireguard VPN?

General discussions and questions about development of code with MicroPython that is not hardware specific.
Target audience: MicroPython Users.
tve
Posts: 43
Joined: Wed Jan 01, 2020 10:12 pm
Location: Santa Barbara, CA

Wireguard VPN?

Post by tve » Thu Jan 09, 2020 7:21 pm

Crazy idea for brainstorming: one of my goals is to secure micropython so all communication can be encrypted (applies to boards with wifi or ethernet). The obvious path is https, mqtts, wss, perhaps ssh to replace telnet.
A friend asked "how about setting up wireguard instead?" Sounds odd and crazy, but really?

Pros:
- encapsulates all protocols such that one doesn't have to struggle with each one
- reduce attack surface by not exposing any port other than the WG one (and ARP)
- allows for portability and tunneling: device can talk to its servers even if they're many routing hops away as long as the VPN can be routed

Cons:
- implementation requires wrestling with LwIP to introduce a new interface and add WG code, probably make the inside-VPN interface the default
- requires a routed network inside the VPN so there's more up-front set-up involved: need VPN server, set-up keys, set-up subnet, route subnet, perhaps run DHCP within subnet
- unless multiple WG servers are supported with some fail-over this reduces availability

I run one server as "IoT hub" with MQTT and stuff so I'd run a WG server either there or on my router (which already runs WG).
Overall, this sounds like an intriguing option which I haven't heard about before. I'm not seeing why it wouldn't be doable, assuming mbedtls has the required cipher suites. Thoughts?
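To make the set-up items in the post concrete (VPN server, keys, subnet, routing, and the "only the WG port is exposed" point), here is a wg-quick style configuration for the hub side and the equivalent board side. This is an added example, not configuration from the post or from any MicroPython port; the interface names, addresses, hostname and key placeholders are all assumptions, and the firewall lines assume a default-deny INPUT chain that already accepts established/related traffic.

```ini
# Added example, not from the original post. Placeholders: eth0 (uplink),
# 10.66.0.0/24 (VPN subnet), hub.example.net (hub's public name), <...> keys.

# ---- /etc/wireguard/wg0.conf on the IoT hub (the WG "server") ----
[Interface]
Address    = 10.66.0.1/24          # hub's address inside the VPN subnet
ListenPort = 51820                 # the only port exposed on the uplink
PrivateKey = <hub-private-key>     # generated with: wg genkey

# Only UDP/51820 is reachable from the uplink; MQTT (1883) is only accepted
# on wg0, so it cannot be reached without a key the hub already trusts.
PostUp   = iptables -A INPUT -i eth0 -p udp --dport 51820 -j ACCEPT
PostUp   = iptables -A INPUT -i wg0  -p tcp --dport 1883  -j ACCEPT
PostDown = iptables -D INPUT -i eth0 -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D INPUT -i wg0  -p tcp --dport 1883  -j ACCEPT

# One [Peer] per board. AllowedIPs is WireGuard's cryptokey routing: a packet
# decrypted with this key is dropped unless its source is 10.66.0.10, and
# traffic to 10.66.0.10 is only ever encrypted to this key. A compromised
# board therefore cannot impersonate another board's VPN address.
[Peer]
PublicKey  = <board-1-public-key>
AllowedIPs = 10.66.0.10/32

[Peer]
PublicKey  = <board-2-public-key>
AllowedIPs = 10.66.0.11/32

# ---- equivalent of what the board side would have to implement ----
[Interface]
Address    = 10.66.0.10/32
PrivateKey = <board-1-private-key>

[Peer]
PublicKey           = <hub-public-key>
Endpoint            = hub.example.net:51820   # the hub's WG port
AllowedIPs          = 10.66.0.0/24            # only the VPN subnet goes in the tunnel
PersistentKeepalive = 25                      # keeps the NAT/firewall pinhole open
                                              # so the hub can reach the board
```

The second half is what a MicroPython/lwIP integration would need to provide: a static tunnel address, one pinned hub public key, and a keepalive so the hub can initiate towards a board behind NAT. Because the board pins the hub's key and the hub pins each board's key, there is no certificate handling at all, which is the "one protocol instead of many" advantage the post is after; the price is the per-device key provisioning listed under the cons.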
