On Thu, Nov 21, 2024 at 03:16:25PM -0700, Devin Reade said:
> So my main question is whether there are compelling reasons to be considering wireguard (or other options) over ipsec? I'm guessing that assuming stability is good for both that the respective approaches to dynamic IP changes may be a deciding factor.
I've been running GRE over IPsec tunnels for OpenBSD to OpenBSD systems for close to 20 years and IPsec tunnels for roadwarrior Windows, macOS and i{,pad}OS clients for at least 10. I've found it to be a bit complex to configure (though iked(8) made it a lot better) but once it works it works and it is fairly widely supported by native tools.
One of the key requirements for me has been a strong preference for native tooling instead of relying on third-party code.
I've started to switch some tunnels to wireguard now that it is native in OpenBSD, but those are only to systems (mostly MikroTik RouterOS and Linux devices) that have native wireguard support and poor IPsec support.
In the case you have both endpoints with dynamic IP addresses, I don't really know how you will handle that. You may need some external machinery to update and reload configurations and DNS. I don't think either tunnel type will provide you with pros or cons there, except that reloading iked(8) will bounce all your tunnels but reconfiguring a wg(4) interface will only affect the tunnel(s) terminating on it.
I would stay far away from OpenVPN. I've never had good luck with it. As far as I can tell the only upside is that there are a lot of third-party applications for a lot of systems that are extremely easy to setup.
A quick perusal seems to indicate that ipsec, at least, plays well with carp and friends.
OpenBSD certainly has the most integration with IPsec; the new sec(4) may even relieve the need for running something like GRE on top.
-- 
Please direct replies to the list.
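The "external machinery" for a peer whose address changes, sketched as an added example (not from the original post or from the OpenBSD project). A wg(4) peer learns the other side's endpoint from the source of the last authenticated packet it receives, so only the side that has to initiate needs to be told where the other one went; this script is that side's half. It assumes wg0 is already configured, that the remote peer keeps a DNS name (the hypothetical peer.example.net) current through some dynamic-DNS service, and that dig(1) from base is available. When the resolved address differs from the one last pushed into the kernel, it re-points just that one peer with ifconfig(8), which is the per-peer behaviour the message above contrasts with reloading iked(8). The state file path, interface and port are assumptions; the public key is a placeholder.

```shell
#!/bin/sh
# wg-endpoint.sh: re-point one wg(4) peer at its current dynamic address.
# Added example, not OpenBSD project code. Run from cron(8) every few minutes.
# Assumptions (hypothetical values): wg0 is up, the peer publishes its
# address as an A record for PEER_NAME, dig(1) from base is present.

WG_IF=${WG_IF:-wg0}
PEER_NAME=${PEER_NAME:-peer.example.net}            # hypothetical DDNS name
PEER_PORT=${PEER_PORT:-51820}
PEER_PUBKEY=${PEER_PUBKEY:-REPLACE_WITH_PEER_PUBLIC_KEY}
STATE_FILE=${STATE_FILE:-/var/db/wg-endpoint-$WG_IF}  # last address pushed
DRY_RUN=${DRY_RUN:-0}                               # 1 = print, don't touch wg0

# Validate a dotted quad (four numeric octets, each 0-255). Returns 0 if valid.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    # shellcheck disable=SC2086  # splitting on '.' is intended
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Resolve a name to its first IPv4 address; prints nothing on failure.
# dig +short may print a CNAME chain first, so keep only dotted quads.
resolve_v4() {
    dig +short A "$1" 2>/dev/null |
        grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# Compare the freshly resolved address with the one recorded in the state
# file and print one word: "update", "unchanged" or "invalid".
decide() { # decide NEW_IP STATE_FILE
    new=$1 state=$2
    is_ipv4 "$new" || { echo invalid; return 0; }
    last=
    [ -r "$state" ] && last=$(cat "$state")
    if [ "$new" = "$last" ]; then echo unchanged; else echo update; fi
}

# Push the endpoint for this one peer only; other peers on WG_IF are untouched.
apply_endpoint() { # apply_endpoint NEW_IP
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: ifconfig $WG_IF wgpeer $PEER_PUBKEY wgendpoint $1 $PEER_PORT"
        return 0
    fi
    ifconfig "$WG_IF" wgpeer "$PEER_PUBKEY" wgendpoint "$1" "$PEER_PORT" || return 1
    printf '%s\n' "$1" > "$STATE_FILE"
}

main() {
    ip=$(resolve_v4 "$PEER_NAME")
    case $(decide "$ip" "$STATE_FILE") in
        update)    apply_endpoint "$ip" ;;
        unchanged) : ;;
        invalid)   echo "could not resolve $PEER_NAME to an IPv4 address" >&2
                   return 1 ;;
    esac
}

# Only act when executed under the script's own name, so the functions can
# also be sourced for testing without touching the interface.
case $0 in
    */wg-endpoint.sh|wg-endpoint.sh) main "$@" ;;
esac
```

The state file, rather than parsing ifconfig output, is what makes the script idempotent across cron runs; a failed ifconfig leaves it untouched so the next run retries. If both ends are dynamic, each side runs its own copy against the other's name, and DNS itself becomes the piece that has to be kept current, which is the part neither tunnel type helps with.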