context
I want to set up a new VPN (Virtual Private Network) infrastructure between my portable devices and my home, but it’s proving problematic. I currently use SSH, but that has performance limitations, and is blocked by Apple on iPhones. I want a direct link, I don’t want to have to depend on third parties.
wireguard
Wireguard is implemented in the kernel of Linux and OpenBSD, among other operating systems.
First of all, my home systems are behind a dynamic IP address: it changes every so often. I avoid the consequential issues by using a dynamic DNS service: my domains, such as dylanharris.org, work. It’s imperfect: when that dynamic IP address changes, it takes a few moments for the domain to catch up.
The problem is that wireguard configuration files cannot accept domain names. One has to use an IP address, and my home systems IP address is unstable. Now, actually, that wouldn't be too difficult to kludge away on a laptop, but it’s a pain on systems with poor user interface design, such as iOS. This isn’t a killer problem, but it is a dratted nuisance.
But there is a killer problem: the documentation. I have never encountered authoritative wireguard documentation. Everything I’ve seen has been clearly incomplete, even wrong. The fact there is no proper reference documentation anywhere, so far as my google foo can tell, says something rather unfortunate about the project.
Let me give you an example, from Ubuntu. You should know the wireguard configuration file has two sections, an [Interface] and one or more [Peer]s. The complete [Interface] documentation is:
The Interface section may contain the following fields: • PrivateKey — a base64 private key generated by wg genkey. Required. • ListenPort — a 16–bit port for listening. Optional; if not specified, chosen randomly. • FwMark — a 32–bit fwmark for outgoing packets. If set to 0 or “ff”, this option is disabled. May be specified in hexadecimal by prepending “0x”. Optional.
Then the separate Ubuntu wireguard introduction document gives an example of [Interface]:
[Interface] PrivateKey = eJdSgoS7BZ/uWkuSREN+vhCJPPr3M3UlB3v1Su/amWk= ListenPort = 51000 Address = 10.10.11.10/24
Do you see that? There’s a configuration parameter, a field, a necessary one, Address, that the supposédly authoritative reference documentation doesn’t actually get around to mentioning. It’s not the only omission: I gather from examples elsewhere there are other undocumented parameters, such as PostUp and PostDown.
The technical term to describe this kind of documentation is “shite”. To be fair to Ubtuntu, this is classic Linux quality, and is one of the key reasons my home network infrastructure uses OpenBSD.
Having said that, although OpenBSD documentation is usually very good, it’s not when it comes to wireguard. It is exactly the same as the Ubuntu documentation. Now, it’s true, the Address parameter is rejected by OpenBSD, so that part doesn’t lie. But the secondary documentation still gives the same false example, so there remains a significant documentation, un–OpenBSD–like, failure.
The point is that I have to trust VPNs with security stuff. Thus it is rather important to me that I don’t catch them lying. A lie by omission is still a lie. Wireguard documentation omits key information. Thus wireguard documentation lies. Thus I cannot trust wireguard. It may have a reputation of being a clever and wonderful VPN, but the incomplete nature of the documentation strongly suggests to me that there’s other stuff omitted that I really should know. I can’t trust it.
So wireguard is out.
nitrowall
Previously, I purchased a Nitrowall. This is a physical box with a VPN product installed. First of all, I never got it working. It could send packets out, but never received anything. I didn’t work out whether this was a problem with the box, the router (a Fritzbox), or my ISP. Whatever, a VPN that receives no data cannot work.
Secondly, I had a look inside it, and found that OPNSense, the VPN software used, ran everything as root. This is an absolute no–no for security software. If there is any compromise of a root account, then everything is lost. If an ordinary account is compromised, that’s still very bad, but the atttacker can’t, per se, hijack the computer. Yes, with VPNs, you need kernel level drivers to do the VPN–ing itself, that’s unavoidable, but the support stuff, such as the web interface, should never run as root.
So that VPN product is out.
PIA
For a while I used PIA. That worked. My problem with them is not technical, but legal. One of the reasons I want to use a VPN is to stop malicious third parties, such as advertisers, abusing my personal information to try and con me. If they don’t have that information, they can’t use it or abuse it Thus I want to use a VPN, among other things, to make it difficult for them to get that information, or at least ensure I profit more than they do from it.
But I also have to depend on the law. I’m in the EU, and that law is the GDPR. Certain forms of information abuse are illegal here. PIA is based in the States. Those forms of abuse that are illegal here are quite legal there. In information terms, the USA is dystopian. Unfortunately, the EU has a history of looking the other way when it comes to enforcing EU law on US organisations. As it happens, PIA give independent guarantees that they won’t abuse people’s information, and I have no reason to doubt their guarantee. It’s just, well, I prefer to have a guarantee in law to one in marketing. There’s a long history of businesses breaking promises when their financials turn nasty. One can see why, they have to do their best to survive, and if that means bringing in desperately needed income by doing the things they’ve promised not to do, then they’ll do it. If the choice is cheating customers or putting employees out on the street, then what should a decent boss do? (Employees on the street? As I’ve said, in some ways the USA is dystopian.) Now, I emphasise, I’ve seen nothing to suggest PIA is, or was, in that situation, but they’re based in the USA, where there’s no legal restriction to stop them selling my personal information to others. I can’t trust them because of where they are, not who they are.
SSH
The system I’ve been using for years, and I’ve been wanting to replace for years, is SSH tunnelling. When I’m travelling, especially outside the EU, I set up an SSH tunnel from my laptop to my home network, and connect to the outside world from here. This means all connectivity with my home services is protected by that SSH connection. But SSH is not efficient for certain things that VPNs can address easily. However, it has one core advantage over all the VPN solutions I’ve tried recently: it works, mostly.
The key problem with an SSH VPN is that it doesn’t work in iOS. A bad design compromise in iOS blocks SSH tunnels from being accessed by the software that should use it. I don’t understand why Apple want to prevent people using an SSH VPN, but, well, there you are. It so happens I’ve been considering replacing my iPhone for quite some time, and I think this might be the tipping point. I can’t use an android based device because I require information security (many claim android is secure, but they forget google made their fortune by stealing private information, e.g., when it comes to information security, android is desperately insecures), which leaves a third OS, such as grapheneOS. What, though, is a decision I have yet to make.
OpenVPN
I previously got OpenVPN working under OpenBSD, for use with PIA. I may go back to that.
SSL
VPN communication is sometimes blocked by paranoid, or more likely criminal, services. They block it because they want to see what’s being communicated. If they can see it, they can steal it. Thus a service that blocks VPN is untrustable. If I have any choice, I won’t go near such a service.
Sometimes, though, an abusive service is the only one available, and I have to go online for some reason. The solution, which I have not explored, is to route traffic over SSL. SSL is the basis of HTTPS, encrypted web traffic. It is unbiquitious, everyone uses it, so even a criminal service couldn’t get away with blocking it.
So this is something else to investigate.
Final Note
To be absolutely honest, if the organisations that steal private information actually paid royalties on the information they steal, then it wouldn’t be theft, & I wouldn’t have a problem with them. I create this information, it is mine, if people want to make money from it, they can damn well pay me royalties, just as others do with other stuff I create. It is this theft of my creations that I strongly dislike, just as I dislike the way laws have been so corrupted that this theft is entirely legal.