This is just a reflection on the terrible journey from port forwarding, to one-off tunnels, and finally an actual VPN. See Part 2 for the TLDR on a simple Wireguard config.
You want to access your machine at home. Maybe you want to host something. Your box is behind a NAT of course, so you open a port on your router.
Well, you don’t have a static IP at home. So, you check into dynamic DNS. Your router might even support some services. You don’t want to pay for it though, and the free ones are all pretty sketchy looking.
Okay, so this sucks, I’ll just get a VPS. They are affordable now - not a lot of power, not a lot of space, but really affordable.
Oh neat, my VPS provider has an API. Now I can write my own script for dynamic DNS. Boom, cron to the rescue. Shoot, I just forwarded the one port. That’s okay I can just forward more ports over SSH.
A few dozen
ssh -L commands later you don’t even have to check the man for
the order of the bind and host ports anymore. A few thousand more and you start
to be much less enthusiastic about this “solution”.
You might start using
sshuttle before you realize, this is
insane. SSH was not meant for this. “Why don’t I just setup an actual VPN?”
Time to eat some alphabet soup - PPTP, IPSEC, L2TP, IKEv2. Right, so OpenVPN.
Let’s configure OpenVPN. Ay dios mio. Configuring OpenVPN is not so fun.
openssl is really not fun, either.
Then you finally figure out that you do not want to route all of your traffic through your VPS; it is just slow enough to be noticeable and annoying. I just want some sort of “peer-to-peer” VPN.
OpenVPN supports it, but what alternatives are there. Tinc VPN looks cool. That CVE list does not. Alright, what about n2n. “Super nodes” and “edge nodes” make sense, but not a ton of adoption going on.
Any of this sound familiar?
Queue the orchestra. After over a decade of this, there is finally an elegant VPN solution — Wireguard!
Btw, on an unrelated issue: I see that Jason actually made the pull request to have wireguard included in the kernel.
Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.