WireGuard is built into the Linux kernel now; it probably gets far more use and code audits than other VPNs. Not that two-factor isn't nice, but as long as your environment supports two-factor I don't see too big of an issue if WireGuard takes you into the DMZ.
Can you share the remote install non admin scripts?
This. Pritunl is amazingly easy to set up and use.
Because the built-in Windows IPSec implementation breaks all the time.
IPSec has its use cases for Site2Site VPNs. But for client VPNs you want a simpler setup.
Windows 10 uses IKEv2 foremost, with SSTP as a fallback. SSTP is only semi-proprietary, but so are all the other “SSL” VPNs. And unlike, say, “AnyConnect” use of dTLS, SSTP has no UDP mode, so you’re always tunneling TCP inside TCP.
We don't use AD now, but I've done a ton of automation work on AD in the past and this would be easy to automate with AD.
Mind sharing the GitHub link? We are thinking of implementing a WireGuard VPN and a client provisioning script would be amazing.
Ah, that old chestnut. I don't need to audit the code because everyone else would have. Says everyone.
I think you’ll find there is a surprising amount of open source software and code that is in extensive use without ever having been audited by anyone but the person that wrote it.
Generate new WireGuard config files:
- This creates and writes the config files to a share on my windows server.
Endpoint WireGuard config for non admin users:
- This doesn’t install WireGuard it only configures it so deploy the .msi first.
- Place the endpoint config files in folders named after the hosts if you didn’t use my previous script.
- I run this using my endpoint admin account, which isn't as secure as I'd like. You could probably integrate LAPS instead, but I could never work out how.
- Some extra info on how the registry changes work. https://git.zx2c4.com/wireguard-windows/about/
It's on my to-do list to evaluate replacing my solution with https://pritunl.com/ which is open source and looks easier to manage. So it might be worth looking at that first.
Since when? I use it with SonicWall and it's never had an issue.
Would be great if someone would build that and push it to GitHub.
https://github.com/angristan/wireguard-install
Pulled this a few months ago and changed the following:
- added a qrencode -t ansiutf8 command
- added an option to reroute internet traffic or just join the local area network
- added an option to display already created client configs
- changed the path where configs are saved to a subfolder of the home dir (before they were just thrown into ~/)
This is the version I modified: https://pastebin.com/pLiM33Ef
I'd recommend doing a diff and looking over the changes they made in comparison to what I did.
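The two provisioning posts above (per-host config files written to a share, and the install script's "reroute internet traffic or just join the LAN" option) come down to rendering the same few WireGuard stanzas. The following is an added example, not either poster's script: it allocates tunnel addresses, renders a client config per host into a folder named after the host, and returns the matching server [Peer] stanzas. Server key, endpoint and subnets are assumed values; real key pairs come from `wg genkey` / `wg pubkey` and are passed in.

```python
"""Render per-host WireGuard client configs plus the matching server [Peer] stanzas."""
import ipaddress
import os
from pathlib import Path

# Assumed values for this example; substitute your own.
SERVER_PUBKEY = "SERVER_PUBLIC_KEY_PLACEHOLDER="
SERVER_ENDPOINT = "vpn.example.com:51820"
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")  # tunnel addresses; .1 is the server
LAN_SUBNET = "192.168.10.0/24"                     # what "just join the LAN" routes

def allocate_addresses(hosts):
    """Give each hostname the next free tunnel address (the server keeps .1)."""
    usable = list(VPN_SUBNET.hosts())[1:]  # skip 10.8.0.1
    if len(hosts) > len(usable):
        raise ValueError("tunnel subnet too small for host list")
    return dict(zip(hosts, usable))

def client_config(privkey, address, full_tunnel):
    """Client side. AllowedIPs decides whether all traffic or only the LAN rides the tunnel."""
    allowed = "0.0.0.0/0, ::/0" if full_tunnel else f"{LAN_SUBNET}, {VPN_SUBNET}"
    return (
        "[Interface]\n"
        f"PrivateKey = {privkey}\n"
        f"Address = {address}/32\n"
        "\n[Peer]\n"
        f"PublicKey = {SERVER_PUBKEY}\n"
        f"Endpoint = {SERVER_ENDPOINT}\n"
        f"AllowedIPs = {allowed}\n"
        "PersistentKeepalive = 25\n"
    )

def server_peer(hostname, pubkey, address):
    """Server side: a single /32 so a peer can only source packets from its own address."""
    return f"# {hostname}\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {address}/32\n\n"

def provision(hosts, keys, out_dir, full_tunnel=False):
    """Write <out_dir>/<host>/wg0.conf per host; return the server stanzas to append to wg0.conf."""
    addrs = allocate_addresses(hosts)
    stanzas = ""
    for host in hosts:
        priv, pub = keys[host]  # keys[host] = (private_key_b64, public_key_b64) from wg genkey/pubkey
        folder = Path(out_dir) / host
        folder.mkdir(parents=True, exist_ok=True)
        path = folder / "wg0.conf"
        path.write_text(client_config(priv, addrs[host], full_tunnel))
        os.chmod(path, 0o600)  # the file carries the client's private key
        stanzas += server_peer(host, pub, addrs[host])
    return stanzas
```

The per-host folder layout matches what the endpoint script above expects, and the same client text can be piped to qrencode for phone enrolment.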
That’s very likely a valid point for oddball software that very few people use or care about.
WireGuard, with only 4000 lines of security-critical code, not so much. Heck, even I have glanced over it just out of curiosity because of all the hubbub (though I freely admit that me not finding anything is not indicative, but that is not the point here; the point is people will dig into it if it gets enough press, and WireGuard has).
In any case, what’s the alternative? Speaking for myself, regardless of whether audits have happened or not, I still prefer open source for security critical functions. (I’m not a FOSS fanatic; I see the value of a lot of proprietary systems. But not for security specific stuff).
Sure, though people are actively attempting to hack it as well. It's not just whitehats that are auditing code.
But I think comparing something seldom used with something widely used, and something open against something proprietary, is silly anyway.
You have no real proof the code is good regardless; Microsoft didn't even implement AES correctly, as was recently discovered. I'd take the idea of people auditing code over blindly trusting some corporation offering something for free.
Look at step 8 onwards on this tutorial for a script sample to generate the client .ovpn file with certs built in.
It was just a general comment about assuming open source is safe. Agreed, the likelihood of something malicious not being picked up in a simple and popular open source utility like WireGuard is exceptionally low.
“didnt even implement AES incorrectly”
is there a typo in there by any chance? Not sure if you intended a double negative there…
I was talking about WireGuard.
The comment you responded to was specifically about WireGuard; in fact, this whole thread is about WireGuard.