💾 Archived View for perso.pw › blog › articles › openbsd-vpn.gmi captured on 2024-05-26 at 14:57:29. Gemini links have been rewritten to link to archived content


What are the VPNs available on OpenBSD

Introduction

I have wanted to write this text for some time: a list of VPNs with encryption that can be used on OpenBSD. I really don't plan to write about all of them, but I thought it was important to show the choices available when you want to create a VPN between two peers/sites.

VPN

VPN is an acronym for Virtual Private Network. It is the concept of creating a network that relies on a virtual layer like IP to connect computers, while regular networks use a physical network layer like Ethernet cable, wifi or light.

There are different VPN implementations, some old, some new. They have pros and cons because they were made for various purposes. This is a list of VPN protocols supported by OpenBSD (using base or packages).

OpenVPN

Certainly the best known, it's free and open source and is widespread.

Pros:

Cons:

WireGuard

A recent VPN protocol that joined the party with an interesting approach. It's supported by the OpenBSD base system using ifconfig.

Pros:

Cons:

OpenBSD ifconfig man page anchored to WireGuard section

Examples of wg interfaces setup
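
As an added illustration (not code from the original article), this script renders an /etc/hostname.wg0 file for one peer using the wgkey, wgport, wgpeer, wgaip and wgendpoint options of ifconfig(8), and rejects malformed keys first. The function names, addresses, port and placeholder keys are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the article. Renders the contents of an OpenBSD
# /etc/hostname.wg0 file for a single peer; each line is handed to ifconfig(8).

# A WireGuard key is 32 bytes: 43 base64 characters followed by one "=".
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    body=${1%=}
    [ "${#body}" -eq 43 ] || return 1          # must end in "="
    case $body in
        *[!A-Za-z0-9+/]*) return 1 ;;          # no padding or junk inside
    esac
    return 0
}

# Args: private-key listen-port tunnel-addr netmask
#       peer-pubkey peer-allowed-ip peer-host peer-port
render_hostname_wg() {
    [ "$#" -eq 8 ] || { echo "8 arguments expected" >&2; return 2; }
    is_wg_key "$1" || { echo "invalid private key" >&2; return 1; }
    is_wg_key "$5" || { echo "invalid peer public key" >&2; return 1; }
    [ "$1" != "$5" ] || { echo "peer key equals private key" >&2; return 1; }
    cat <<EOF
wgkey $1 wgport $2
inet $3 $4
wgpeer $5 wgaip $6 wgendpoint $7 $8
up
EOF
}

# Constructed sample values: placeholder keys and documentation addresses.
# A real private key comes from: openssl rand -base64 32
# The matching public key is shown by: ifconfig wg0 (wgpubkey line, as root).
SAMPLE_PRIV="$(printf '%043d' 0 | tr 0 A)="
SAMPLE_PEER="$(printf '%043d' 0 | tr 0 E)="

render_hostname_wg "$SAMPLE_PRIV" 51820 10.0.0.1 255.255.255.0 \
    "$SAMPLE_PEER" 10.0.0.2/32 203.0.113.7 51820
```

The file contains the private key, so save the output as /etc/hostname.wg0 readable only by root, then bring the interface up with `sh /etc/netstart wg0`.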

SSH

SSH is known for being a secure way to access a remote shell but it can also be used to create a VPN with a tun interface. This is not the best VPN solution available but at least it doesn't require much software and could be enough for some users.

Pros:

Cons:

mlvpn

mlvpn is software that aggregates links through VPN technology.

Pros:

Cons:

IPsec

IPsec is handled with iked in the base system or using strongswan from ports. This is the most used VPN protocol, and it's reliable.

Pros:

Cons:

OpenBSD FAQ about VPN

Tinc

A meshed VPN that works without a central server; it is meant to be robust and reliable even if some peers are down.

Pros:

Cons:

Note that Tailscale is a solution to create something similar using WireGuard.

Dsvpn

Pros:

Cons:

Openconnect

I had never heard of it before; I found it in the ports tree while writing this text. There is an openconnect package to act as a client and ocserv to act as a server.

Pros:

Cons:

gre

gre is a special device on OpenBSD to create a VPN without encryption; it's recommended to use it on top of IPsec. I don't cover it further because I was emphasizing VPNs with encryption.

gre interface man page

Conclusion

If you have never used a VPN, I'd say OpenVPN is a good choice: it's versatile and it can easily bypass restrictions if you run it on TCP port 443.

I personally use WireGuard on my phone to reach my emails. Because WireGuard is a stateless protocol, the VPN doesn't drain the battery to maintain the connection and doesn't have to renegotiate every time the phone gets Internet access.