Request for Feedback: WireGuard Implementation on NethSecurity

Hello NethSecurity users!

We are reaching out to gather feedback on the implementation of WireGuard on NethSecurity. Many of you have already requested the possibility of using WireGuard, and we are working to meet your request. NethSecurity currently supports WireGuard, but it is only accessible via LuCI, the old OpenWrt interface.

We have a working prototype from the CLI: Road Warrior WireGuard CLI configuration by gsanchietti · Pull Request #888 · NethServer/nethsecurity
The implementation allows an admin to generate a QR code that can be scanned directly from the iOS or Android app.

Before proceeding further, we would like to ask a few questions to understand the direction to take:

  1. Are you interested only in the Road Warrior mode, or also in the tunnel mode?
  2. For tunnel mode, would you prefer a star topology or point-to-point like the OpenVPN tunnels?
  3. Should it be integrated with existing users, or do you think it should be something separate?
  4. Would you consider using it if we initially released a command-line-only version, properly documented, and then gradually released a well-designed, complete interface?

Your feedback and suggestions are highly appreciated!

Thank you!

I’d like to mention @Jclendineng @devfx11 @EddieA @Axel @Exospecie @NLS @Zaman @MichaelS @carsten @Lawrence_Burnett @rasi
who were involved in an old topic on ns7
@hucky @mz05er @thyte

Thanks for the mention. Cannot help since I already use different tunneling solutions.

I can try to help in a few days :slight_smile: at the moment I am teaching IT Sec

I’m more than willing to help with testing.
Regarding your questions:

  1. “Are you interested only in the Road Warrior mode, or also in the tunnel mode?”

    Can you elaborate on what the difference is between Road Warrior and tunnel with regard to WireGuard?

  2. “For tunnel mode, would you prefer a star topology or point-to-point like the OpenVPN tunnels?”

    Meshing networks together can be done with rules and routes, can it not?
    Later, if the WireGuard interface is shown in the NethSecurity GUI, it can be done via “Zones and policies” and “Interfaces and devices”. Nothing extra to do here, in my opinion.

  3. Depends on the answer to 1.

  4. “Would you consider using it if we initially released a command-line-only version, properly documented, and then gradually released a well-designed, complete interface?”

    command-line

There is no real difference from a VPN point of view; it’s something more related to the UI: in tunnel mode you’re configuring a net2net VPN, so you must specify the networks behind the firewalls connected with the VPN.
In a Road Warrior scenario, the client is just a PC and not a firewall that must route an entire network. In this case a typical Road Warrior scenario can be a user account.

Yes, you’re totally right! :heart_eyes: But for most users these two extra steps are often hard to understand. Since WireGuard can handle it automatically, we are evaluating integrating them into the VPN configuration.
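
The Road Warrior versus tunnel distinction described in the replies above, as an added example that is not part of the original thread or of NethSecurity's code: on the firewall side the difference comes down to each peer's `AllowedIPs`, which WireGuard uses both to choose the peer for outgoing packets and to accept source addresses on incoming ones. The peer names, addresses, key placeholders and the `mode` field are assumptions made for illustration.

```python
import ipaddress

# Constructed sample peers; names, addresses and key placeholders are illustrative.
PEERS = [
    {"name": "alice-laptop", "mode": "roadwarrior", "tunnel_ip": "10.99.0.2", "networks": []},
    {"name": "branch-fw", "mode": "tunnel", "tunnel_ip": "10.99.0.3",
     "networks": ["192.168.50.0/24"]},
]

def allowed_ips(peer):
    """Return the AllowedIPs the firewall should set for this peer."""
    nets = [ipaddress.ip_network(peer["tunnel_ip"] + "/32")]
    if peer["mode"] == "tunnel":
        # net2net: the remote firewall routes whole LANs, so they are listed too
        nets += [ipaddress.ip_network(n) for n in peer["networks"]]
    elif peer["networks"]:
        # a single client device has no network behind it to announce
        raise ValueError(f"{peer['name']}: a road warrior must not announce networks")
    return nets

def find_overlaps(peers):
    """Flag AllowedIPs ranges that overlap between different peers, for review."""
    seen, clashes = [], []
    for p in peers:
        for net in allowed_ips(p):
            for other_name, other_net in seen:
                if other_name != p["name"] and net.overlaps(other_net):
                    clashes.append((other_name, p["name"], str(net)))
            seen.append((p["name"], net))
    return clashes

def render_peer(peer):
    """Render the firewall-side [Peer] section for one peer."""
    ips = ", ".join(str(n) for n in allowed_ips(peer))
    return (f"[Peer]\n# {peer['name']} ({peer['mode']})\n"
            f"PublicKey = <{peer['name']}-public-key>\nAllowedIPs = {ips}\n")

if __name__ == "__main__":
    assert not find_overlaps(PEERS)
    print("\n".join(render_peer(p) for p in PEERS))
```

The road warrior ends up with a single /32, so the firewall drops anything it sends from another source address, while the tunnel peer additionally carries the LAN behind the remote firewall.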