MESSAGE
| DATE | 2025-12-08 |
| FROM | Ruben Safir |
| SUBJECT | Re: [Hangout - NYLXS] [artix-general] Proton VPN |
On Mon, Dec 08, 2025 at 09:45:15AM +0200, aqua wrote:
> On 2025-12-08 04:33, Ruben Safir wrote:
> > any experience with ANY VPN in artix?
>
> I self-host a wireguard instance to route traffic to/through my lan, though my approach is to do it on the router level instead of the hosts as it makes it easier when you have multiple hosts. Still, the same logic seems to apply.
I need it to be specific to the client and I want the cryptography. So I need a VPN provider, I believe. As I understand it, a VPN client would create a new network device that you would set as the default gateway.
The desktop is on the private internal space and the gateways currently use packet forwarding and MASQ. I don't want to disturb these systems.
> Here are some notes I've written. It's mostly focused on the exact setup I have (opnsense on x86, with some cheapo and some less cheapo mikrotiks). You can also do this on openwrt, afaik it requires some additional packages to be installed so beware if your router has an 8/16MB flash and not much ram.
>
> Hope this helps. ^_^
>
> ## How wireguard works on a high level
> To use wireguard you create an interface and assign peers to it. Peers are configurations for remote wireguard servers, and IP addresses and subnets that are routed by them.
I'll look at wireguard but I don't see how that will help route packets in an anonymous way. I want to anonymize my public-bound internet connection and that requires an off-site network relay and encrypting the packet loads.
> ## wireguard point-to-point bridge
> I mostly use wireguard on routers to create bridges between LANs. To give an example, here are two LANs we want to route traffic between:
>
> - LAN1: 192.168.0.0/24
> - LAN2: 192.168.1.0/24
>
> On router1, wg0 would listen on `$WAN1IP:$port`, and needs to have a config for peer2 with `AllowedIPs=192.168.1.0/24`.
>
> On router2, wg0 needs to have a config for peer1 with `EndpointAddress=$WAN1IP`, `EndpointPort=$port`, and `AllowedIPs=192.168.0.0/24`.
>
> Depending on router software, you might also need to set up static routes (ex: mikrotik needs this, opnsense does it automatically for you), and also firewall rules to allow traffic between subnets.
>
> note: it is useful to set a keepalive on the peers if only one of them has a public IP, since the one behind NAT needs to initiate the connection.
>
> ### Rule notes
> On mikrotik switches, you don't need anything because they don't seem to drop packets by default. Firewall to them seems to mean "door in the field".
>
> Mikrotik routers do a little better, so you need to allow incoming packets from LAN2 on router1 and from LAN1 on router2.
>
> OpnSense makes sense, and you need to do the same thing for your LAN on your wireguard interface (`IPv4/6 $wireguard_net allow dest *`).
>
> ### performance notes
> Latency-wise, there is little to no noticeable impact in my use case.
>
> Bandwidth-wise: wireguard does encrypt traffic, and does have a noticeable impact on low-end hardware. A mikrotik hex poe lite (100mbps router) with a single core mipsbe cpu at 650MHz can handle about 60mbps at most. Interestingly enough, same cpu is also used on some of the 10g mikrotik switches, with the same resulting bandwidth (since it's a cpu bottleneck). A dual core cpu at about 700-800MHz can maintain 100mbps.
>
> Memory use: not much. I haven't really checked, but none of the machines I've tested this on experienced memory issues.
>
> Software used for bandwidth: iperf3.
>
> ## roadwarrior setup
> Basically just the same thing as the point-to-point tunnel, just one of the endpoints is the actual device, and you route `0.0.0.0/0`, aka all the packets, through it. The opnsense wireguard peer generator outputs a config for this:
> ```
> [Interface]
> PrivateKey =
> Address = 10.0.0.123/32
> DNS = 192.168.0.1
>
> [Peer]
> PublicKey =
> Endpoint = $WAN1IP:$port
> AllowedIPs = 0.0.0.0/0,::/0
> ```
>
> ## Sources
> -
> -
> -
--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013

_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout
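Added example, not part of aqua's notes or of this thread: it renders the `[Peer]` sections for the two-LAN bridge and the roadwarrior client described in the quoted notes, and models the AllowedIPs check WireGuard applies to every decrypted packet (the reason a bridge peer cannot source traffic from the other LAN's range). The WAN address, port and key strings are constructed placeholders.

```python
import ipaddress

# Constructed values for the example; keys are placeholders, not real WireGuard keys.
LAN1, LAN2 = "192.168.0.0/24", "192.168.1.0/24"
WAN1IP, PORT = "203.0.113.10", 51820


def peer_section(public_key, allowed_ips, endpoint=None, keepalive=None):
    """Render one [Peer] block. Endpoint is set only on the side that dials a
    public IP; PersistentKeepalive goes on the NAT side so it initiates and
    keeps the NAT mapping open (the keepalive note in the quoted post)."""
    lines = ["[Peer]", f"PublicKey = {public_key}",
             f"AllowedIPs = {', '.join(allowed_ips)}"]
    if endpoint:
        lines.append(f"Endpoint = {endpoint}")
    if keepalive:
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines)


def bridge_configs():
    """Peer sections for the point-to-point bridge: router1 listens on
    $WAN1IP:$port and only accepts LAN2 from peer2; router2 (behind NAT)
    dials router1 and only accepts LAN1 from peer1."""
    router1 = peer_section("<peer2-pubkey-placeholder>", [LAN2])
    router2 = peer_section("<peer1-pubkey-placeholder>", [LAN1],
                           endpoint=f"{WAN1IP}:{PORT}", keepalive=25)
    return router1, router2


def roadwarrior_config(client_addr="10.0.0.123/32", dns="192.168.0.1"):
    """Client config that routes everything (0.0.0.0/0, ::/0) through the tunnel."""
    iface = "\n".join(["[Interface]", "PrivateKey = <client-privkey-placeholder>",
                       f"Address = {client_addr}", f"DNS = {dns}"])
    return iface + "\n\n" + peer_section("<server-pubkey-placeholder>",
                                         ["0.0.0.0/0", "::/0"],
                                         endpoint=f"{WAN1IP}:{PORT}")


def accepts_inner_source(allowed_ips, src_ip):
    """Cryptokey routing: after a packet authenticates and decrypts, WireGuard
    keeps it only if the inner source address lies inside that peer's
    AllowedIPs. A v4 address never matches a v6 network, so mixed lists are safe."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_ips)
```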