by zaarn 1251 days ago
>I have a static v6 IP on the WG server (home router, running OPNsense).

Excuse my snark, but not everyone has a static v6 IP. I don't.

>One time setup on the server

Unless you happen to be behind a CGNAT or you're on a mobile network or or or or...

>Installed just like any other distro package, plus one-time setup to generate the key and import it and the server's public key into systemd-networkd / NetworkManager.

And if that won't work you're gonna be stuck debugging the network setup. I certainly do always end up debugging the VPN network stack eventually.

>You generate a key on each device and register the public key with the server. There's literally nothing else to it.

This won't scale to more than like 5 devices without being a major work item if a key was compromised or needs to be rotated (what if it turns out the RNG device was bad on your kernel at the time? Happened to SSH Keys on RPi's).

>I set it up about two years ago and it's been working unchanged since.

Not everyone is that lucky.


>Excuse my snark, but not everyone has a static v6 IP. I don't.

My ISP doesn't have it either. (They've been promising it for 2 years but keep delaying working on it.) I have an HE tunnel.

Also you ignored the sentence after that, which I had written to hopefully preempt this response.

>Unless you happen to be behind a CGNAT or you're on a mobile network or or or or...

Your server needs to have a globally reachable IP, yes.

>This won't scale to more than like 5 devices without being a major work item if a key was compromised or needs to be rotated (what if it turns out the RNG device was bad on your kernel at the time? Happened to SSH Keys on RPi's).

Depends on which key, of course. If a device's key needs to be rotated, you only touch that device and the server. If you rotate the server's key, then yes you touch every device.

>And if that won't work you're gonna be stuck debugging the network setup.

>if a key was compromised or needs to be rotated

>Not everyone is that lucky.

Sure. I know these things that happen never or rarely (currently, never), so I'm okay with doing them manually when they happen instead of outsourcing. I don't make decisions for other people or claim that what I do is best for other people. You should make decisions for yourself by evaluating the pros and cons for yourself.

Everyone should make decisions for themselves, but recommendations from positions of privilege should be well thought out.
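The rotation cost the two replies disagree about follows from which configs hold which public key: a device config holds only its own private key and the server's public key, while the server config holds every device's public key. The model below is an added example, not code from this thread or from the WireGuard project. Key generation is the RFC 7748 X25519 function in pure Python (the same computation `wg genkey` / `wg pubkey` perform, but not constant-time and meant only for illustration); the config layout mimics wg-quick `[Interface]`/`[Peer]` files; the endpoint, device names and addresses are constructed.

```python
"""Which configs change when a WireGuard key is rotated (added example)."""
import base64
import os

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for the Montgomery curve


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear low 3 bits, clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u on Curve25519 (not constant-time)."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127  # decodeUCoordinate masks the top bit
    x1 = int.from_bytes(ub, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASE_POINT = (9).to_bytes(32, "little")


def genkey() -> bytes:
    """Like `wg genkey`: 32 random bytes, clamped before storage."""
    b = bytearray(os.urandom(32))
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def pubkey(priv: bytes) -> bytes:
    """Like `wg pubkey`: private scalar times the base point."""
    return x25519(priv, BASE_POINT)


def b64(k: bytes) -> str:
    return base64.b64encode(k).decode()


def changed(before: dict, after: dict) -> set:
    """Names of configs whose rendered text differs."""
    return {n for n in before if before[n] != after[n]}


class WgNetwork:
    """One server plus N devices; each config holds only the keys it needs."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint          # constructed, e.g. "vpn.example.test:51820"
        self.server_priv = genkey()
        self.devices = {}                 # name -> {"priv": bytes, "addr": str}

    def add_device(self, name: str, addr: str) -> None:
        self.devices[name] = {"priv": genkey(), "addr": addr}

    def server_config(self) -> str:
        lines = ["[Interface]", f"PrivateKey = {b64(self.server_priv)}", "ListenPort = 51820"]
        for name, d in self.devices.items():   # one [Peer] per device public key
            lines += ["", f"# {name}", "[Peer]",
                      f"PublicKey = {b64(pubkey(d['priv']))}", f"AllowedIPs = {d['addr']}/32"]
        return "\n".join(lines)

    def device_config(self, name: str) -> str:
        d = self.devices[name]               # only its own key and the server's public key
        return "\n".join(["[Interface]", f"PrivateKey = {b64(d['priv'])}",
                          f"Address = {d['addr']}/24", "", "[Peer]",
                          f"PublicKey = {b64(pubkey(self.server_priv))}",
                          f"Endpoint = {self.endpoint}", "AllowedIPs = 0.0.0.0/0"])

    def all_configs(self) -> dict:
        cfgs = {"server": self.server_config()}
        cfgs.update({n: self.device_config(n) for n in self.devices})
        return cfgs

    def rotate_device_key(self, name: str) -> set:
        """Returns the set of configs that must be redeployed."""
        before = self.all_configs()
        self.devices[name]["priv"] = genkey()
        return changed(before, self.all_configs())

    def rotate_server_key(self) -> set:
        before = self.all_configs()
        self.server_priv = genkey()
        return changed(before, self.all_configs())


if __name__ == "__main__":
    net = WgNetwork("vpn.example.test:51820")
    for i, n in enumerate(["laptop", "phone", "tablet"]):
        net.add_device(n, f"10.0.0.{i + 2}")
    print("device rotation touches:", sorted(net.rotate_device_key("phone")))
    print("server rotation touches:", sorted(net.rotate_server_key()))
```

Rotating one device key changes exactly two configs (that device and the server's peer list); rotating the server key changes every device config, which is the "touch every device" case. The same model makes the RNG concern concrete: a bad kernel RNG at key-generation time is a device-key problem on each affected device, so each one is a two-config fix, not a fleet-wide one, unless the server was generated on the same bad RNG.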