Do I need WireGuard?

GLiNet2022 · 2022-06-13T23:52:40.595Z

I have a Beryl and I really like it. On my last vacation, I was able to use it successfully, connecting at many hotels.

These questions about WireGuard maybe elementary to some of you but bare with me because I am doing my discovery and research.

Basically, I understand WireGuard is the latest protocol and faster, more secure, etc than OpenVPN.

When would I use WireGuard? Is WireGuard used with a Client App, my router or regular usage? Or is it used when setup a VPN home server? Thanks

LupusE · 2022-06-14T05:58:30.104Z

In fact, you don’t need WireGuard. You need a secure line. And WireGuard is one of many tools to archive this.

I’m into IT since over 20 years. I’ve got my troubles with IPSec, with OpenVPN and others. Today I’m playing around with WireGuard. And there are 2 Parts:

If you’re using an install script it is fast and easy to setup. But on the downside you ave no idea what is happening on the system.
If you’re installing it by yourself, you’ll need a deeper understanding about routing, masquareding, DNS, DHCP … on your server operating system.

I’m about to explore path 2. Maybe I’ll use the OPNsense WireGuard implementation. Or change to a GL.iNet Flint as home Endpoint.
There are various commercial providers, with different endpoints, as well. But honestly, I don’t trust them as much as I trust my home network.

And If you’re only interested in ‘keep the eyes of the hotel staff from my data’, there is always TOR as alternative. Not very good for buying drugs or weapons, but secure enough for a hotel, open network at a cafe or a camping ground.
A good read (non technical) about this topic: The Untold Story of Silk Road, Part 1 | WIRED

WireGuard is just a tool. Like it or not.
But if you need data privacy, it is up to you. Just use the tool that is working for you.

Last words: As I am a little longer lost in the Internet, I know how we’re waited day to download a mp3 over 56kbit/s. I know how to manage my bandwidth. Today I’ve got 600Mbit/s fiber to my home and download like one mp3 per week.
Faster is not better. Availability is.

limbot · 2022-06-14T07:27:10.788Z

Yes there’s two “main” protocols for VPNS; OpenVPN and Wireguard. Wireguard is a much more efficient piece of code and as such normally results in better VPN speeds than OpenVPN
Most people use a VPN for 2 main reasons:

To appear to be in a different country and to get around geoblocked content (e.g. stream Netflix content not available in your country)
To encrypt data so that people can’t “sniff” your data.

Using your Beryl without a VPN gives you a the advantage of other devices on the public network you’re connected to not being able to see or send your devices behind the Beryl data not intended for them.If you do a scan with say Fing (and Android app) on a public network you’ll probably see 100s of devices and more scarely they can see your devices.
With the Beryl as an endpoint in the Hotel, then you setup a Wireguard client on the Beryl and every device that attaches to the Beryl will then be encrypted as it talks to the Wireguard server; either a commercial one (e.g. Mullvad) or one you’ve setup on your own infrastructure.

Hope that makes some sense

GLiNet2022 · 2022-06-14T07:57:02.272Z

Both posts are good and thank you.

I do have a question for Limbot. I understand 1,2 & 4 as you always make it easy to understand. Dissecting #3, are you saying if they scan with Fing, They can see my Beryl? At that point, is the security compromised? Are you referring to the SSID? Even if they get that of my Beryl, can they penetrate the security of the router?

groentjuh · 2022-06-14T08:09:39.799Z

@limbot, I would add your mentioned reasons (which is close to the Geoblock):

Give yourself access to a secure network, which contains servers/services not accessible directly from the internet. Like having access to the NAS inside your home-network.

On good hotel networks “Client isolation” is enabled preventing different devices from seeing each other. That would also prevent you from seeing your own other devices!

@GLiNet2022, as for finding your Beryl is inside a hotel wifi: That is not an issue. The beryl is made to be connected directly to the internet (technically the whole world can find it then!) and it therefore configured to handle that (has a firewall and such!)

I personally mostly use a VPN to secure that wifi-connection and give myself access to things not directly accessible from the internet.

Wifi goes through the air, so everybody can listen in. In case it is unsecured, it is simply visible for everybody to see your traffic. In case it is secured with a password, it will often still be visible for others who know the wifi-password (as long as they can capture the 4-way handshake between you and the AP). So the security of (passworded) wifi networks is as good as its password is kept secret! (Think of it as the front door and giving out the key to every guest…)

GLiNet2022 · 2022-06-14T08:14:33.017Z

I still don’t understand the need to have a VPN to secure the WIFI connection but that is OK. The best way to learn is just do it.

Lets say if I want to move forward and try out the WireGuard (installing the client on the router as directed by Limbot), do I have to pay for a subscription to Mullvad to test this out? Yes, I can setup my own VPN but I think I am not there yet in knowledge. Thanks

limbot · 2022-06-14T08:17:02.805Z

GLiNet2022:

Dissecting #3, are you saying if they scan with Fing, They can see my Beryl?

Fing does a scan across the whole network for all devices, you’ll see routers, access points, end devices like printers, phones and it’ll give you the name and MAC address of all the devices (if I remember correctly I haven’t used for a while). So if you say connected your 6 devices to the public WiFi, all those devices could easily be “found” by other people on that network and potentially a malicious actor could try and gain access to your devices.

If you sit behind your Beryl, as @groentjuh says, you have a firewall between your 6 devices and the rest of the network. Someone doing a Fing search would only see your Beryl, but not all your devices behind the Beryl. The firewall protects all your devices from being seen and accessible to anyone else on the network. The VPN would then also protect your data by encrypting it. It’s another layer of protection

GLiNet2022:

Lets say if I want to move forward and try out the WireGuard (installing the client on the router as directed by Limbot), do I have to pay for a subscription to Mullvad to test this out?

You can do month by month with Mullvad, so no long term lock in contracts, so worth giving a go. They have an article here which might explain VPN better than I can

GLiNet2022 · 2022-06-14T08:27:48.297Z

limbot:

The VPN would then also protect your data by encrypting it. It’s another layer of protection

Actually Limbot, I always love how you break it down and explain. I think one of the key points that I am looking for “Another Layer of Protection” and you provided that. The firewall and VPN are ultimate protection but one without the other should be sufficient right? Well at least that is true for the firewall. Thanks

groentjuh · 2022-06-14T12:11:49.703Z

A firewall and a VPN protect different things.

A firewall prevents bad guys from entering your network from the outside. So if there is a bad actor on the hotel wifi, he cannot reach the devices connected to your Beryl. The firewall in the Beryl prevents that!

The data from the devices connected to the Beryl will still pass through the hotel network. If a bad actor can get intercept that or/and modify that, bad things still can happen. A VPN will encrypt traffic between the Beryl router and the VPN server. Encrypted traffic cannot be understood or modified, so in that case a bad actor cannot do anything with that.

So they are very different things!

1_Erik_21 · 2022-06-17T15:57:12.405Z

the thing with vpn is that you can also use it to fake your location that way you can watch a youtube video that its not available in you country