Let's say the only service I want to use over public Wi-Fi logged in is Nextcloud. Otherwise I'm just reading news sites and I don't care whether anyone is watching me doing so. Do I need a VPN? All in all, I'm not sure: https://defensivecomputingchecklist.com/#publicwifi
No-one can guarantee safety, of course, with anything that involves an online connection. Personally I'd recommend the added security of a good VPN, particularly for public access points. I think it's far more probable that a bug in the Nextcloud stack, or a misconfiguration, would expose you to an attack. I'd have a lot more confidence in an openVPN connection not being compromised, and at the very least, it's an extra barrier for an attacker to deal with.
However as long as the connection is done via modern https, I would call this secure as well. Depends on how sensitive the data is in the end. A VPN is a second layer of course. I would recommend WireGuard over OpenVPN nowadays.
AFAIK, Wireguard hasn't hit 1.0 yet, and still is not officially recommended for production use. I'd like to see it audited and mature for a while before switching. Once it's proven dependable, it certainly has many advantages, not the least the far smaller codebase, which is a big plus for security.
Sure, there's a lot of folks out there making use of it. I'm just saying that while it may be stable in terms of performance, we don't yet have much basis to know quite how solid it is in terms of security.
Next Linux 5.6 also has native WireGuard, next Debian etc etc. Sure for professional use I would also wait for official stable release but for private use IMO the much easier configuration allows especially less experienced users to set up a secure VPN easily, compared to OpenVPN where one always needs to take care of proper configuration.
How's that going to change matters? Wireguard is a new VPN option, an effective one, but it's still a VPN?
By the way, you can use Wireguard already today, I run it on my Pihole.
How solid a product is in terms of security (Wireguard in this case) is mostly a perception issue.
Wireguard has proven to be useful - and much more efficient - for years.
And the perception will change the moment Linus blesses it to be in the kernel…
I'd say it's a bit more than a perception issue. With OpenVPN, it's mature, widely deployed in production, and has had a proper security audit.
With Wireguard, it's still not quite at version 1.0, has no audit, and their official position still says this:
Some parts of WireGuard are working toward a stable 1.0 release, while others are already there. Current snapshots are generally versioned "0.0.YYYYMMDD" or "0.0.V", but these should not be considered real releases and they may contain security quirks
So, if security is the concern, there's a pretty decent basis to say that sticking to OpenVPN for the time being is probably wise.