Security: Is it safe to connect to Nextcloud 'naked' (that is, without VPN) on public Wi-Fi?

  • Connecting to a listed Nextcloud provider.
  • Or connecting to your own instance.

Let’s say the only service I want to use over public Wi-Fi logged in is Nextcloud. Otherwise I’m just reading news sites and I don’t care whether anyone is watching me doing so. Do I need a VPN? All in all, I’m not sure: https://defensivecomputingchecklist.com/#publicwifi

Activate two-factor authentication on your Nextcloud instance and make sure it has a proper SSL cert…

No-one can guarantee safety, of course, with anything that involves an online connection. Personally I’d recommend the added security of a good VPN, particularly for public access points. I think it’s far more probable that a bug in the Nextcloud stack, or a misconfiguration, would expose you to an attack. I’d have a lot more confidence in an OpenVPN connection not being compromised, and at the very least, it’s an extra barrier for an attacker to deal with.

However as long as the connection is done via modern https, I would call this secure as well. Depends on how sensitive the data is in the end. A VPN is a second layer of course. I would recommend WireGuard over OpenVPN nowadays.

AFAIK, Wireguard hasn’t hit 1.0 yet, and still is not officially recommended for production use. I’d like to see it audited and mature for a while before switching. Once it’s proven dependable, it certainly has many advantages, not the least the far smaller codebase, which is a big plus for security.

I know of these restrictions, but I have run Wireguard on my private VPN for 2 months now. It is rock solid and really easy to install.

Sure, there’s a lot of folks out there making use of it. I’m just saying that while it may be stable in terms of performance, we don’t yet have much basis to know quite how solid it is in terms of security.

That will be resolved very shortly, matter of months…
Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree | Ars Technica
It won’t make it into 20.04 LTS, but should be backported shortly after.

Next Linux 5.6 also has native WireGuard, next Debian etc. etc. Sure, for professional use I would also wait for an official stable release, but for private use IMO the much easier configuration allows especially less experienced users to set up a secure VPN easily, compared to OpenVPN where one always needs to take care of proper configuration.

How’s that going to change matters? Wireguard is a new VPN option, an effective one, but it’s still a VPN?
By the way, you can use Wireguard already today, I run it on my Pihole.

How’s that going to change matters?

How solid a product is in terms of security (Wireguard in this case) is mostly a perception issue.
Wireguard has proven to be useful - and much more efficient - for years.

And the perception will change the moment Linus blesses it to be in the kernel…

I’d say it’s a bit more than a perception issue. With OpenVPN, it’s mature, widely deployed in production, and has had a proper security audit.

With Wireguard, it’s still not quite at version 1.0, has no audit, and their official position still says this:

Some parts of WireGuard are working toward a stable 1.0 release, while others are already there. Current snapshots are generally versioned “0.0.YYYYMMDD” or “0.0.V”, but these should not be considered real releases and they may contain security quirks

So, if security is the concern, there’s a pretty decent basis to say that sticking to OpenVPN for the time being is probably wise.

Strictly speaking, you are right, of course. But this should count for something

…compared to the horrors that are OpenVPN and IPSec, it’s a work of art.
…Linus

I’m running it on my router (DD-WRT firmware) for over a year.
Just the convenience factor makes you wonder why this hasn’t happened years ago…

Wireguard might not have had a proper audit.
But OpenVPN by now can’t be properly audited due to its sheer size and “hoarding” mentality…

Linux 5.6 with Wireguard 1.0 has been signed off by Linus…

TLS/SSL and VPN use the same or different encryption. Both can be a security problem.
Do not use TCP/IP … use IPoAC

Ubuntu 20.04LTS released, WireGuard already there

Will also be backported to 18.04LTS…(!)