Since I got my AARP card I’ve really leaned in on this grumpy old man stuff. Change is great … when I inflict it on political opponents, to their detriment. Otherwise I’m pretty much channeling the old man yelling at a cloud, especially when working on Proxmox.
I begrudgingly learned about Netplan four or five years ago and I have come to accept that it works as well as the previous /etc/networks configuration method. I have insisted on OpenVPN and I tend to run it in a fail-closed manner under tmux, because attempting to get systemd to use it has been frustrating at best.
A couple years ago I read about WireGuard and conceptually it seemed great. I got it running with a Proton endpoint when it was new, and this mistake survived about 48 hours before I ripped it out and went back to OpenVPN. HOWEVER … WireGuard performance from both Mullvad and Proton is now excellent, and having just learned how to use NetworkManager I am never, ever going back.
Here’s why you want to use WireGuard:
Tiny code base, does just one thing and does it well.
Configured in kernel like firewall rules.
Eliminates OpenVPN’s dialing metaphor; the tunnel is just there.
Here’s a Mullvad config file for using an exit in Bulgaria. Their site just coughs this stuff up; you don’t need to do ANYTHING to get it other than point and click.
[Interface]
# Device: Proper Falcon
PrivateKey = +L23mhpO8jssBNoR3NS2RWKKBRnzDvBB62pTv7osllc=
Address = 10.66.68.64/32,fc00:bbbb:bbbb:bb01::3:443f/128
DNS = 100.64.0.7
# Fail closed: reject any outbound packet that is not leaving via the tunnel interface (%i), does not carry WireGuard's own fwmark (the encrypted packets to the endpoint), and is not destined for a local address. Done for both IPv4 and IPv6.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# Remove the same rules (-D instead of -I) when the tunnel is taken down.
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = J8KysHmWZHqtrVKKOppneEXWks/PDsB1XTlRHpwiABA=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 146.70.188.130:51820
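As an added example (not from this post, Mullvad or the Qubes forum article), here is a small Python linter that checks a wg-quick config for the three properties the Mullvad file above provides: AllowedIPs covers all of IPv4 and IPv6, DNS is pinned to the provider, and PostUp installs the fail-closed REJECT rules for both address families with PreDown deleting them. The embedded sample is constructed in the shape of the config above, with placeholder keys.

```python
import ipaddress
import re

# Constructed sample in the shape of the Mullvad config above (placeholder keys).
SAMPLE = """\
[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER
DNS = 100.64.0.7
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 146.70.188.130:51820
"""

def parse(text):
    """Return {section: {key: [values]}}; wg-quick allows repeated keys."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "# Device: ..."
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur].setdefault(key, []).append(val)
    return sections

def lint(text):
    """Return findings; an empty list means full-tunnel and fail-closed."""
    cfg = parse(text)
    iface, peer, findings = cfg.get("Interface", {}), cfg.get("Peer", {}), []
    # Full tunnel: AllowedIPs must contain a /0 for IPv4 and a /0 for IPv6.
    nets = [ipaddress.ip_network(n.strip()) for v in peer.get("AllowedIPs", [])
            for n in v.split(",")]
    for ver in (4, 6):
        if not any(n.version == ver and n.prefixlen == 0 for n in nets):
            findings.append(f"IPv{ver}: not all traffic routed into the tunnel")
    # DNS pinned to the provider, so resolver queries do not go to the ISP.
    if not iface.get("DNS"):
        findings.append("DNS: no resolver set; queries may leave the tunnel")
    # Fail closed: REJECT anything not via %i and without wg's fwmark, per family,
    # and require the matching delete (-D) on the way down.
    up, down = " ".join(iface.get("PostUp", [])), " ".join(iface.get("PreDown", []))
    for tool in ("iptables", "ip6tables"):
        rule = rf"{tool} -I OUTPUT ! -o %i -m mark ! --mark \$\(wg show %i fwmark\)[^&]*-j REJECT"
        if not re.search(rule, up):
            findings.append(f"{tool}: no fail-closed REJECT rule in PostUp")
        elif not re.search(rule.replace("-I OUTPUT", "-D OUTPUT"), down):
            findings.append(f"{tool}: PostUp REJECT rule not deleted in PreDown")
    return findings
```

Run `lint(open("/etc/wireguard/mullvad-bg.conf").read())` against a real file; anything it returns is a way traffic can leave outside the tunnel.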
I learned how to do this by following the WireGuard VPN Setup article over on the Qubes forum. Once I got it going on Qubes I looked at my desktop, the little light bulb above my head actually lit up IRL, and I had it running there in about fifteen minutes, including the time to figure out how to re-enable NetworkManager.
This has proven amazingly slick with Qubes. I can stick each environment into a virtual machine of its own and I can make as many VPN provider VMs as I want, at the cost of roughly 128MB each. Mixing and matching environment+exit can be done in a matter of seconds.
The only holdup I really have left on Qubes is figuring out how to use a USB-tethered phone as the source of internet. This involves monkeying with a USB-capable VM, something that Qubes excludes from use due to the raft of security problems that come with being able to connect every device type under the sun to the same bus.
I thought I would be doing some sort of Qubes boot camp in January, like the content on here from last September. Instead it’s largely complete ten days before it was to start. I need to hustle more work for 2024 and that comes first, but I already put feelers out on getting someone to cover the $550 cost of a Pixel 8 so I can get going on GrapheneOS next.