Basic understanding of VPN and wireguard

Hello,
I'm discovering the concept of VPNs but I'm struggling to understand all their purposes, and I'd like to know whether the following statements are correct (which will help me understand whether what I'm doing makes sense). I've tried to understand, but a lot of the documentation online is in English, and very often the term VPN is used as a catch-all term, when it could mean, among other things, the protocol, the tunnel, a server, a client, a provider, etc.
I apologise in advance for questions that may be silly or poorly structured (that reflects my understanding :sweat_smile:)

First, my setup:

  • I discovered that my Fritzbox natively added Wireguard in its latest update. So I created connections via the Fritzbox, which generated config files, following this guide
  • I installed wireguard_client on my YNH server and linked the connection to the Fritzbox (by importing the config file)
  • I also installed a wireguard client on my Android smartphone, also connected to the Fritzbox (a different config file)

Questions:

YNH server

  • So does the Fritzbox act as the wireguard 'server'? Or is it just another client, and I only have "endpoints" that communicate with each other?
  • In general, is wireguard for security or for confidentiality?
  • does installing wg_client on my YNH make sense, given that the YNH server already communicates with the outside world through the Fritzbox anyway?
  • does this connection hide the content/nature of the data from my ISP? Or not at all, since the tunnel only exists within the local network, and whatever goes out of/comes into the Fritzbox to/from the internet is not affected at all?
    –> example: a torrent client on my YNH: I imagine that by default the ISP can see both the nature and the content of the exchanges (nature=torrent, content=linux mint iso). Does the wireguard VPN (YNH<->fritzbox) affect either of them?

Smartphone:

  • when I use my smartphone from outside with the wg_client, it's indeed as if I were at home, for example access to a NAS that is not exposed to the outside; does using this VPN hide the nature of the traffic?
  • I think I understood that it secures a connection, for example when connecting to a public WiFi and enabling the VPN connection to my box; what does this securing consist of?

Commercial VPNs:

  • I now have a VPN client and a VPN server(?); what's the point of paying for, say, NordVPN or Mullvad?
  • how would that fit into my current setup? (I imagine I'd have to act at the Fritzbox level by following this other guide, but would I still need the client on my YNH?)

Thanks in advance; if you have resources (even in English) that cover VPN + selfhosting with a simple, logical breakdown, I'm interested.

(Upcoming question: headscale vs wireguard... can exposing my YNH server by opening ports be replaced by headscale...)

Bonjour alami,

My French is about enough to understand your story, but not enough to answer, so… More English :wink:

Critical for quite a few of your questions is the information that you did not provide by deleting the template that helps forum members help you, most importantly:

Where is your YNH? Is it at home or somewhere else? If somewhere else, in which country? I’ll refer to this point as “X” :stuck_out_tongue:

Wireguard is different from traditional VPN, in that all machines are peers (as opposed to having a VPN server such as OpenVPN and clients connecting).

The connection between the two machines is encrypted: it is secure as well as confidential.

This depends on “X”

This depends on “X”, and on how people connect to your YNH

Indeed, the VPN nature of Wireguard makes your phone ‘virtually’ a part of your home (private) network. If you have music on your NAS, and are listening to music on your phone over Wireguard while on the road, your ISP can see a constant stream of data out of your home, but not what kind of data it is. Knowledgeable persons might guess (“A constant bitstream of x kb/s, it might be a stream of a security cam or an MP3-player”) but not more than that.

In the same way as your ISP can not look into the data going in-and-out of your Fritzbox when it is secured by Wireguard.

When you use a WiFi point at a train station or a shop, the owner of the WiFi point could look at the data. When visiting https-sites, nothing legible is visible, but when accessing a POP3 server over a non-encrypted connection, they could read the mails that your phone downloads from the server.

Now that your phone is connected via Wireguard to your Fritzbox, all traffic flows through this channel. There is a small un-encrypted ‘envelope’ that has readable network information on the outside. The owner of the WiFi point could read that your phone is communicating with IP …, that is your home IP, but not what kind of communication.

This connection from your phone to your Fritzbox is called the ‘tunnel’: something goes in on one side, it comes out on the other side, but in the middle someone can only see a tunnel, not what is in it.

Before answering this question, what was ever your point for paying for these companies? For which goal do you use their services?
(In their case they run OpenVPN, which is a client/server architecture; as stated before, Wireguard is peer to peer: each side can connect to another)

I’m sure this does not answer all your questions. To help you further, it is important to know whether your YNH is at home or elsewhere, and what your object(s) with the VPN connection(s) are.
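The "un-encrypted envelope" described in the reply above can be made concrete by looking at what a WireGuard datagram exposes on the wire. The following is an added example, not code from the thread, from YunoHost or from the WireGuard project: it lays out a transport-data message as the WireGuard protocol specifies it (type byte 4, three reserved zero bytes, a little-endian receiver index and counter, then ChaCha20-Poly1305 ciphertext with a 16-byte tag) and reports what a passive observer such as the hotspot owner can read. The addresses, the receiver index and the ciphertext filler are constructed sample values; `observer_view` and `build_transport_message` are names chosen for this example.

```python
import struct

# WireGuard message types (first byte of every WireGuard UDP payload).
MESSAGE_TYPES = {
    1: "handshake initiation",
    2: "handshake response",
    3: "cookie reply",
    4: "transport data",
}

# Transport data header: type (1 byte), 3 reserved zero bytes,
# receiver index (u32 little-endian), counter (u64 little-endian).
TRANSPORT_HEADER = struct.Struct("<B3sIQ")
POLY1305_TAG_LEN = 16


def observer_view(src, dst, payload: bytes) -> dict:
    """Return what a passive on-path observer (e.g. the owner of a public
    WiFi hotspot) can learn from one WireGuard datagram: the outer
    addresses, the message type and, for data packets, the unencrypted
    header fields and the size of the ciphertext. Nothing else is
    readable; the inner IP packet is encrypted."""
    if not payload:
        raise ValueError("empty datagram")
    mtype = payload[0]
    view = {
        "src": src,
        "dst": dst,
        "message_type": MESSAGE_TYPES.get(mtype, "unknown"),
        "datagram_len": len(payload),
    }
    if mtype != 4:
        return view
    if len(payload) < TRANSPORT_HEADER.size + POLY1305_TAG_LEN:
        raise ValueError("transport message too short")
    _, reserved, receiver_index, counter = TRANSPORT_HEADER.unpack_from(payload)
    if reserved != b"\x00\x00\x00":
        raise ValueError("reserved bytes must be zero")
    ciphertext = payload[TRANSPORT_HEADER.size:]
    view.update({
        "receiver_index": receiver_index,
        "counter": counter,
        "ciphertext_len": len(ciphertext),
        # The plaintext is padded to a multiple of 16 bytes before
        # encryption, so only a rough size of the inner packet leaks.
        "inner_len_upper_bound": len(ciphertext) - POLY1305_TAG_LEN,
        # A keepalive carries an empty plaintext: just the 16-byte tag.
        "is_keepalive": len(ciphertext) == POLY1305_TAG_LEN,
    })
    return view


def build_transport_message(receiver_index: int, counter: int, ciphertext: bytes) -> bytes:
    """Constructed sample datagram (not real WireGuard output): the header
    is laid out as the protocol specifies, but the ciphertext is opaque
    filler standing in for the encrypted inner packet."""
    return TRANSPORT_HEADER.pack(4, b"\x00\x00\x00", receiver_index, counter) + ciphertext


if __name__ == "__main__":
    # Constructed example: a phone on hotel WiFi (203.0.113.7) talking to
    # the home Fritzbox (198.51.100.20:51820); both are documentation addresses.
    sample = build_transport_message(0x11223344, 7, b"\xAA" * 64 + b"\xBB" * 16)
    print(observer_view("203.0.113.7:49152", "198.51.100.20:51820", sample))
    keepalive = build_transport_message(0x11223344, 8, b"\xCC" * 16)
    print(observer_view("203.0.113.7:49152", "198.51.100.20:51820", keepalive))
```

What the observer gets is exactly the "envelope": the two IP:port pairs, the fact that this is WireGuard data, a per-session index, a packet counter and a length. The inner packet, and therefore whether the phone is streaming music from the NAS or fetching mail, stays inside the tunnel.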

Thank you so much for answering, and you are right I should have stated more details about my setup:
It is a x86_64 pc that I have at home, on which I installed the latest yunohost version. I didn’t do much to deviate from what could be called a standard install, except installing gnome, as I administer it mostly from direct screen/keyboard. I also have access to it from outside my network from the web interface and via ssh.

As this replies to what/where “X” is, glad if you could help further. You already gave me some good insights, but also some more questions :wink:

I am then confused that these two exist:
Wireguard (server)
Wireguard client

To be clear I have not subscribed to NordVPN, Mullvad or any other commercial VPN. I am just wondering what all the fuss is about, when setting up Wireguard is so easy. Maybe these offers are for people that are not into selfhosting? In my case, would there be any added value? (PS I saw for example that Mullvad is also compatible with wireguard (probably others too), but again I don’t understand what to do with this info)

Hi alami,

My bad. I found out in the meantime that the helpful suggestion I was referring to does not apply to threads started in the “Discuss” section. Thank you for elaborating :wink:

Hmm… You are quite right, that is confusing :smiley:

I think the different packages only have different extras to help you set up a connection. Even though Wireguard works P2P, mostly you would designate your Yunohost a ‘server’ role, and call your phone a client while connecting to it.

Hahaha, yes, indeed :stuck_out_tongue:

Here I can only guess. You probably know that in the United States internet is not as free as in Europe. Not only are there draconian measures against file sharing in the United States, for what I understand ISP’s there also spy on their customers’ surfing behaviour to sell this information to the highest bidder, and they (used to?) inject their customers’ traffic with advertisements.

In these cases VPNs are not used as ‘originally intended’ (to connect two separate LAN environments as if it was one undivided LAN), but to extend the LAN to one single computer outside the US, namely the gateway. In your own LAN, using default Fritzbox settings, the gateway is 192.168.178.1 ; this is the connection between your LAN and the outside world (and coincidentally, it is a router as well).

When using a commercial (or selfhosted, on a VPS for example) VPN, the role of gateway is played by the computer of the VPN provider. To ward against all three threats above, it would be a computer outside the US. Because the computer is (via VPN) part of the LAN, the ISP can not see what traffic goes over the ‘line’ (so, no spying and no injected advertisements); because the connection between this ‘extended LAN’ and the outside world is located outside the US, different laws regarding file sharing apply.

The whole use case is different than having a VPN connection from your phone to your home LAN, to browse photos on your NAS, for example. Mullvad or NordVPN can not help in that case.

Both solutions, internet access for your phone over VPN via your Yunohost or Fritzbox on the one hand, and Mullvad/NordVPN etc on the other hand, allow you to safely browse the internet when connecting to an insecure WiFi network.

In your case, with Yunohost at home, there is no functional difference between setting up a Wireguard connection from your phone to either Yunohost or Fritzbox. Both options give access to the home LAN and allow you to browse the Internet ‘as if you were at home’. When staying abroad, your bank would recognize traffic as coming from your home Internet connection, without safety measures for “international access” coming to life (for example, if your bank has such a thing). There is no use in setting up a Wireguard connection from Yunohost to your Fritzbox (there would be if your Yunohost was on a VPS).
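The two use cases the replies distinguish (reaching the home LAN only, versus sending all of the phone's internet traffic through home as a commercial VPN would through its gateway) are decided on the phone side by the peer's `AllowedIPs` line, which WireGuard uses for its cryptokey routing. The following is an added example, not code from the thread, from YunoHost or from the Fritzbox guides: it parses two constructed phone configs for the same home peer, one split-tunnel (only `192.168.178.0/24`, the Fritzbox default LAN mentioned above) and one full-tunnel (`0.0.0.0/0, ::/0`), and applies WireGuard's longest-prefix rule to decide whether a given destination enters the tunnel. The key placeholders, the `home.example.invalid` endpoint and the `10.10.10.0/24` tunnel range are assumptions for the example; `parse_wg_config`, `select_peer` and `goes_through_tunnel` are names chosen here.

```python
import ipaddress

# Constructed phone-side config (not generated by a Fritzbox): split tunnel,
# only the home LAN 192.168.178.0/24 and the tunnel range go through WireGuard.
PHONE_SPLIT_TUNNEL = """
[Interface]
PrivateKey = <phone-private-key>
Address = 10.10.10.2/32

[Peer]
PublicKey = <fritzbox-public-key>
Endpoint = home.example.invalid:51820
AllowedIPs = 192.168.178.0/24, 10.10.10.0/24
PersistentKeepalive = 25
"""

# Same peer, full tunnel: every destination is routed via home, so the
# hotspot owner only ever sees the encrypted envelope.
PHONE_FULL_TUNNEL = PHONE_SPLIT_TUNNEL.replace(
    "AllowedIPs = 192.168.178.0/24, 10.10.10.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")


def parse_wg_config(text: str) -> dict:
    """Minimal parser for the wg-quick INI-like format: one [Interface]
    section and any number of [Peer] sections (configparser is unsuitable
    because the [Peer] section name repeats). Splits on the first '='
    only, since base64 keys end with '='."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    for peer in peers:
        peer["AllowedIPs"] = [
            ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()
        ]
    return {"interface": interface, "peers": peers}


def select_peer(config: dict, destination: str):
    """Cryptokey routing as WireGuard does it: the peer whose AllowedIPs
    entry matches the destination with the longest prefix wins. None means
    the packet does not enter the tunnel and leaves via the normal
    (e.g. hotspot) route, where the WiFi owner can inspect it."""
    dest = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for peer in config["peers"]:
        for net in peer["AllowedIPs"]:
            if net.version == dest.version and dest in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def goes_through_tunnel(config_text: str, destination: str) -> bool:
    """True if traffic to `destination` is encrypted into the tunnel."""
    return select_peer(parse_wg_config(config_text), destination) is not None


if __name__ == "__main__":
    for label, cfg in (("split", PHONE_SPLIT_TUNNEL), ("full", PHONE_FULL_TUNNEL)):
        for dest in ("192.168.178.1", "93.184.216.34"):
            print(f"{label:5} tunnel, {dest:15} -> tunnel: {goes_through_tunnel(cfg, dest)}")
```

With the split-tunnel config the NAS at home is reachable but a visit to a public website leaves the phone in the clear on the hotspot; with `0.0.0.0/0` that same visit is wrapped in the tunnel and exits from the home connection, which is the "as if you were at home" behaviour described above. Whether the home peer is the Yunohost or the Fritzbox makes no difference to this decision.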
