Matt Mossholder via plug on 2 Aug 2025 19:45:48 -0700

Re: [PLUG] VPN Recommendation Wanted


I'm not seeing anything in that RFC that supports what I think your position is.  It sounds like your point is that a VPN is full mesh, while a tunnel is point-to-point, but that isn't stated anywhere in the RFC you provided.

virtual private network (VPN)
      (I) A restricted-use, logical (i.e., artificial or simulated)
      computer network that is constructed from the system resources of
      a relatively public, physical (i.e., real) network (e.g., the
      Internet), often by using encryption (located at hosts or
      gateways), and often by tunneling links of the virtual network
      across the real network. (See: tunnel.)

      Tutorial: A VPN is generally less expensive to build and operate
      than a dedicated real network, because the virtual network shares
      the cost of system resources with other users of the underlying
      real network. For example, if a corporation has LANs at several
      different sites, each connected to the Internet by a firewall, the
      corporation could create a VPN by using encrypted tunnels to
      connect from firewall to firewall across the Internet.

This definition says (to me) that a VPN has at least two endpoints, and -can- have more, but doesn't require more than 2 nodes.  Effectively, I take it that a VPN is an aggregation of one or more links, which are almost always encrypted. (Please ignore the telcos that try to tell you unencrypted links like MPLS are VPNs. That is just them trying to co-opt the term.)


     --Matt

On Sat, Aug 2, 2025, 4:53 PM brent saner via plug <plug@lists.phillylinux.org> wrote:
On Sat, Aug 2, 2025, 16:25 Jonathan Caicedo <jonathan@jcaicedo.com> wrote:
I don’t want to split hairs - whatever you think WireGuard is or isn’t - it can help fulfill Casey’s needs - so it’s worth including in the conversation. 
I'll stick with the IETF on this, thanks. RFC 4949.

All VPNs are tunnels. Not all tunnels are VPNs. No VPN is a peer-to-peer tunnel. No peer-to-peer tunnel is a VPN. Yes, everyone calling WireGuard a VPN is still wrong. Inattention to detail, lax terminology usage, and insistence upon their proliferation leads to breakage. Welcome to prod.

Using a VPN vs. a peer-to-peer tunnel has direct impact on the context of the client and the scope of the link *which is why there is a distinction in the first place*.

A P-to-P, *by default and intent*, is a 1:1 connection.

A VPN, *by default and intent*, is a 1:(n<->n) connection.

The former requires inherent trust of a single foreign host. The latter requires inherent trust of multiple - potentially an unknown number - of foreign hosts.

Learn something instead of doubling down on being incorrect.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug