using wireguard protocol vs individual ssl connection?
I have a bunch of linodes serving specific functions, with various levels of allowed access to the outside internet.
A few of them are apache servers that will be making http rest api calls to each other.
A few others are a postresql instances that will be providing a db connection to the apache servers.
My question is, I'm wondering if I can just save myself a lot of work and potential for error if I wire them all up onto a Wireguard local network for communicating with each other? Instead of ensuring I have ssl certs and the hassle of letsencrypt certbot on firewalled servers.
Has anyone had experience with this type of setup? Was it reliable? How was performance?
The main concern I had is trying a newish method versus the tried and true for securing comms between servers.
This post is a followup to another question I asked: https://www.linode.com/community/questions/19105/network-latency-performance-within-data-center#answer-70488
Any insight is much appreciated.
Thank you!
1 Reply
Yes, I think it's a good idea. I'm using similar setup with static IPsec in transport mode, something along the lines of this http://www.process.com/docs/multinet5_5/install_admin/chapter_29.html
and use ansible to manage the keys and deploy to the individual servers.
Regarding performance and latency, this setup may perform better than using TLS on each individual connection, because you skip the TLS negotiation on each connection (even with proper TLS caching there is some overhead).
Be careful though because your apps will have to rely on encryption on a different layer, e.g. if your VPN setup failed to start or is misconfugured, your apps will happily talk plain-text. Some kind of monitoring may be warranted here.