Fazal Majid's low-intensity blog

Sporadic pontification

A pack of... backpacks

TL:DR I try way too many backpacks so you don’t have to

I have many bags. So many I no longer keep an inventory in a spreadsheet but use a relational database to track. For a very long time, I preferred messenger bags but at age 36 I started developing muscle spasms in the right shoulder. After a few years of off and on physical therapy, I figured out it was the asymmetric load from the shoulder bag that was causing it (even though the load was on the left shoulder). This left me no option but to switch to backpacks exclusively, despite their less than ideal looks.

There are many reviews on the web, including on YouTube, but most are influencer shills who will not disclose the flaws of the bags, or simply don’t use the evaluation copies long enough to find out. Some sites like Carryology have inherent conflicts of interest because they share ownership with a manufacturer (Bellroy), and surprise surprise, those dominate the Best Of rankings, go figure.

You can get more honest feedback on the many Reddit bag-related forums (r/backpacks, r/ManyBaggers, r/onebag) or on blogs, but it does require wading through post after post.

EDC Loadout

Here are my reviews on backpacks I have actually owned and used. But before we start, you need to know what I carry in them to assess whether my needs are congruent to yours:

  • 13″ MacBook Air
  • Sometimes a 17″ LG Gram 17 instead (running Linux, of course)
  • 12.9″ iPad Pro 2020
  • A Tech Dopp Kit
  • A full-size mirrorless camera with mid-size lens (Nikon Z7, Fuji X-T4 or Leica M11)
  • Apple AirPod Max or Sony WH-1000XM3 noise-cancelling headphones in their case
  • London Undercover folding umbrella (I live in rainy London now…)
  • Sometimes a Bluetooth mechanical keyboard (Keychron K7 in its fitted leather case)
  • Zeiss Victory Pocket 8×25 binoculars, or if this is a serious birdwatching trip, Swarovski NL Pure 8×42
  • a water bottle
  • a first-aid kit

Features I look for

  • Comfort
    • The quality of the straps (especially relevant for women and their distinct upper-body anatomy)
      • How well are they contoured and padded?
      • Whether they have a sternum strap or not
    • The material on the back: is it breathable, especially in warmer climes?
    • Does the weight rest in the right position on your back?
  • Quality of materials
    • Water-resistance (taped seams, AquaGuard zippers)
    • Abrasion resistance
    • Is the material too rough and will it scuff your clothes, e.g. certain grades of Cordura?
    • Is it pleasant to the hand and looks good?
    • Better technical materials like Dimension Polyant X-PAC or DSM Dyneema combine strength with light weight
    • Zippers: YKK is a good choice, or higher-end brands like RiRi. No-name zippers are a red flag: what other corners did they cut?
    • Quality of stitching, e.g. bar-tacking in stress points
    • Quality of hardware, e.g. metal instead of plastic, or premium hardware like Fidlock or Austri-Alpin buckles
    • Velcro is usually a bad sign, it is noisy, collects lint
  • Capacity
    • Bag makers are surprisingly bad at estimating the capacity of their bags, even though there is an official ASTM standard for this
    • Resist the temptation to overpack
  • Organization
    • Ease of access and packing using a full-clamshell design
    • Beware of excessively organized bags
      • When you don’t need all of the organization, it still adds weight and reduces the usable space in compartments.
      • Several smaller compartments are less versatile than a single larger, less organized but more flexible compartment that can take odd-sized items like a camera, full-sized headphones, bike helmet or shopping
      • I have never understood the point of cell phone pockets in a bag. By the time you take the bag off, open it and extract your phone, surely the call has gone to voice mail?
    • Laptop compartment
      • Is the laptop suspended? If not, and you put the backpack down on the floor abruptly, the laptop will hit the hard floor and sustain damage
      • Are there metallic zipper teeth that could scratch your laptop?
      • Are the zippers waterproof, e.g. YKK AquaGuard? If not, water could get in and damage your laptop

EDC (Every Day Carry) and Work Bags

Rofmia × Cathedral Shift Daypack V2 ★★★★★

This is a limited edition version of their Dyneema Daypack V2 in Dyneema Leather. Amazing material, but twice the price and less practical, as it is heavier and less water-resistant. The things we do for bragging rights…

Dyneema Leather has the crinkled Tyvek-like look of Dyneema. It is too thin to have the luxurious hand feel of leather, but it is certainly a kind of leather.

The bag is incredibly light, and has interesting touches like a triple zipper and a collapsible internal water pocket. Sternum strap with a Fidlock buckle, as could be expected at this price. It is by far my favorite EDC bag when it is not raining, and I got the regular Dyneema one for when it is.

Able Carry Daybreaker 2 ★★★★

My current work backpack. It’s thin and tall, with slightly less capacity than the Rofmia Daypack V2. Because of this, and the top-heavy nature of the stash pocket, it is very hard to keep from toppling when set on the floor. The weight savings over my previous work bag, the Black Ember Citadel, are appreciable, almost a kilogram, and the bag is an outstanding value even in its more expensive X-PAC X42 version. It doesn’t have a dedicated laptop sleeve, but I can fit a work 16″ MacBook Pro in a thick Waterfield Designs SleeveCase and my personal 13″ M1 MacBook Air in a leather sleeve within the provided pocket.

It has many convenient lash points to secure things inside and outside the bag, for instance I keep my umbrella in the inside water pocket and secure the handle at the top with a silicone tie. It’s a feature I wish more companies would imitate.

DSPTCH Ridgepack Dyneema ★★★★★

A very light minimalist backpack with a distinctive silhouette. The large main compartment lets you organize as you see fit and is very versatile, with a laptop sleeve if you need one. A full clamshell YKK AquaGuard zipper ensures water-resistance, but it is also harder to open than conventional zippers (pro tip: fold back the rain flap that shields it to make opening easier). One corner cut that should not have been in a bag at this price: the plastic hardware, and the cheap Duraflex buckle in the sternum strap instead of a Fidlock. One strange touch is the detachable clips at the top of the shoulder straps. They serve no discernible purpose, make the straps susceptible to twisting, and probably reduce durability. Made in the USA.

DSPTCH RND Daypack Dyneema ★★★

A larger work-oriented backpack with a separate laptop compartment and large capacity. It has the same disappointing cheap hardware as the Ridgepack and the same shoulder strap clips. The bag does not have a full clamshell opening, which makes it harder to pack or to access contents.

Black Ember Shadow 26L ★★★★

This bag has the same apparent capacity as my 19L Brown Buffalo, I would say it is a 20L bag, certainly not 26L. Less structured than their Citadel, with more usable space. The material is a fine-denier ballistic of some sort, not a slick coated tarp-like fabric like on the Citadel. The built-in nonremovable tech organizer, somewhat reminiscent of the Peak Design Tech Pouch in its alternating pocket design, is a polarizing feature. It does obstruct the opening of the bag a bit, and the retaining strap could be secured to the flap better.

Black Ember Citadel Minimal R2 ★★★

A handsome, very organized bag, perhaps too much so. Unlike the Aer Tech Pack 2, it actually has a usable main compartment (as long as your laptop pocket is not too stuffed), and the quality of materials is better. Bonus points for the full-clamshell design and sternum strap. Very water-resistant (IPX7 rated, in fact). I still prefer the less structured Shadow.

Timbuk2 Parkside ★★★★

A basic laptop backpack issued to me by my employer, and the name evokes nostalgia as I used to live in the Parkside neighborhood of San Francisco, where Timbuk2 is based. Deceptively capacious. Nothing particularly remarkable or outstanding about it, but it’s a great value.

UCON Acrobatics Alan bag, Olive ★★

My only roll-top backpack. Made of green neoprene. Tall but slim, moderate capacity, very water-resistant, but limited organization inside. Ultimately I hardly ever use it because the roll-top design, combined with a narrow and very tall bag, makes it hard to pack.

Tumi Mission Bryant leather backpack ★★★★

This was my daily work bag for a long time. It was made by Tumi before their acquisition by Samsonite after which quality has reportedly gone downhill. Bought on sale from Vente-Privée.com. Very good quality, large capacity, but currently in storage since I moved to the UK.

Knomo Albion, brown & black ★★★★

I have both the black and brown versions of this handsome full-grain leather bag from British brand Knomo, well known for its elegant women’s laptop bags, but that also has a line for men. The design is simple with fairly limited organization, but it has ample capacity and looks good, and the price is an outright steal for the quality (I paid $100 for my first on Massdrop and £134 for the second from their Covent Garden shop). Sadly it is discontinued, but some new-old-stock is still available online.

Capra Leather Tamarao Backpack, Hunter Green ★★★

A very large but very slim leather backpack made by Colombian artisans. I got the large one in hunter green (you can never be too rich or too green is my motto), it is really more of a dark olive green, and reasonably close to the product photos on my calibrated monitor.

The bag is much sleeker than I expected, about 10cm thin. Because it is the large size, the laptop pocket fits my LG Gram 17 perfectly, admittedly it is fairly small for a 17″ laptop. I am 1m81/6′, and I wouldn’t recommend the large size for someone shorter.

The leather quality is very good, I haven’t had the time to verify its water resistance. The visible stitching looks saddle-stitched to my untrained eyes. I opted for the baggage passthrough loop. It is made of black suede like the back lining of the bag, I am not sure it is that worthwhile an option.

The straps are straight and padded with suede, very basic and not contoured to fit your body shape. I think they were designed to look good when you carry the bag by the hand strap.

The interior lining is a black linen material, not the medium gray shown on their website. On the plus side, that means stains won’t show, but it also means stuff is harder to find inside, although I am not sure how much that matters in a relatively small capacity bag like this.

Something to keep in mind: the bag doesn’t have an internal frame and the leather is soft, not stiff, so you would expect it to flop if not filled or at least with large items like a laptop or large sketchbook to keep its structure. I’m not sure what the purpose of the two zippers is on the back panel, they both open on the same small compartment. I suppose you could roll a jacket or sweater and slide it in there.

GoRuck GR1 Slick 26L ★★★

GoRuck bags have an enviable reputation for durability, but the tacticool touches (MOLLE and velcro for morale patches) are a bit much for someone whose military service is 30 years in the past. The Slick version, available from Huckberry, drops those. It is a very large bag, with MOLLE inside you can attach admin pouches or organizers to, a much better approach than velcro in my opinion, even if it does take a while to attach. The laptop section is very well protected. That said it is very crude, from the sandpaper-like Cordura material, to the very plain zipper pulls (basically paracord tied at the ends with heat-shrink tubing) and other details.

The Brown Buffalo Conceal Backpack V3 ★★★★

I have the 19L version in X-PAC. The build quality is excellent, but the design is perfectible, and an already expensive bag is made more so by the fact no laptop sleeve is included. The front side-loading compartment is awkward to load a 13″ laptop into, and the velcro inside the main compartment (to attach organizers or the laptop sleeve) is the completely wrong approach as far as I am concerned. The two deep pockets are quite good, though, large enough to hold a big water bottle or full-sized keyboard. Unfortunately after the reboot of the company, the new versions have dropped the best features and kept the questionable ones.

Chrome Hondo Welterweight Backpack ★★

Very boxy backpack. I now use it primarily to stow some electronics test & measurement equipment (oscilloscope, power supply).

JanSport Mono Superbreak Mystic Pine ★★★

Cheap and cheerful (literally, a bright green) but has a surprisingly good warranty. Can’t be beat for value.

Aer Tech Pack 2 (no stars)

I had the Tech Pack 2, used it for a couple of weeks then got rid of it. It is very heavy, very stiff, and excessive organization means you end up with a lot of tiny inflexible compartments that won’t accommodate bulkier items like a DSLR or full-sized headphones. What’s worse, the tiny opening makes it very hard to access stuff, and unlike my Flight Pack X-PAC there is no bright orange lining to make things easy to find.

Timbuk2 Blue Backpack ★★

A cheap and cheerful Timbuk2 backpack, don’t remember the model and it is probably discontinued anyway. Not much to say about it.

Moleskine Green Leather classic backpack ★★

A medium-sized backpack in an olive drab leather. The interior lining is a bit floppy and doesn’t seem all that durable. The bottom of the bag is molded EVA foam and looks tacky in comparison with the rest of the design.

Compact backpacks

Mission Workshop Spar harness VX ★★★★

Very small backpack I bought on a hot summer day where wearing my usual jacket was not an option. Can barely hold a 12″ MacBook in its laptop sleeve, a 13″ MacBook Air or 12.9″ iPad Pro is out of the question. Surprisingly comfortable straps. Also available in a sling harness that can be swapped with the backpack harness.

Arktype Design Dashpack Green waxed canvas LE ★★★

Very slim bag that discourages overpacking. The side-access compartment is on the small side and it is hard to insert a 13″ laptop without it catching. There is some MOLLE on the bottom, but not obnoxiously so. The rear compartment is designed to be used with the bag horizontal as you swing it, but that is not how I use a bag so it works at cross-purposes. Mine is the very short-lived green limited edition, a forest green in waxed canvas, quite good-looking. Sadly, I must dock points for the lack of a sternum strap. The compression straps on the side are completely useless and obstruct access to the water bottle pockets.

Baron Fig Venture Slimline Backpack ★★★

A very slim backpack, meant to hold a laptop or notepad and not much else. Very basic straps (canvas webbing, no padding or sternum strap, and simplistic adjustment buckles, albeit metal). It’s made of canvas so I would expect zero water-resistance. I suspect if you are tall enough you can actually wear it concealed under your jacket or raincoat like the old Betabrand Under-the-Jack Pack.

Moleskine Green Leather Device Bag ★★

A small, very thin bag that is part vertical briefcase and part backpack. Nice green color, but little else to recommend it.

Porsche Design Backpack ★★★

One of the first bags I got. Small, trapezoidal design, quite elegant but the materials are fairly ordinary and the leather grab handle has cracked.

Camera Backpacks

Gura Gear City Commuter

Gura Gear is known in the photography community as making very high quality bags that are also very lightweight thanks to the use of technical materials like X-Pac that are surprisingly uncommon in camera bags. The Kiboko City Commuter is a more compact and EDC-like version of their well-regarded Kiboko backpacks. It certainly does the job but I am not that fond of the roll-top compartment at the top, and the two wing flap compartments are deceptive as they do not give access to the equipment, which is good for security but makes for cumbersome access. The regular Kiboko is probably a better option.

Peak Design Every Day Backpack ★

I have the Everyday V2. It’s not a good EDC bag at all and only a middling camera bag. The mesh fabric on the side flaps does not feel right. If you like the concept of mixed camera and EDC bag the Gitzo Century Traveler backpack is a much better option, with clever design touches like a tripod carrier and lens cap stash pocket.

Gitzo Century Traveler Backpack ★★★

A very interesting photo backpack, a much better execution of the Peak Design EDC backpack concept in my opinion. Has some smart touches like a tripod holder designed for the Gitzo Traveler mini-tripod (hence the name), or a stash for your lens cap.

The camera section has a removable insert whose sides can be unzipped for quick access from the sides of the backpack, a better design than the Peak Design. Unfortunately it has very limited space for stuff other than the camera and laptop, which limits its usefulness as a travel or EDC bag.

Travel Backpacks

Able Carry Max ★★★★

A large bag for when that is called for, even if I doubt it actually has 30L capacity; it seems more like the 26L GoRuck GR1. It is made of quality materials (X-PAC, but with a more abrasion-resistant Cordura bottom), and available in colors other than boring black (I have it in green, even if it is more of a dark khaki). Like the Daybreaker, it has convenient lash loops.

The water bottle pocket is excellent, large enough to hold a champagne bottle, or more to the point, a large folding umbrella.

Aer Flight Pack 2 ★★★

I have the X-PAC version (starting to sound like a refrain?). It is a good travel bag, the bright orange lining makes it easy to find things in, the design is not stiff and cramped like the Tech Pack 2. However the convertible design (so you can use it as a briefcase) is a bad idea, that means it cannot be a full clamshell and as neither fish nor fowl the design is compromised.

Bedouin Foundry Pequod ★★★

This bag features top-quality materials as befits the price, leather, Dyneema and Austri-Alpin Cobra paragliding buckles. There is no way this is a 30L bag, 20L at most if that. Interesting tapering shape towards the bottom. It’s best seen as a duffel that can also be worn as a backpack. Not incredibly practical but a looker.

Automating Epson SSL/TLS certificate renewal

Network-capable Epson printers like my new ET-16600 have a web-based user interface that supports HTTPS. You can even upload publicly recognized certificates from Let’s Encrypt et al.; unfortunately the only options they offer for doing so are a Windows management app (blech) or a manual web form.

When you have to upload this every month (that’s when I automatically renew my Let’s Encrypt certificates), this gets old really fast, and strange errors happen if you forget to do so and end up with an expired certificate.

I wrote a quick Python script to automate this (and yes, I am aware of the XKCDs on the subject of runaway automation):

#!/usr/bin/env python3
import io
import requests
import html5lib

URL = 'https://myepson.example.com/'
USERNAME = 'majid'
# Admin UI password: keep this file out of version control and readable
# only by the user that runs the renewal job.
PASSWORD = 'your-admin-UI-password-here'
KEYFILE = '/home/majid/web/acme-tiny/epson.key'
CERTFILE = '/home/majid/web/acme-tiny/epson.crt'

########################################################################
# step 1, authenticate to the printer's web UI and keep its session cookie
set_url = URL + 'PRESENTATION/ADVANCED/PASSWORD/SET'
r = requests.post(set_url,
                  data={
                    'INPUTT_USERNAME': USERNAME,
                    'access': 'https',
                    'INPUTT_PASSWORD': PASSWORD,
                    'INPUTT_ACCSESSMETHOD': 0,
                    'INPUTT_DUMMY': ''
                  })
assert r.status_code == 200
jar = r.cookies

########################################################################
# step 2, get the cert update form iframe and its setup token
form_url = URL + 'PRESENTATION/ADVANCED/NWS_CERT_SSLTLS/CA_IMPORT'
r = requests.get(form_url, cookies=jar)
tree = html5lib.parse(r.text, namespaceHTMLElements=False)
# file inputs carry no value attribute, so default to an empty string
data = {f.attrib['name']: f.attrib.get('value', '')
        for f in tree.findall('.//input') if 'name' in f.attrib}
assert 'INPUTT_SETUPTOKEN' in data

########################################################################
# step 3, prepare the upload: key and certificates go as files, not fields
data['format'] = 'pem_der'
for field in ('cert0', 'cert1', 'cert2', 'key'):
  data.pop(field, None)

upload_url = URL + 'PRESENTATIONEX/CERT/IMPORT_CHAIN'

# Epson doesn't seem to like bundled certificates,
# so split the chain into its components (leaf first, as in the bundle)
with open(CERTFILE, 'r') as f:
  full = f.readlines()
certno = 0
certs = dict()
for line in full:
  if not line.strip(): continue
  certs[certno] = certs.get(certno, '') + line
  if 'END CERTIFICATE' in line:
    certno = certno + 1
# the form only has three certificate slots, cert0..cert2
assert len(certs) <= 3, f'chain has {len(certs)} certificates, form only takes 3'
with open(KEYFILE, 'rb') as f:
  key_bytes = f.read()
files = {
  'key': io.BytesIO(key_bytes),
}
for certno in certs:
  files[f'cert{certno}'] = io.BytesIO(certs[certno].encode('utf-8'))

########################################################################
# step 4, submit the new key and certificate chain
r = requests.post(upload_url, cookies=jar,
                  files=files,
                  data=data)

########################################################################
# step 5, verify the printer accepted the cert and is restarting its web server
if 'Shutting down' not in r.text:
  print(r.text)
assert 'Shutting down' in r.text
print('Epson certificate successfully uploaded to printer.')

Update (2020-12-29):

If you are having problems with the Scan to Email feature, with the singularly unhelpful message “Check your network or WiFi connection”, it may be that the Epson does not recognize the new Let’s Encrypt R3 CA certificate. You can address this by importing it in the Web UI, under the “Network Security” tab, then the “CA Certificate” menu item on the left. The errors I was seeing in my postfix logs were:

Dec 29 13:30:20 zulfiqar mail.info postfix/smtpd[13361]: connect from epson.majid.org[10.0.4.33]
Dec 29 13:30:20 zulfiqar mail.info postfix/smtpd[13361]: SSL_accept error from epson.majid.org[10.0.4.33]: -1
Dec 29 13:30:20 zulfiqar mail.warn postfix/smtpd[13361]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
Dec 29 13:30:20 zulfiqar mail.info postfix/smtpd[13361]: lost connection after STARTTLS from epson.majid.org[10.0.4.33]
Dec 29 13:30:20 zulfiqar mail.info postfix/smtpd[13361]: disconnect from epson.majid.org[10.0.4.33] ehlo=1 starttls=0/1 commands=1/2
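The “tlsv1 alert unknown ca” line (TLS alert number 48) is postfix reporting an alert it received from the client: the printer rejected the server’s certificate chain because its own CA bundle lacked the issuer, so the fix belongs on the client’s trust store, not on the mail server. As an added example, not part of the original post, the following Python ties such alerts back to the client that raised them (the alert line itself does not name the client, so the smtpd process id is used to join it to the preceding “connect from” line) and names the alert. The sample log is constructed in the same format as the lines above, with placeholder hosts and addresses.

```python
import re
from collections import defaultdict

# TLS AlertDescription values (RFC 5246 section 7.2, unchanged in RFC 8446) that
# a client sends when it rejects the server's certificate or the handshake.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
}

# Only the smtpd payload matters; the syslog prefix (date, host, facility) varies.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
ALERT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: .*SSL alert number (?P<num>\d+)")
DISCONNECT_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from ")

def tls_alerts_by_client(lines):
    """Return {(host, ip): [alert names]} for every client whose TLS handshake failed.

    The smtpd pid ties the alert line to the 'connect from' line of the same session;
    the session is forgotten on 'disconnect from' because pids get reused.
    """
    sessions = {}                          # pid -> (host, ip) for open sessions
    report = defaultdict(list)
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            sessions[m["pid"]] = (m["host"], m["ip"])
            continue
        m = ALERT_RE.search(line)
        if m and m["pid"] in sessions:
            num = int(m["num"])
            report[sessions[m["pid"]]].append(TLS_ALERTS.get(num, f"alert_{num}"))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            sessions.pop(m["pid"], None)
    return dict(report)

def stale_trust_store_clients(report):
    """Clients that sent unknown_ca: their CA bundle lacks the server's issuer."""
    return sorted(c for c, alerts in report.items() if "unknown_ca" in alerts)

# Constructed sample in the format of the postfix lines above; hosts and IPs are placeholders.
SAMPLE_LOG = """\
Dec 29 13:30:20 mx mail.info postfix/smtpd[13361]: connect from printer.example.org[10.0.0.33]
Dec 29 13:30:20 mx mail.info postfix/smtpd[13361]: SSL_accept error from printer.example.org[10.0.0.33]: -1
Dec 29 13:30:20 mx mail.warn postfix/smtpd[13361]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
Dec 29 13:30:20 mx mail.info postfix/smtpd[13361]: lost connection after STARTTLS from printer.example.org[10.0.0.33]
Dec 29 13:30:20 mx mail.info postfix/smtpd[13361]: disconnect from printer.example.org[10.0.0.33] ehlo=1 starttls=0/1 commands=1/2
Dec 29 13:31:05 mx mail.info postfix/smtpd[13361]: connect from laptop.example.org[10.0.0.20]
Dec 29 13:31:05 mx mail.info postfix/smtpd[13361]: disconnect from laptop.example.org[10.0.0.20] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec 29 13:32:41 mx mail.info postfix/smtpd[13402]: connect from nas.example.org[10.0.0.40]
Dec 29 13:32:41 mx mail.warn postfix/smtpd[13402]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
Dec 29 13:32:41 mx mail.info postfix/smtpd[13402]: disconnect from nas.example.org[10.0.0.40] ehlo=1 starttls=0/1 commands=1/2
"""

if __name__ == "__main__":
    rep = tls_alerts_by_client(SAMPLE_LOG.splitlines())
    for client, alerts in sorted(rep.items()):
        print(f"{client[0]} ({client[1]}): {', '.join(alerts)}")
    print("stale trust stores:", stale_trust_store_clients(rep))
```

Run it against a real mail log (for instance the output of grep postfix/smtpd /var/log/maillog) and the unknown_ca list is the set of devices that need the new intermediate or root imported; a certificate_expired entry, by contrast, points at a device whose clock is wrong or whose CA bundle is too old to know the current root.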

Update (2021-08-01):

The script was broken due to changes in Let’s Encrypt’s trust path. Seemingly Epson’s software doesn’t like a certificate file containing 3 PEM blocks, and shows the singularly unhelpful error “Invalid File”. I modified the script to split the certificate into its component parts. You may also need to upload the root certificates via the “CA Certificate” link above. I added these and also updated the built-in root certificates to version 02.03 and it seems to work:

  • lets-encrypt-r3-cross-signed.pem 40:01:75:04:83:14:a4:c8:21:8c:84:a9:0c:16:cd:df
  • isrgrootx1.pem 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
  • lets-encrypt-r3.pem 91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a

They are available from the Let’s Encrypt certificates page.
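Because the printer only answers “Invalid File”, it pays to validate the chain before it ever reaches the upload form. The following Python is an added example, not the script above nor anything Epson ships: it splits a PEM bundle into single certificates (leaf first, the order ACME clients write it), base64-decodes each one and checks that it is exactly one DER SEQUENCE whose declared length matches the data, which catches truncated files and blocks that were concatenated without their markers. The certificates it builds for its own demonstration are constructed DER wrappers, not real X.509 certificates.

```python
import base64
import binascii
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<b64>.*?)-----END CERTIFICATE-----", re.S)

def is_single_der_sequence(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE whose declared length matches the data.

    An X.509 Certificate is a SEQUENCE, so a truncated or concatenated blob fails here.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                                   # short-form length
        length, header = first, 2
    else:                                              # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)

def split_pem_bundle(text: str) -> list:
    """Split a PEM chain into normalized single-certificate PEM strings, in file order.

    Each block is base64-decoded and frame-checked, so a bundle the printer would
    refuse with an opaque 'Invalid File' fails here with a reason instead.
    """
    out = []
    for i, m in enumerate(PEM_CERT_RE.finditer(text)):
        b64 = "".join(m["b64"].split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as e:
            raise ValueError(f"certificate {i}: bad base64 ({e})") from None
        if not is_single_der_sequence(der):
            raise ValueError(f"certificate {i}: not one well-formed DER SEQUENCE")
        wrapped = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    if not out:
        raise ValueError("no CERTIFICATE blocks found")
    return out

def pem_to_der(pem: str) -> bytes:
    """Inverse of the normalization above, used for checks."""
    return base64.b64decode("".join(pem.splitlines()[1:-1]))

def fake_der_cert(payload: bytes) -> bytes:
    """Constructed test data: payload wrapped in a DER SEQUENCE. Not a real certificate."""
    n = len(payload)
    if n < 0x80:
        header = bytes([0x30, n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x30, 0x80 | len(length_bytes)]) + length_bytes
    return header + payload

def to_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    leaf, intermediate = fake_der_cert(b"L" * 300), fake_der_cert(b"I" * 40)
    bundle = to_pem(leaf) + "# intermediate, as the ACME client appends it\n" + to_pem(intermediate)
    parts = split_pem_bundle(bundle)
    print(len(parts), "certificates; form fields:", [f"cert{i}" for i in range(len(parts))])
    try:
        split_pem_bundle(to_pem(leaf[:-7]))
    except ValueError as e:
        print("rejected truncated certificate:", e)
```

In the renewal job, the list this returns maps straight onto the cert0, cert1 and cert2 file fields; a result longer than three entries means the form cannot carry the chain and the extra certificates belong in the “CA Certificate” store instead.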

Apple iCalendar's buggy SNI

TL:DR If you use Apple’s calendar client software, do not run the server on an IP and port shared with any other SSL/TLS services.

I run my own CalDAV calendar server for my family and for myself. For a very long time I used DAViCal, but it’s always been a slight annoyance to set up on Apple devices because they don’t like DAViCal’s https://example.com/davical/caldav.php/majid URLs. What’s more, recent versions of iCalendar would pop up password prompts at random, and after re-entering the password a couple of times (once is not enough), would finally go on and work. The various devices would also all too often get out of sync, sometimes with the inscrutable error:

Server responded with “500” to operation CalDAVAccountRefreshQueueableOperation

requiring deleting the calendar account and recreating it by hand.

I tried replacing DAViCal with Radicale today, with the same flaky user experience, and I finally figured out why: Apple uses at least a couple of daemons to manage calendar and sync, including dataaccessd, accountsd and remindd (also CalendarAgent depending on your OS version). It seems some or all of them do not implement Server Name Indication (SNI) consistently. SNI is the TLS extension by which a client states, in its ClientHello, which server name it is trying to reach, so that the server can pick the matching certificate and several HTTPS hosts can share one IP address and port; it is an absolutely vital part of the modern web. For example many sites sit behind Amazon Web Services’ Elastic Load Balancer or CloudFront, which serve many customers from shared addresses; if Amazon had to dedicate a separate IP address to each, it would break their business model¹.

Sometimes, those daemons will not send SNI, which means they will be handed your default virtual host. In my case, it’s password-protected with a different password than the CalDAV one, which is what triggers the “enter password” dialog. At other times, they will call your CalDAV server with dubious URLs like /.well-known/caldav, /principals/, /dav/principals/ and /caldav/v2 (the first of these is in fact the standard discovery path from RFC 6764, so expect any client to probe it), and if your server has a different HTTP password for those and sends back an HTTP 401 status code instead of a 404 Not Found, well, that will also trigger a reauthentication prompt.

Big Sur running on my M1 MacBook Air seems to be more consistent about using SNI, but will still poke around on those URLs, triggering the reauthentication prompts.

In other words, the only way I found to get an Apple-compatible calendar server running reliably is to dedicate an IP and port to it that is not shared with anything else. I only have one IP address at home where the server runs, and I run other vital services behind HTTPS, so I can’t dedicate port 443 to a CalDAV server. Fortunately, the account configuration accepts the syntax example.org:8443 to use a non-standard port (make sure you use the Advanced option, not Automatic), but this is incredibly sloppy of Apple.


  1. Amazon does in fact have a Legacy Clients Support option, but they charge a $600/month fee for that, and if you need more than two, they will demand written justification before approving your request.
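If you want to see for yourself whether a given client sends SNI, capture its first packet to the server (tcpdump on the server, filtering on the CalDAV port, is enough) and look for the server_name extension in the ClientHello. The following Python is an added illustration, not part of the original post: it builds two constructed ClientHello records, one carrying SNI and one without, and extracts the name the same way a server does before choosing a certificate. The host name caldav.example.org is a placeholder, and the random field is fixed bytes because this is test data rather than a real handshake.

```python
import struct
from typing import Optional

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed test data: a minimal TLS 1.2 ClientHello record, with or without SNI."""
    cipher_suites = b"\xc0\x2f\xc0\x30"     # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, _256_GCM_SHA384
    body = b"\x03\x03"                      # client_version: TLS 1.2
    body += b"\x11" * 32                    # random: fixed bytes, this is not a real handshake
    body += b"\x00"                         # session_id: empty
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                     # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # server_name(0)
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22)

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name in the ClientHello's server_name extension, or None if absent.

    Raises ValueError if the bytes are not a ClientHello record; a truncated
    ClientHello surfaces as IndexError or struct.error.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                            # client_version + random
    p += 1 + body[p]                                      # session_id
    (cs_len,) = struct.unpack("!H", body[p:p + 2]); p += 2 + cs_len
    p += 1 + body[p]                                      # compression_methods
    if p + 2 > len(body):
        return None                                       # ClientHello without extensions
    (ext_len,) = struct.unpack("!H", body[p:p + 2]); p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        edata = body[p:p + elen]; p += elen
        if etype != 0x0000:
            continue
        q = 2                                             # skip ServerNameList length
        while q + 3 <= len(edata):
            ntype = edata[q]
            (nlen,) = struct.unpack("!H", edata[q + 1:q + 3]); q += 3
            if ntype == 0:
                return edata[q:q + nlen].decode("ascii")
            q += nlen
    return None

if __name__ == "__main__":
    for name in ("caldav.example.org", None):
        print(repr(name), "->", extract_sni(build_client_hello(name)))
```

Applied to a real capture, pass the TCP payload of the client’s first data segment after the handshake; a None result is a client that will land on whatever your web server’s default virtual host is, with that host’s certificate and that host’s password prompt.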

Edgewalker, a DIY VPN server

TL:DR Don’t trust VPN services, roll your own with this easy script.

Rationale

There are many reasons to use a Virtual Private Network. Perhaps you are on an unsecured WiFi network. Perhaps you don’t want your Internet Service Provider to snoop on your browsing history using Deep Packet Inspection and compile a marketing dossier on you. Perhaps like my daughter you want to access video content on Netflix that is not available in your country. Perhaps you want to bypass the nanny state content filters the British government mandates.

Most VPN services are untrustworthy. You depend on the VPN provider’s assurances to protect your privacy, which completely defeats the purpose of a VPN. The only way you can be sure is to run your own, but baroque network protocols, and the complex software they engender, make it difficult to do so even for the technically savvy.

Streisand was one of the first efforts to automate the process, using cloud virtual servers as the hosts operating the VPN. Trail of Bits implemented Algo to simplify it and remove some questionable choices Streisand made (although, to be fair, the Streisand project seems to have jettisoned many of them and converged on WireGuard).

Edgewalker is similar, but awesomer:

  • It is based on OpenBSD, widely considered the most secure general-purpose OS, rather than Linux.
  • Like Algo, it implements IPsec/IKEv2/MOBIKE rather than OpenVPN (read the Algo announcement for the reasons why).
    • IPsec/IKEv2 works out of the box on iOS, iPadOS and macOS.
    • In theory on Windows as well, although I have no idea how to make it work or simplify setup, any help is welcome.
  • It also implements WireGuard (recommended for Linux and Android, along with travel VPN-capable routers like the GL.iNet Mango)
  • It uses QR codes to simplify installation as much as possible on the client devices.
  • It uses Let’s Encrypt so your IPsec certificates just work (WireGuard does not rely on PKI)
  • It uses its own Unbound DNS server with DNSSEC validation support, for better privacy
  • It has no dependencies on Ansible, Python or anything else exotic you need to add on your own machine, other than a SSH client.
  • It is just a shell script with little bits of Python thrown in like Acme-Tiny, and easily auditable.

While you can run the script again as your Let’s Encrypt certificates expire (although it generates new credentials each time), I recommend simply destroying the VM and creating a new one. Of course, if you are running on physical hardware, you will want to rerun the script. If using WireGuard only, you don’t need to rerun the script as WireGuard keys do not expire and there are no certificates.

Prerequisites

You need:

  • A Let’s Encrypt account and key (I’m working on setting this up automatically for you, in the meantime you can use Step 1 on this page to do that for you).
  • An OpenBSD machine reachable from the Internet (it can be a physical machine you own, or a cloud VM like Vultr).
  • The ability to add a DNS record for the machine’s IP address (IPv4 only for now).
  • The 80x25 OpenBSD console does not support UTF-8 and cannot display the QR code in a single screen. Use a different terminal, or enter the profile URL by hand.

If you have a firewall in front of the OpenBSD machine, it needs to allow the following inbound traffic (possibly using static port mappings if you use NAT):

  • SSH (TCP port 22) so you can actually log in to your machine.
  • HTTP (TCP port 80) and HTTPS (TCP port 443), to allow Let’s Encrypt certificate issuance and to let you fetch the Apple-format profiles that ease setup on your iDevice.
  • UDP ports 500 (IKE) and 4500 (IKE and ESP encapsulated in UDP, for NAT traversal). UDP port 1701 is L2TP, not IPsec; an IKEv2 client does not need it.
  • Optionally, the native IPsec protocols ESP (IP protocol number 50, hex 0x32) and AH (IP protocol number 51, hex 0x33), so that traffic need not be encapsulated in UDP, for maximum efficiency, although many firewalls and NAT devices won’t pass them.
  • UDP port 51820 (WireGuard).

Instructions

  • Clone the GitHub repository into one of your own, or copy the file edgewalker.sh somewhere you can download it from without it being tampered with in transit; in practice that means HTTPS.
  • Edit the first lines in the script edgewalker.sh (X509 and USERNAME). Not strictly necessary, but make it your own.
  • Log in as root on your OpenBSD machine, then:
    pkg_add wget
    wget -c https://raw.githubusercontent.com/YOUR_GITHUB_ACCOUNT_HERE/edgewalker/main/edgewalker.sh
    sh -e edgewalker.sh
    
  • The script will ask you for:
    • The DNS name of your OpenBSD machine.
    • To copy-paste your Let’s Encrypt account key in PEM format.
  • It will then obtain Let’s Encrypt certificates and generate a QR code that you can use to download the profile on your iDevice to set up the VPN.

Credits

  • The OpenBSD team, for making their wonderful security-focused OS.
  • Reyk Flöter for making OpenIKED, a breath of fresh air in the unnecessarily convoluted world of VPN software.
  • Jason A. Donenfeld for inventing WireGuard.
  • Let’s Encrypt, for making certificates cheap and easy.
  • Daniel Roesler for the fantastic Acme-Tiny.

Demo

I created a fresh OpenBSD 6.8 VM vpn42.majid.org on Vultr, and here is what the experience looks like:

Here is how to install the VPN on an iPhone:

Here is how to create a suitable VM on Vultr:

Canon Powershot Zoom review