Show HN: A WireGuard Powered Remote Shell (github.com)
Time to announce Noisy Sockets Shell, the first in a series of WireGuard powered applications I'm working on. Noisy Sockets Shell is an SSH replacement that uses WireGuard for authentication and encryption, and WebSockets for communication.
CLI and browser client available.
86 comments
[ 4.5 ms ] story [ 199 ms ] threadThat’s what I do currently with some of my hosts.
.. but that doesn't gain all that much tbh.if anything the only hesitation I'd have on listening to * and relying on firewall rules is if the service comes up before its configured. but exposing sshd isn't even that bad
https://www.freedesktop.org/software/systemd/man/latest/syst...
SSH can sometimes authenticate intent, like Yubikey touch.
Using wireguard for authentication is a mistake. The category of mistake is usually referred to as ambient authority, often exploited via a confused deputy.
In one sense, this is no different than adding a public key to ~/ssh/authorized_keys.
If you control the key, you control the authentication.
> I heard that ssh is kinda of an unnecessary step
What makes SSH different is the encrypting part. The keys were only introduced to be used by the encryption algorithms. Users and multiple identities were a core detail of nixes much before SSH
I said that even rsh would do because will can ignore all the weird outdated stuff and just login with an user and password, same as a local login. In that case telnet would also work.
However, I truly believe that cryptographic keys are way superior to passwords. And going back to them would be a huge step back
The flow I've seen is "Wireguard server has its listening port open. Clients (with all ports closed) connect to the server on its open port."
After that, all connections can still happen. Server -> client, client -> server.
> NAT Traversal: The NAT entry created by the client's outgoing connection allows the server to send packets back to the client.
> VPN Tunnel: The established VPN tunnel enables bidirectional communication, allowing the server to reach the client without the client needing an open port.
It’s clunky to distribute and rotate ssh keys, but much easier to do that with WireGuard credentials.
The shell implementation is already under the MPL-2.0 and worth a look at for anyone who's interested https://github.com/noisysockets/shell
A 4-year-old version of security-critical software. You understand why this is less than compelling?
Maybe, but we don't know until we hire a lawyer to check it out. And we don't.
On the other hand, I don't think you can afford a lawyer to defend your bespoke license either.
In either case, the license is meaningless.
How would an adversary do this without the private key?
Wireguard uses ChaCha20Poly1305, an AEAD scheme. The first A stands for Authenticated.
Authentication just means proving who or what you are. Secret keys, whether they be passwords or encryption keys, are one of the primary ways to do this. Just because the key is also used for something else in addition to, or as part of, that process doesn't change it from being authentication.
This has some really interesting use cases (like not having to use HTTPS to get a bidirectional secure communication channel... not being limited by firewalls... not requiring an OS to upgrade its tcp/ip stack...). Normally I'm a pessimist but I kinda like this thing (the library, not the remote shell). Just needs a less clunky way to discover and route to services, a simpler way to configure a connection to the remote host, and extensible authentication/authorization (public keys pose management problems and don't fit some use cases).
That custom license may stop people from using the remote shell. Luckily the library is just MPL 2.0
[1] https://noiseprotocol.org/noise.html#introduction [2] https://github.com/noisysockets/noisysockets
The fundamental thesis behind noisy sockets is, "What if your network endpoints were processes instead of machines?"
And as you say bypassing the host networking stack actually brings a lot of benefits (eg. avoiding those VPN leak shenanigans), it's actually interesting when you squint enough it begins to even look vaguely something like QUIC (in that you have multiple encapsulated streams/channels/sockets going over UDP with their own congestion control).
Peer discovery and NAT traversal are next on my list. I'm going to implement a kind of userspace lighthouse peer that will advertise peer endpoints to the network. I'm still trying to think about how I will deal with TURN/DERP. I suspect I'll tunnel WireGuard over WebSockets and just have each peer listen on UDP/TCP. Maybe one day that will allow even an in browser peer with WASM (which I'm sure someone will find an interesting use case for).
Also on the list is fine grained authentication/authorization (interestingly netstack has an iptables implementation), some of it will be opensource and some of it will be source available (sorry for the SSO tax).
I would also suggest looking at ZeroMQ if you haven't yet; their design & implementation is really fantastic. They implement the bare bones in the library, and then you can go implement your own components with it for whatever architectural topology you want. So for example, you could make a closed-source paid product of a connection broker using the library, and somebody else could make one for free as open-source. Both have their use-cases, and they're both compatible with all the other apps in the ecosystem. This benefits you as it legitimizes the product and grows the ecosystem, and encourages more use due to its flexibility
Some kind of paid connection broker / app platform actually sounds like a solid way to build a sustainable business out of something like this.
I'm trying to avoid the tailscale model of having to lock up the control plane.
Since QUIC exists, most people (including virtually all client-side apps) will just use that. But QUIC is still TLS and HTTP, which is unnecessary for a lot of use cases and adds complexity. I think if you created developer-friendly tooling/libraries/servers/etc that were dead-stupid-simple, people would use that over TLS/HTTP, for anything other than a web browser. Android apps and tunneling applications might use it on the client side, and MQTT would be a great use case on the backend.
The one thing I think would be a stumbling block to the simplicity is the use of public keys. It's just super clunky compared to basic username/password or PSK auth. I don't have any suggestions here, I know Wireguard is pretty much wedded to public keys, but anything you can do to eliminate the many problems/limitations with public keys would help drive adoption.
I think you can lock up the control plane if you want for an implementation, but keep the interfaces loosely coupled and part of an open standard with the library having simple hooks for everything. That way those that have some money and just need a fix now, will pay for your thing, and those that can't will write their own implementation and grow the ecosystem which you can then market off of.
Like, Terraform could have been a closed-source tool, but the fact that anyone can write a provider means Hashi didn't have to write them all, and as more providers and modules were written, the tool cemented itself ever more as indispensable. (Which pisses me the hell off because Terraform sucks so bad, but it was a good business strategy heh)
Last thought: I would also quietly advertise the library as as "TCP evolved" or something similar, because that's how I see this. Assuming you deal with NAT, I would absolutely use a protocol like this over TCP by default for all my applications. QUIC was almost there but the TLS and HTTP is so unnecessary for 99% of applications.
A great use case in the enterprise is wrapping old but mission critical systems that don't support modern encryption or authn requirements with WireGuard. SSH is a demo for that use case- there's a lot of proprietary TCP data protocols out there in the legacy enterprise world!
Right now it doesn't support a multi-user daemon mode, kind of similar to mosh. But in the future because the server is able to cryptographically verify the source of connections, it's only a matter of time until I implement something akin to a per user `~/ssh/authorized_keys`.
With noisysockets I'm effectively building out a suite of WireGuard powered "apps". Which are small, unprivileged, programs you can attach to a WireGuard network and will act as virtual peers.
It seems like it could do some of the same usecases.
One thing it does have in common with mosh, is excellent roaming support. And the other major selling point is that the remote shell protocol is browser compatible. No need for things like "Shell In A Box".
You can use timing of packages send to e.g. extract passwords.
(hence why SSH clients normally take additional precautions)
The custom license is a pretty basic derivative of the FSL-1.1 with MPL-2.0 instead of Apache (for a weak copyleft), I think I might keep the custom license in place (I'll make the very minimal changes from the stock FSL-1.1 clear).
But adding an AGPLv3 license for those with ambiguity concerns is totally okay with me (it's ultimately more restrictive than the source available license in a lot of ways).
Thank you for the great suggestion.
But you don't have to trust me, the AGPLv3 starts immediately.
I'll update the source headers in the following days.
Thanks!