The refusal to use a control plane tells me the author would probably enjoy openvpn much more than vanilla wireguard.
It’s so nice to edit openvpn configuration, maybe some ccd file, restart the openvpn server and see clients reconnect one by one and pick up new options (eg: nee routes etc)
An issue with his remote setup is that the remote VPS decrypts packets from the remote laptop, then re-encrypts them for the LAN — this means that the remote VPS can see the plaintext of all those packets. He’ll need to layer TLS or something similar, or run Wireguard over Wireguard.
It's almost as if these people are offended someone would not use tailscale. Do you also find stories about people hiking and comment "I just look up scenic locations on google"? Why would you think your +1 to the easy, commercial route is at all interesting to a forum literally having Hacker in the name?
Or you can setup Yggdrasil by installing it on each machine and adding a few public volunteer peers to the configuration. My own summary of WireGuard->Nebula->Yggdrasil journey: https://news.ycombinator.com/item?id=43967082
I run a similar setup. I didn't end up going for a full router-side hub inside the LAN, to avoid extra hops for things when they're inside the network.
Some of my notes:
* I have multiple servers outside the LAN that have WG connections back to specific interior systems for things like metrics/log-shipping, monitoring, and backups. All of those are "point-to-point" (the cloud-hosted systems have multiple Peers for different internal systems). This means that they can only talk to the things I expect them to, w/o me needing to also handle that at the firewall level.
* The Wireguard Mac and iOS apps are very solid. I use them heavily on multiple devices, and they can be trained for OnDemand activation based on SSIDs. This means that when my phone tries to load my NVR dashboard, it uses Wireguard if I'm mobile and doesn't if I'm at home (which saves me a hop through the cloud hub). The iOS app is reliable enough that I set it up once on my partner's phone so they could access the cameras and then never had to think about it again.
* Because the only things you need to set up a peer link are shared pubkeys and to agree on IPs, wiring up my endpoints via Puppet was super smooth and adding/adjusting has likewise been smooth. My systems generate a keypair during setup, publish their public key where the other nodes can find it, and all I have to do is update the map of "hey, this server get this WG-internal IP, and this is who should link to it".
> it uses Wireguard if I'm mobile and doesn't if I'm at home (which saves me a hop through the cloud hub)
Appropriate netmasks in the routing tables do this regardless of physical interfaces. For example, if your local network has netmask 255.255.255.128, the local link is prioritised over the tunnel link which could have netmask 255.255.255.0, but you have to decide which nets/subnets are useful to you.
I did the p2p between any sensible nodes in my network then added routing layer via BGP so any node can "see" any other node regardless of underlying mesh.
The access limits are better served by firewalls than limiting tunelling
My solution to this is a pair of udp ports relayed to each other on a VPS via socat. Then you can point a home WireGuard server (behind cgnat etc) at one, and clients at the other, with no need to trust the vps
Having been travelling just now with Wireguard as my primary VPN the main thing I noticed is it's completely unusable on airport wifi.
So the big feature I need is any sort of gateway which works over port 80 or 443 natively - ideally at a subpath so it's easy put behind a reverse proxy.
FWIW I found using one wireguard interface/instance too restrictive. The problem is that wireguard is an L3 interface that has its own internal IP routing table, so only one node can serve as a default (horizon) route for the instance. So for my setup, on each node I have a separate wg interface for every peer node. Every packet that goes into a given interface is destined to come out to the one peer on the other side.
I use defined.net (managed Nebula) for my homelab and side project overlay networks, and it works great. They have a very generous free tier and I automate enrollment with a set of systemd units that I wrote. Configuration is very easy and the Nebula android app does what I need so I can access everything over my phone. A few friends use wg-easy to manage their wireguard setups, and they sing its praise.
I still use wireguard for simple point to point tunnels into my datacenter rack but anything important I use Nebula.
I used to run a similar setup. It was nice, but had to be maintained, and remote access is not exactly the thing I would like to see breaking.
I switched to Tailscale. It has an ample free tier for individuals and everything just works. It is really a good product.
I have some doubts about its capacity to scale, from a maintenance perspective. The interface is sometimes tiring (especially search) and some decisions are a bit counterintuitive. I, however, really hope they are doing fine because it is fantastic.
I ask because using Wireguard for internal LAN connections is excessive in many (most?) situations. I get zero trust, but not trusting anything on your LAN introduces way too many operational hurdles and overhead.
Remember that the iOS iPhone app does not handle domain names with an A and AAAA correctly.
It stops at the first IPv4 address it encounters, which means it'll go over an 464XLAT proxy instead of using a direct AAAA connection on networks like T-Mobile.
Is there an easy setup so that this could be done with VPS relaying the traffic but not decrypting it?
So far, I’m thinking of something like FRP to proxy incoming UDP from internet to the private network. I’m not sure if that works if only outgoing 443 is open at private network.
18 comments
[ 2.9 ms ] story [ 37.4 ms ] threadIt’s so nice to edit openvpn configuration, maybe some ccd file, restart the openvpn server and see clients reconnect one by one and pick up new options (eg: nee routes etc)
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
It's almost as if these people are offended someone would not use tailscale. Do you also find stories about people hiking and comment "I just look up scenic locations on google"? Why would you think your +1 to the easy, commercial route is at all interesting to a forum literally having Hacker in the name?
Some of my notes:
* I have multiple servers outside the LAN that have WG connections back to specific interior systems for things like metrics/log-shipping, monitoring, and backups. All of those are "point-to-point" (the cloud-hosted systems have multiple Peers for different internal systems). This means that they can only talk to the things I expect them to, w/o me needing to also handle that at the firewall level.
* The Wireguard Mac and iOS apps are very solid. I use them heavily on multiple devices, and they can be trained for OnDemand activation based on SSIDs. This means that when my phone tries to load my NVR dashboard, it uses Wireguard if I'm mobile and doesn't if I'm at home (which saves me a hop through the cloud hub). The iOS app is reliable enough that I set it up once on my partner's phone so they could access the cameras and then never had to think about it again.
* Because the only things you need to set up a peer link are shared pubkeys and to agree on IPs, wiring up my endpoints via Puppet was super smooth and adding/adjusting has likewise been smooth. My systems generate a keypair during setup, publish their public key where the other nodes can find it, and all I have to do is update the map of "hey, this server get this WG-internal IP, and this is who should link to it".
Appropriate netmasks in the routing tables do this regardless of physical interfaces. For example, if your local network has netmask 255.255.255.128, the local link is prioritised over the tunnel link which could have netmask 255.255.255.0, but you have to decide which nets/subnets are useful to you.
The access limits are better served by firewalls than limiting tunelling
So the big feature I need is any sort of gateway which works over port 80 or 443 natively - ideally at a subpath so it's easy put behind a reverse proxy.
I still use wireguard for simple point to point tunnels into my datacenter rack but anything important I use Nebula.
https://github.com/quickvm/defined-systemd-units
I switched to Tailscale. It has an ample free tier for individuals and everything just works. It is really a good product.
I have some doubts about its capacity to scale, from a maintenance perspective. The interface is sometimes tiring (especially search) and some decisions are a bit counterintuitive. I, however, really hope they are doing fine because it is fantastic.
The Plan B is to host Headscale
I ask because using Wireguard for internal LAN connections is excessive in many (most?) situations. I get zero trust, but not trusting anything on your LAN introduces way too many operational hurdles and overhead.
It stops at the first IPv4 address it encounters, which means it'll go over an 464XLAT proxy instead of using a direct AAAA connection on networks like T-Mobile.
So far, I’m thinking of something like FRP to proxy incoming UDP from internet to the private network. I’m not sure if that works if only outgoing 443 is open at private network.