Testing "Exotic" P2P VPN

https://blog.nommy.moe/blog/exotic-mesh-vpn/
38•todsacerdoti•1h ago

Comments

jasonjayr•36m ago
FWIW; Tinc has been my workhorse between my various cloud providers, some on prem remote access for a few offices I consult with, and my home + workstations.

I keep telling myself I should switch it to a wireguard mesh, but the configuration of tinc + the "right defaults" make it pretty neat. It's fun to watch as you roll out a configuration to one node in the mesh, and ping times drop suddenly once it can make a direct connection with the optimal route.

I keep my provisioning script + the public keys in git; so deploying it to a new machine is a git pull, generate key, push public key, and pull on the other nodes. I have about 17+ hosts on it; not using it for very high bandwidth, but I couldn't do what I do without it.

HumanOstrich•3m ago
Tinc sounds pretty awesome, but based on the repo activity and a post from the author[1], it looks to be unmaintained.

[1]: https://github.com/gsliepen/tinc/issues/443#issuecomment-184...

coppsilgold•32m ago
Sometimes you don't need a P2P VPN, but rather a P2P stream manager (e.g. BitTorrent).

A somewhat nice solution for that is Iroh (QUIC P2P w/ hole punching): https://www.iroh.computer

They also provide a solution to discoverability: https://www.iroh.computer/docs/concepts/discovery

Which boils down to storing ECC signed arbitrary data on the mainline DHT.

Two showcase Iroh utilities that are actually useful in practice:

https://github.com/n0-computer/dumbpipe

https://github.com/n0-computer/sendme

ValdikSS•27m ago
There used to be many p2p vpn (full mesh) solutions, which disappeared into obscurity.

Social VPN, Remobo, NeoRouter, GBridge, Wippien, PeerVPN. Remember any of these?

Just checked — none of the domains are working.

mrbluecoat•23m ago
Yep, lots of VPN options: https://gist.github.com/mrbluecoat/e725474483dbd81b6195bd3b9...

I'll need to add EasyTier - https://github.com/EasyTier/EasyTier

Imustaskforhelp•14m ago
Hey amazing post. I have a really interesting project which I want to share which I really obsess about which is called piping server.

https://github.com/nwtgck/piping-server

I really think of ways on how I can use this which seems an amazing almost uncensorable-ish tech on how to connect two PCs. Like sometimes my brain just thinks "pipes (piping server) just for email". It's a bit of an obsession...

Something like a VPN could theoretically be created where the piping server well "pipes" it in an encrypted manner through internet.

I would love to create something like this just for the funzies but what I am more interested about is the transport layer.

Like I want something which can be independent of UDP or whatever and the only thing I am worried about is how I will transport them to the other PC and then I can then let's say send them over piping server, send them over Matrix or Signal if need be too idk.

Are there any FOSS projects that can help me just hook up into things in a similar manner as to what I am asking?

I want an implementation independent-ish transport layer so that I can experiment with things which I can just pipe if I can be really really honest.

I also want more people to look into it as I sometimes use piping-server as a way of transporting files between podman containers even though it's a bit slow just to try it out and honestly, just having the fun of installing curl and then being ready to go makes it so much easier to transport files out of the box... and I want to experiment more with it, it's been an obsession for almost a year on and off thinking about piping servers and how elegant they are. I used them of sorts to break an intel NAT once, but since then we got some better options if somebody wants to know how to break any NATs without any root without any emulation but maybe I want to create a blog post about it someday but I am lazy.

ignoramous•9m ago
> And Amnezia VPN has made their own fork of Wireguard, specifically for breaking through government censorship. But the main problem with obfuscation is the reduction of effective packet MTU

The "obfuscation" in Amnezia's fork does not shrink the available MTU (important for QUIC as it requires a minimum MTU of 1280 while WireGuard itself needs +80 bytes or so for route encapsulation). Amnezia's fork modifies the 4 WireGuard header values (which must be pre-agreed between peers) & occasionally appends (to handshake packets) or sends randomly generated "junk" data.

c0balt•7m ago
> And also Nebula's interface is absolutely shit. Instead of a normal CLI, you need to configure an internal sshd and connect via SSH to localhost. Maybe it's more secure, but it's utterly disgusting.

This seems to be a strong misunderstanding? The ssh interface is for debugging only. You can disable it and configuration is solely handled by the daemon configuration file.

I operate a small (few dozen hosts) network on Nebula with mostly NixOS hosts, so I have some applicable experience. Nebula was primarily chosen because it allows me to, among other things, assign fixed prefixes to hosts and have a full declarative config.

The CA approach is also an important part here as all your peers effectively have the CA cert in their config file and use it to verify other peers. The CA signs a cert for each host that contains the IP prefixes that a peer may handle packets for.

You don't configure a host via a CLI, instead you provide it a signed cert for the privkey + CA cert + private key + lighthouses and that's it. The daemon listens on the IPs from the cert and the lighthouses offer a public exchange where peers advertise their IPs (and associated endpoints for p2p).
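The setup described in the comment above, sketched as a Nebula host configuration file. This is an added example, not part of the comment and not taken from the Nebula project; the overlay range, host name, lighthouse hostname, group name and file paths are constructed placeholders.

```yaml
# Constructed example: overlay range 10.42.0.0/24, lighthouse at 10.42.0.1.
# lighthouse.example.org, "web1", "admins" and all paths are placeholders.
#
# The host certificate is signed by the CA, which fixes the overlay address
# this host may use (nebula-cert 1.x syntax):
#   nebula-cert sign -name "web1" -ip "10.42.0.5/24"

pki:
  ca: /etc/nebula/ca.crt      # CA certificate, used to verify every peer's cert
  cert: /etc/nebula/web1.crt  # this host's CA-signed cert (name + overlay IP)
  key: /etc/nebula/web1.key   # this host's private key, stays on the machine

# Underlay endpoint of the lighthouse, keyed by its overlay IP.
static_host_map:
  "10.42.0.1": ["lighthouse.example.org:4242"]

lighthouse:
  am_lighthouse: false
  hosts:
    - "10.42.0.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

# Debug-only SSH console; configuration does not depend on it.
sshd:
  enabled: false

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    # Allowed only for peers whose CA-signed cert carries the group "admins".
    - port: 443
      proto: tcp
      group: admins
```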

Jnr•3m ago
I am not sure I understand why Headscale was excluded. As far as I know, it is made by people not related to Tailscale.

It would be like complaining Vaultwarden is bad because the Bitwarden project is not fully open source even though Vaultwarden is fully open source and has most of the features implemented.

And Headscale kind of ticks all the other boxes mentioned, except "not headscale", because:

* p2p mesh network - it is a mesh network. And even when mesh is blocked, you can use multiple relay servers (derp) which will relay to the mesh from closest location. And you can host your own derp servers.

* Open source and selfhosted - check

* Not Wireguard (Signature-based blocking) - in cases where wireguard is blocked, the derp relay servers run over https and are usually not blocked based on signatures. For example, I use it with Traefik proxy in TCP mode so I could run derp and other http services on the same 443 port and it works great. So - check?

* Packaged in nixpkgs - check

On top of that, if you add Headplane admin UI you get nice graphical management, very similar to the one of Tailscale.
