There's the private CA route but its a pain to setup the certs on all (mobile) devices and Android makes it very scary and hard.
Here's a list of supported providers: https://go-acme.github.io/lego/dns/
And in case you're curious, the API perms dance to do specific-record updates: https://github.com/armorfret/terraform-aws-r53-certbot/blob/...
“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”
RE: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
Tailscale is really targeting the business market, especially since their product is basically free for personal use. In a corporate environment, I imagine that the client logs are actually hugely valuable to the corporate customers themselves. It lets them see who is accessing what and is super critical when doing a post-mortem after a hack. (also no actual traffic content is logged)
But I still keep client logging disabled for my personal use.
There's an unmerged PR for the Android client: https://github.com/tailscale/tailscale-android/pull/695
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
It's almost as if these people are offended someone would not use tailscale. Do you also find stories about people hiking and comment "I just look up scenic locations on google"? Why would you think your +1 to the easy, commercial route is at all interesting to a forum literally having Hacker in the name?
But given both are in Go I would not expect RCEs to be common in either.
Some of my notes:
* I have multiple servers outside the LAN that have WG connections back to specific interior systems for things like metrics/log-shipping, monitoring, and backups. All of those are "point-to-point" (the cloud-hosted systems have multiple Peers for different internal systems). This means that they can only talk to the things I expect them to, w/o me needing to also handle that at the firewall level.
* The Wireguard Mac and iOS apps are very solid. I use them heavily on multiple devices, and they can be trained for OnDemand activation based on SSIDs. This means that when my phone tries to load my NVR dashboard, it uses Wireguard if I'm mobile and doesn't if I'm at home (which saves me a hop through the cloud hub). The iOS app is reliable enough that I set it up once on my partner's phone so they could access the cameras and then never had to think about it again.
* Because the only things you need to set up a peer link are shared pubkeys and to agree on IPs, wiring up my endpoints via Puppet was super smooth and adding/adjusting has likewise been smooth. My systems generate a keypair during setup, publish their public key where the other nodes can find it, and all I have to do is update the map of "hey, this server get this WG-internal IP, and this is who should link to it".
Appropriate netmasks in the routing tables do this regardless of physical interfaces. For example, if your local network has netmask 255.255.255.128, the local link is prioritised over the tunnel link which could have netmask 255.255.255.0, but you have to decide which nets/subnets are useful to you.
The goal is “I want my phone to always connect to a given hostname. When I’m on my home WiFi, that connection should be direct. When I’m not, that connection needs to bounce through the WireGuard tunnel”.
The target system isn’t even on the same subnet of my home LAN as my phone. So short of injecting custom routes, netmasks aren’t helping me at all. But even if they were, short of running split horizon DNS, I’d need my WireGuard subnet to be a superset of my home LAN, and for my home LAN to be a portion of that, and also my WireGuard subnet can’t conflict with whatever network I’m on. So I’ve now made a bunch of complex constraints and my home LAN is taking constraints from my remote access flow.
Or I just tell WireGuard to route the IP of the LAN-side system and to disable itself if I’m home.
Yes, it does require your local networks to be subnets of the VPN. If you can't control dhcp, then you can add static alias IPs to the local interfaces and thus have "another" local subnet for this purpose. In these cases, the wireguard link might need two addresses (AllowedIPs: 10.x.x.x/31) where one of them is configured on the local interface with the local subnet mask, the wireguard ip configured with the wider VPN mask.
Adding IP aliases doesn't seem to be possible on phones though ...
The access limits are better served by firewalls than limiting tunelling
So the big feature I need is any sort of gateway which works over port 80 or 443 natively - ideally at a subpath so it's easy put behind a reverse proxy.
However it's arranged generally rovust VPN requires being able to send TCP over a well known port - which Wireguard by default doesn't do.
So I'm currently looking for an Android VPN app which can multiplex via a long live lived TLS connection.
I still use wireguard for simple point to point tunnels into my datacenter rack but anything important I use Nebula.
I switched to Tailscale. It has an ample free tier for individuals and everything just works. It is really a good product.
I have some doubts about its capacity to scale, from a maintenance perspective. The interface is sometimes tiring (especially search) and some decisions are a bit counterintuitive. I, however, really hope they are doing fine because it is fantastic.
The Plan B is to host Headscale
I ask because using Wireguard for internal LAN connections is excessive in many (most?) situations. I get zero trust, but not trusting anything on your LAN introduces way too many operational hurdles and overhead.
It stops at the first IPv4 address it encounters, which means it'll go over an 464XLAT proxy instead of using a direct AAAA connection on networks like T-Mobile.
So far, I’m thinking of something like FRP to proxy incoming UDP from internet to the private network. I’m not sure if that works if only outgoing 443 is open at private network.
znpy•4mo ago
It’s so nice to edit openvpn configuration, maybe some ccd file, restart the openvpn server and see clients reconnect one by one and pick up new options (eg: nee routes etc)
slau•4mo ago
I’d rather use wireguard and get 800 mbit/s.
dpedu•4mo ago
shadowpho•4mo ago
akerl_•4mo ago
Thankfully we never had to try them for real to see how horribly that would have gone under real load.
shadowpho•4mo ago
magicalhippo•4mo ago
shadowpho•4mo ago
I was using either AES-256-GCM or AES-256-CBC.
It could also be default configs not set right. Brief google search tells me to tweak myriad of buffers and config options… Some saying without changing buffers they were limited to 100mbps for example. Lots said changing to udp/changing mtu/buffer/etc helped…
I agree with you that it should be fine/fast enough. That was my expectation too! However my testing in real life showed it not to be and it’s a common issue for openvpn. The easiest solution seems to be wire guard rather then tweaking random stuff with no idea what’s bottlenecks
akerl_•4mo ago
Wireguard is creating a series of point-to-point links with crypto that's basically impossible to mess up.
OpenVPN sets up a hub and spokes and has far more baggage carried around with it.
PunchyHamster•4mo ago