Testing "exotic" p2p VPN
18 points by cheese
I'm sharing a couple of Tailscale nodes with friends and it's been great.
I really like the ACL design and having something like "src autogroup:shared can access dst autogroup:internet" in the config, so that it's explicit to me where they only get internet access and not my ssh stuff (I trust them, but you know, just in case).
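To make the "explicit allow, default deny" point of that comment concrete, here is an added example (not code from the thread or from Tailscale) that evaluates a Tailscale-shaped ACL policy with a deliberately simplified matcher. The policy text, the node name `my-ssh-box` and the labels `autogroup:shared` / `autogroup:internet` are constructed for the example; Tailscale's real policy engine resolves groups, tags and exit-node routes in more detail than this.

```python
import json
from typing import Dict, Set

# Constructed policy in the shape of a Tailscale policy file (plain JSON here).
# Rule 1: full members can reach everything; rule 2: shared users only reach
# non-tailnet (exit node / internet) destinations. Anything not matched is denied.
POLICY_JSON = """
{
  "acls": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["*:*"]},
    {"action": "accept", "src": ["autogroup:shared"], "dst": ["autogroup:internet:*"]}
  ]
}
"""


def _split_dst(dst: str):
    """'host:ports' -> (host, ports); host may itself contain ':' (autogroup:internet)."""
    host, _, ports = dst.rpartition(":")
    return host, ports


def _port_matches(spec: str, port: int) -> bool:
    """Port spec is '*', a single port, a range 'lo-hi', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def is_allowed(policy: Dict, src_labels: Set[str], dst_labels: Set[str], port: int) -> bool:
    """Default deny: return True only if some 'accept' rule matches src, dst and port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if "*" not in rule["src"] and not (set(rule["src"]) & src_labels):
            continue
        for dst in rule["dst"]:
            host, ports = _split_dst(dst)
            if (host == "*" or host in dst_labels) and _port_matches(ports, port):
                return True
    return False


def check_policy(policy_json: str = POLICY_JSON) -> Dict[str, bool]:
    """Evaluate the three cases the comment cares about."""
    policy = json.loads(policy_json)
    friend = {"autogroup:shared"}
    owner = {"autogroup:member"}
    internet = {"autogroup:internet"}            # traffic leaving via an exit node
    ssh_box = {"my-ssh-box"}                      # constructed tailnet node name
    return {
        "friend_to_internet_443": is_allowed(policy, friend, internet, 443),
        "friend_to_ssh_box_22": is_allowed(policy, friend, ssh_box, 22),
        "owner_to_ssh_box_22": is_allowed(policy, owner, ssh_box, 22),
    }


if __name__ == "__main__":
    for case, allowed in check_policy().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The useful habit this shows is testing the policy for the access you intend to deny, not just the access you intend to grant: the `friend_to_ssh_box_22` case is the one that catches a rule that was written too broadly.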
I tried to get Tinc working for the purpose of playing games with a friend once and struggled with it.
Granted that was when I still used Windows at home. No idea how the experience differs on Linux.
I had used Tinc on EdgeRouter X to connect several layer 2 only PLC over a layer 3 network. Was quite easy to setup and worked flawlessly.
Tinc is nice for the auto-discovery part, but (AFAIK - haven't checked for 4 or 5 years) it was outdated cryptography-wise (from a quick check, their news page doesn't indicate any update on that part).
country that has blocked Wireguard by signatures
Does anyone know how this could work in practice? I suppose through some form of packet inspection, but technically?
The beginning of the handshake from the peer that initiates it is an easy signature to detect. Look at section 5.4.2 here. You're not going to get a lot of false positives from blocking that, and people that want to block it may well not care at all about that anyway.
The protocol makes no attempt to be stealthy. You'd need to layer it over something else for that.
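The comment above is right that the handshake initiation is easy to recognise from a single packet. As an added example (not from the thread), here is a small Python classifier of the kind a network operator would use to inventory WireGuard tunnels crossing their own network from captured UDP payloads. It relies only on the fixed message layout in the WireGuard whitepaper: a 1-byte type, three zero reserved bytes, and fixed lengths of 148, 92 and 64 bytes for the initiation, response and cookie reply; the sample records below are constructed, not real captures.

```python
from typing import Dict, List, Optional, Tuple

# Message types from the WireGuard whitepaper (section 5.4).
HANDSHAKE_INITIATION = 1
HANDSHAKE_RESPONSE = 2
COOKIE_REPLY = 3
TRANSPORT_DATA = 4

# Fixed on-the-wire sizes of the handshake-phase messages:
# initiation = 4 + 4 + 32 + 48 + 28 + 16 + 16 = 148 bytes, and so on.
FIXED_LEN: Dict[int, Tuple[int, str]] = {
    HANDSHAKE_INITIATION: (148, "handshake_initiation"),
    HANDSHAKE_RESPONSE: (92, "handshake_response"),
    COOKIE_REPLY: (64, "cookie_reply"),
}


def classify_wireguard(payload: bytes) -> Optional[str]:
    """Return a message label if the UDP payload has the shape of a WireGuard message."""
    if len(payload) < 4:
        return None
    msg_type = payload[0]
    # The three bytes after the type are reserved and always zero.
    if payload[1:4] != b"\x00\x00\x00":
        return None
    if msg_type in FIXED_LEN:
        size, label = FIXED_LEN[msg_type]
        return label if len(payload) == size else None
    if msg_type == TRANSPORT_DATA:
        # 16-byte header + plaintext padded to a multiple of 16 + 16-byte AEAD tag,
        # so the total is a multiple of 16 and at least 32 (an empty keepalive).
        if len(payload) >= 32 and len(payload) % 16 == 0:
            return "transport_data"
    return None


def find_tunnels(records: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str]]:
    """Report (src, dst) pairs that sent a handshake initiation, i.e. tunnel set-up."""
    seen = []
    for src, dst, payload in records:
        if classify_wireguard(payload) == "handshake_initiation" and (src, dst) not in seen:
            seen.append((src, dst))
    return seen


# Constructed sample payloads: only the header bytes matter to the classifier.
INIT = bytes([HANDSHAKE_INITIATION, 0, 0, 0]) + b"\x00" * 144     # 148 bytes
RESP = bytes([HANDSHAKE_RESPONSE, 0, 0, 0]) + b"\x00" * 88        # 92 bytes
KEEPALIVE = bytes([TRANSPORT_DATA, 0, 0, 0]) + b"\x00" * 28       # 32 bytes
DNS_LIKE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"    # not WireGuard

SAMPLE_RECORDS = [
    ("10.0.0.5:51820", "203.0.113.9:51820", INIT),
    ("203.0.113.9:51820", "10.0.0.5:51820", RESP),
    ("10.0.0.5:51820", "203.0.113.9:51820", KEEPALIVE),
    ("10.0.0.7:41000", "10.0.0.1:53", DNS_LIKE),
]

if __name__ == "__main__":
    for src, dst in find_tunnels(SAMPLE_RECORDS):
        print(f"WireGuard tunnel set-up: {src} -> {dst}")
```

This is deliberately conservative: it never decrypts anything and only matches the fixed header layout, so, as the comment says, false positives are rare. The flip side, also in the comment, is that any cover protocol layered over WireGuard defeats a header check like this entirely.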
We use zerotier at work and it works well, but I do have the same reservations as the author re: making a half-baked open source product.
In testing we could not get nebula to connect behind certain NAT situations, and we really need people to be able to connect wherever they might be located.
I had the same problem with Nebula. I ended up with headscale with tailscale clients for now. I'd prefer pure OSS, but I wasn't willing to work that hard after Nebula failed.
Instead of a normal CLI, you need to configure an internal sshd and connect via SSH to localhost. Maybe it's more secure, but it's utterly disgusting.
What do you need the sshd for? I've run nebula on my own infra for a while and never used the sshd interface to configure anything. Isn't that the point of the NixOS configuration?