tomjen3 10 months ago

I had hoped that this included a way to configure wireguard to get clients from some other place: It would be really nifty if you could configure it to read from LDAP or similar.

Jnr 10 months ago | parent | next

Tailscale (also using wireguard for transport) and similar overlay networks kind of do that.

With Tailscale there is a central server, you can sign in with single-sign-on, that server enables automatic mesh configuration and helps nodes communicate specifics for port knocking, routing, dns, etc. And there are derp servers (think of them like TURN servers) that can be used as proxies when direct communication can't be established.

Altogether this is easier to set up than Wireguard, but the central server is not open source (but there is Headscale, an open source implementation), and it is not as well supported on routers (it is supported on OpenWRT though and probably can be set up using containers on Mikrotik).

irunmyownemail 10 months ago | parent

With Wireguard I own or control everything. Why would I surrender any of that to Tailscale?

Jnr 10 months ago | parent

Would be great if someone made something with the polish of Tailscale and made it completely free and open source, but I don't think it is happening any time soon. Wireguard itself has been an unbelievably great gift to the whole IT ecosystem and Jason will forever be cemented in my hall of fame.

But he did intend for Wireguard to be used in all sorts of solutions and Tailscale is one of them.

Tailscale apps themselves are open source for open source platforms (linux, android) and the 3rd party management server Headscale is open source, enabling you to maintain control.

rudasn 10 months ago | parent | prev | next

Yeah, that's the biggest pain point I think. Syncing configs once changes are made (new peers, new access rules, pre-shared key rotation etc).

It's one of the reasons I'm working on wirehub[0], as a way to distribute configs to both end users (share a link) and machines (have a script to periodically pull from wirehub).

Not the perfect solution, but one that does not require additional clients/agents/software to be installed.

[0] https://wirehub.org

feurio 10 months ago | parent

I've built a proof-of-concept WireGuard VPN for work (SSO with mTLD portal/OIDC, BGP/WG tunnels to link edge servers into the network) and the team love it - better than the Cisco VPN they'd have to use otherwise.

Only problem is the config - I'd love a simple alternate WG app (for macOS/Windows) that could pull a config from a remote endpoint (checking signing) and bring up a WG tunnel with the config presented.

I've written a Golang client which shows up in the macOS menu bar and handles all this, but it's using the Brew WireGuard command line tools and needs sudo, etc., etc., so it's not really suitable for the average user.

rudasn 10 months ago | parent

There are quite a few open source wg clients out there, maybe you can get some ideas from those. Defguard, netbird come to mind.

I just want to avoid all that custom client stuff.

I don't have a solution, but I was experimenting on having a unique network url that would show different content depending on whether you're hitting it via the wireguard connection or not. Pretty basic stuff, just firewall rules and nginx proxying. Add the (hub) endpoint to client's AllowedIPs and route traffic on the hub depending on the network interface and port the traffic is coming from.

So the client would connect to the wg network and open up the network page (e.g. home.rudasn.wirehub.org).

If the connection is established, they would see a welcome message or whatever (if they need to update their config maybe a link to get their new one).

If the connection is not via the wg tunnel, they would see a message to first connect to the wireguard vpn. And if it's their first time, directions on how to install the official client and get their config from their admin (via wirehub.org or whatnot).

It's nice to have that automated via a custom client, but I don't think it's such a huge issue - if you would only update configs for client devices sporadically and have the server peers polling for updates every x seconds.

The downside of custom client apps is another security layer to consider, which nobody has the time for.
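
The pull-and-verify step feurio describes and the periodic polling rudasn mentions share one check worth getting right: nothing fetched from the hub should reach `wg syncconf` until its tag has been verified and the contents pass a sanity policy. The example below is added here and is not code from either commenter or from wirehub; it assumes an HMAC tag with a secret provisioned at enrollment stands in for the signature, that the overlay prefix is 10.20.0.0/24, and that a served config must never carry the client's PrivateKey (all sample values are constructed).

```python
import hashlib
import hmac
import ipaddress

# Constructed samples: secret shared with the hub at enrollment, overlay prefix, a served config.
ENROLL_SECRET = b"constructed-enrollment-secret"
OVERLAY = ipaddress.ip_network("10.20.0.0/24")
SAMPLE_CONFIG = """\
[Interface]

[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.20.0.0/24
Endpoint = hub.example.org:51820
"""

def sign(body: bytes, secret: bytes) -> str:
    # Tag the hub attaches to a served config; HMAC stands in for a real signature here.
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def parse(text: str) -> list:
    # Minimal INI reader: wg configs repeat [Peer], so configparser does not fit.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
        elif line:
            raise ValueError(f"malformed line: {raw!r}")
    return sections

def check_policy(sections: list) -> list:
    # Reasons to refuse a config even when its tag is valid.
    problems = []
    for name, kv in sections:
        if name == "Interface" and "PrivateKey" in kv:
            problems.append("hub must never ship the client's PrivateKey")
        for cidr in filter(None, kv.get("AllowedIPs", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != OVERLAY.version or not net.subnet_of(OVERLAY):
                problems.append(f"AllowedIPs {cidr} is outside the overlay")
    return problems

def vet(body: bytes, tag: str, secret: bytes) -> list:  # empty list: safe to apply
    if not hmac.compare_digest(sign(body, secret), tag):  # constant-time compare
        return ["tag mismatch: altered in transit or signed with another secret"]
    return check_policy(parse(body.decode()))
```

A polling script would call `vet()` on each fetched body and only then run `wg syncconf` with it; a rejected config leaves the running tunnel untouched.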

tumdum_ 10 months ago | parent | prev

NordVPN meshnet is just like that.