icelancer a year ago

No RBAC is sad, though understandable. Wireguard is so much faster than OpenVPN. We use Wireguard for S2S but unfortunately need OpenVPN for our employees and contractors due to RBAC.

All posts and writeups we've found trying to shoehorn RBAC into Wireguard ultimately ends up with people saying "don't do this."

tptacek a year ago | parent | next [-]

The point of the WireGuard design is to be agnostic to "upper-layer" concerns like this; it's a fast (optionally) kernel-resident secure transport that you can build whatever you'd like on top of. WireGuard isn't about RBAC and doesn't have a "don't do RBAC" position.
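One way to picture the "build it on top" approach this comment describes, as an added example that is not any commenter's code: WireGuard's cryptokey routing pins each peer key to a tunnel source address via AllowedIPs, and a separate nftables forward policy decides which networks that address may reach per role. Roles, keys and addresses below are constructed placeholders.

```python
"""Generate WireGuard [Peer] blocks plus an nftables forward policy that enforces
role-based reachability above WireGuard. WireGuard itself only binds a public
key to a source IP (AllowedIPs); the role policy lives in the firewall.
All keys and addresses here are constructed placeholders."""
import ipaddress

# Role -> destination networks reachable through the tunnel (constructed).
ROLES = {
    "employee": ["10.0.0.0/8"],
    "contractor": ["10.20.5.0/24"],
}

# (public key placeholder, role, tunnel address) - constructed values.
PEERS = [
    ("PUBKEY_ALICE_PLACEHOLDER=", "employee", "10.100.0.2"),
    ("PUBKEY_BOB_PLACEHOLDER=", "contractor", "10.100.0.3"),
]

def wg_peer_sections(peers):
    """[Peer] blocks; AllowedIPs is a /32 so each key maps to exactly one source IP."""
    out = []
    for pubkey, role, addr in peers:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r} for peer {addr}")
        ipaddress.ip_address(addr)  # reject malformed addresses early
        out.append(f"[Peer]\n# role: {role}\nPublicKey = {pubkey}\nAllowedIPs = {addr}/32\n")
    return "\n".join(out)

def nft_rules(peers, iface="wg0"):
    """Forward chain with default drop; one explicit accept per (peer, role network)."""
    lines = ["table inet wgpolicy {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             # forwarding that did not enter via the tunnel is outside this policy
             f'    iifname != "{iface}" accept',
             "    ct state established,related accept"]
    for _pubkey, role, addr in peers:
        for dst in ROLES[role]:
            ipaddress.ip_network(dst)  # validate the role's network
            lines.append(f'    iifname "{iface}" ip saddr {addr} ip daddr {dst} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)

def allowed(peers, src, dst):
    """Policy oracle: would a new flow from tunnel address src to dst be accepted?"""
    for _pubkey, role, addr in peers:
        if addr == src:
            return any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in ROLES[role])
    return False  # unknown source: no peer is pinned to it, so nothing to accept

if __name__ == "__main__":
    print(wg_peer_sections(PEERS))
    print(nft_rules(PEERS))
```

The point of the split is that revoking a contractor's reach means editing the firewall role, while revoking the contractor means removing one [Peer] block; neither requires WireGuard to know what a role is.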

bogantech a year ago | parent [-]

> The point of the WireGuard design is to be agnostic to "upper-layer" concerns like this;

And there will probably never be any standard (non-commercial) "upper-layer" because of this.

The project prides itself on being much simpler than IPSEC etc., but that's easy when you leave out half of the functionality.

tptacek a year ago | parent [-]

That's a good thing. The higher up the stack you go, the less value there is in standardizing, and more painful the costs (of being constrained in implementation).

Also: it is much simpler than IPSEC. Pretty much everybody can get WireGuard working in minutes. It's approximately as easy as setting up SSH. That's simply not true of IPSEC.

Anyways, I think the jury is in on this one.

bogantech a year ago | parent [-]

> Pretty much everybody can get WireGuard working in minutes.

You can get anything working in minutes, even IPSEC, if you are using static keys with no authentication or authorization involved.

tptacek a year ago | parent [-]

If you've done it a bunch before. People coming to WireGuard cold can get it set up in minutes. That's why it won: because it's much, much simpler.

srockets a year ago | parent | prev | next [-]

There’s a very good implementation of Wireguard with RBAC. It’s called Tailscale.

a year ago | parent [-]

[deleted]

ahalimah a year ago | parent | prev | next [-]

I like Defguard for this https://defguard.net/

sintax a year ago | parent [-]

Not played with this yet, but https://github.com/firezone/firezone is another example.

gonzo a year ago | parent | prev [-]

Kernel WireGuard may be (and often is) faster than OpenVPN without DCO, but OpenVPN with DCO is often substantially faster than kernel WireGuard.

DCO is available for Linux, FreeBSD and Windows.