Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
icelancer 16 hours ago

No RBAC is sad, though understandable. Wireguard is so much faster than OpenVPN. We use Wireguard for S2S but unfortunately need OpenVPN for our employees and contractors due to RBAC.

All posts and writeups we've found trying to shoehorn RBAC into Wireguard ultimately ends up with people saying "don't do this."

tptacek 11 hours ago | parent | next [-]

The point of the WireGuard design is to be agnostic to "upper-layer" concerns like this; it's a fast (optionally) kernel-resident secure transport that you can build whatever you'd like on top of. WireGuard isn't about RBAC and doesn't have a "don't do RBAC" position.

bogantech 8 hours ago | parent [-]

> The point of the WireGuard design is to be agnostic to "upper-layer" concerns like this;

And there will probably never be any standard (non-commercial) "upper-layer" because of this.

The project prides itself on being much simpler than IPSEC etc but that's easy when you leave out half of the functionality

tptacek 8 hours ago | parent [-]

That's a good thing. The higher up the stack you go, the less value there is in standardizing, and more painful the costs (of being constrained in implementation).

Also: it is much simpler than IPSEC. Pretty much everybody can get WireGuard working in minutes. It's approximately as easy as setting up SSH. That's simply not true of IPSEC.

Anyways, I think the jury is in on this one.

srockets 15 hours ago | parent | prev | next [-]

There’s a very good implementation of Wireguard with RBAC. It’s called Tailscale.

13 hours ago | parent [-]
[deleted]
gonzo 15 hours ago | parent | prev | next [-]

Kernel wirguard may be (and often is) faster than OpenVPN without DCO, but OpenVPN with DCO is oftent substantially faster than kernel WireGuard.

DCO is available for Linux, FreeBSD and Windows.

ahalimah 10 hours ago | parent | prev [-]

I like Defguard for this https://defguard.net/

sintax 7 hours ago | parent [-]

Not played with this yet, but https://github.com/firezone/firezone is another example.