icelancer 7 months ago

No RBAC is sad, though understandable. Wireguard is so much faster than OpenVPN. We use Wireguard for S2S but unfortunately need OpenVPN for our employees and contractors due to RBAC.

All posts and writeups we've found trying to shoehorn RBAC into Wireguard ultimately ends up with people saying "don't do this."

tptacek 7 months ago | parent | next [-]

The point of the WireGuard design is to be agnostic to "upper-layer" concerns like this; it's a fast (optionally) kernel-resident secure transport that you can build whatever you'd like on top of. WireGuard isn't about RBAC and doesn't have a "don't do RBAC" position.
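As an added illustration of the point above (example code, not from the thread or the WireGuard project): WireGuard's cryptokey routing binds each peer key to a tunnel address via a strict /32 in AllowedIPs, and a separate policy layer, here nftables rules generated from a role map, performs the authorization. Peer keys, addresses and roles are constructed placeholders.

```python
"""Role-based access layered on WireGuard: per-peer /32 addresses plus
generated nftables forward rules. All keys, addresses and roles below are
constructed placeholders, not real values."""
import ipaddress

# Constructed policy: role -> (destination CIDR, TCP port) pairs it may reach
ROLES = {
    "employee":   [("10.0.1.0/24", 443), ("10.0.2.10/32", 5432)],
    "contractor": [("10.0.1.20/32", 443)],
}
# Constructed peer table: public key -> (role, tunnel address as /32)
PEERS = {
    "PLACEHOLDER_PUBKEY_ALICE=": ("employee",   "10.8.0.2/32"),
    "PLACEHOLDER_PUBKEY_BOB=":   ("contractor", "10.8.0.3/32"),
}

def wg_peer_sections(peers):
    """Server-side [Peer] sections. A strict /32 is what ties the key to one
    source address: WireGuard drops a decrypted packet whose inner source
    address lies outside the sending peer's AllowedIPs (cryptokey routing)."""
    out = []
    for key, (role, addr) in peers.items():
        if ipaddress.ip_network(addr).prefixlen != 32:
            raise ValueError(f"peer {key}: AllowedIPs must be a /32, got {addr}")
        out.append(f"[Peer]\n# role: {role}\nPublicKey = {key}\nAllowedIPs = {addr}")
    return "\n\n".join(out)

def nft_rules(peers, roles, iface="wg0"):
    """nftables forward-chain rules: one accept per permitted
    (peer address, destination, port), then a default drop for the tunnel."""
    rules = []
    for _key, (role, addr) in peers.items():
        for dst, port in roles[role]:
            rules.append(f'iifname "{iface}" ip saddr {addr} ip daddr {dst} '
                         f"tcp dport {port} accept")
    rules.append(f'iifname "{iface}" drop')
    return rules

def is_allowed(peers, roles, src_ip, dst_ip, port):
    """Policy check mirroring the generated rules: first matching peer
    decides, unknown source addresses are denied."""
    for _key, (role, addr) in peers.items():
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(addr):
            return any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(d)
                       and port == p for d, p in roles[role])
    return False
```

The WireGuard side only guarantees that traffic from 10.8.0.3 really came from the holder of that key; what 10.8.0.3 may reach is entirely the firewall policy's decision, which is the "build whatever you'd like on top" separation.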

bogantech 7 months ago | parent [-]

> The point of the WireGuard design is to be agnostic to "upper-layer" concerns like this;

And there will probably never be any standard (non-commercial) "upper-layer" because of this.

The project prides itself on being much simpler than IPSEC etc. but that's easy when you leave out half of the functionality.

tptacek 7 months ago | parent [-]

That's a good thing. The higher up the stack you go, the less value there is in standardizing, and the more painful the costs (of being constrained in implementation).

Also: it is much simpler than IPSEC. Pretty much everybody can get WireGuard working in minutes. It's approximately as easy as setting up SSH. That's simply not true of IPSEC.

Anyways, I think the jury is in on this one.

bogantech 7 months ago | parent [-]

> Pretty much everybody can get WireGuard working in minutes.

You can get anything working in minutes, even IPSEC if you are using static keys with no authentication or authorization involved.

tptacek 7 months ago | parent [-]

If you've done it a bunch before. People coming to WireGuard cold can get it set up in minutes. That's why it won: because it's much, much simpler.

srockets 7 months ago | parent | prev | next [-]

There’s a very good implementation of Wireguard with RBAC. It’s called Tailscale.

ahalimah 7 months ago | parent | prev | next [-]

I like Defguard for this https://defguard.net/

sintax 7 months ago | parent [-]

Not played with this yet, but https://github.com/firezone/firezone is another example.

gonzo 7 months ago | parent | prev [-]

Kernel WireGuard may be (and often is) faster than OpenVPN without DCO, but OpenVPN with DCO is often substantially faster than kernel WireGuard.

DCO is available for Linux, FreeBSD and Windows.