[ $davids.sh ] - David Shekunts' blog

๐ŸŒ Masterpiece in the realm of self-hosted distributed VPN ๐ŸŒ

# [ $davids.sh ] · message #278

๐ŸŒ Masterpiece in the realm of self-hosted distributed VPN ๐ŸŒ

tailscale.com + headscale.net

An exquisite technology if you want (1) your own resilient, fast and convenient VPN or (2) a private network for your infrastructure. More details in the comments.

#vpn #security #devops

  • @ [ $davids.sh ] · # 1796

    Advantages:

    • You use the clients from tailscale.com and deploy the main node on the open-source headscale.net
    • Fault tolerance (you can set up multiple exit nodes)
    • Installation and configuration in a couple of commands (so there's nothing to talk about)
    • Automatic DNS (access to all nodes)
    • ACLs and SSO
    • Integration with Docker containers (to manage traffic in other containers)
    • Opening access to subnets outside tailscale
    • And all of this on WireGuard

    Disadvantages:

    • You need to dig into ACLs to set everything up properly
    • No native integration with K8s
    • There is no (or I haven't found an) "out-of-the-box" way to proxy all traffic from a machine; you'll have to dig into iptables a bit
    • You'll have to stick a broomstick 15 centimeters up your ass to connect the UI, but overall it's survivable
    • It's not pure WireGuard, so direct integration with it isn't entirely possible (or rather, Tailscale claims such an option exists, but I can't say about headscale)

    Similar projects include ZeroTier and NetBird; has anyone tried them?
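
The ACL point above is where most of the setup effort goes, so here is an added example (not code from the post, from Tailscale or from Headscale) of what a Headscale-style policy looks like and how its rules are evaluated. The policy dict mirrors the keys of the HuJSON policy file Headscale loads (groups, tagOwners, hosts, acls); the users, tags, hosts, node names and IPs are constructed for illustration. The evaluator is my own minimal reimplementation of the semantics as I understand them: rules are accept-only, anything not explicitly accepted is denied, a tagged node is identified by its tags rather than by the user who registered it, and a destination outside the tailnet (a subnet route) matches only an address or `*` selector. It does not model `autogroup:internet` (exit-node traffic) or IPv6.

```python
import ipaddress
from typing import Set, Tuple

# Constructed Headscale-style policy. The real file is HuJSON with the same
# keys; users, tags and hosts here are illustrative, not from the post.
# Rules are accept-only: anything no rule accepts is denied.
POLICY = {
    "groups": {
        "group:admins": ["alice"],
        "group:devs": ["bob", "carol"],
    },
    "tagOwners": {
        "tag:web": ["group:admins"],
        "tag:db": ["group:admins"],
    },
    "hosts": {
        "office-lan": "10.10.0.0/24",  # reached through a subnet router
    },
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:devs"], "dst": ["tag:web:22,443"]},
        {"action": "accept", "src": ["tag:web"], "dst": ["tag:db:5432"]},
        {"action": "accept", "src": ["group:devs"], "dst": ["office-lan:*"]},
    ],
}

# Constructed node inventory: node name -> (owning user, tags, tailnet IPv4).
NODES = {
    "alice-laptop": ("alice", set(), "100.64.0.1"),
    "bob-laptop": ("bob", set(), "100.64.0.2"),
    "web1": ("alice", {"tag:web"}, "100.64.0.10"),
    "db1": ("alice", {"tag:db"}, "100.64.0.20"),
}


def _identities(node: str) -> Set[str]:
    """Selectors a node satisfies. A tagged node is identified by its tags
    only: it does not inherit the rights of the user who registered it."""
    user, tags, ip = NODES[node]
    ids = {"*", ip}
    if tags:
        ids |= tags
    else:
        ids.add(user)
        ids |= {g for g, members in POLICY["groups"].items() if user in members}
    return ids


def _in_cidr(selector: str, ip: str) -> bool:
    """True if selector is a host alias, IP or CIDR that contains ip."""
    try:
        net = ipaddress.ip_network(POLICY["hosts"].get(selector, selector), strict=False)
    except ValueError:  # selector is a user/group/tag/'*', not an address
        return False
    return ipaddress.ip_address(ip) in net


def _src_matches(selector: str, node: str) -> bool:
    return selector in _identities(node) or _in_cidr(selector, NODES[node][2])


def _dst_matches(selector: str, dst_ip: str) -> bool:
    node = next((n for n, (_, _, ip) in NODES.items() if ip == dst_ip), None)
    if node is not None and selector in _identities(node):
        return True
    # Non-tailnet IPs (subnet routes) match only '*' or an address selector.
    return selector == "*" or _in_cidr(selector, dst_ip)


def _port_matches(spec: str, port: int) -> bool:
    """spec is '*', one port, a comma list, or a lo-hi range ('8000-8100')."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _split_dst(dst: str) -> Tuple[str, str]:
    target, _, ports = dst.rpartition(":")  # 'tag:web:22,443' -> ('tag:web', '22,443')
    return target, ports


def allowed(src_node: str, dst_ip: str, port: int) -> bool:
    """Default deny: the flow is permitted only if some accept rule covers it."""
    for rule in POLICY["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_src_matches(s, src_node) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            target, ports = _split_dst(dst)
            if _dst_matches(target, dst_ip) and _port_matches(ports, port):
                return True
    return False


if __name__ == "__main__":
    checks = [
        ("bob-laptop", "100.64.0.10", 443),   # dev -> web: accept
        ("bob-laptop", "100.64.0.20", 5432),  # dev -> db: deny
        ("web1", "100.64.0.20", 5432),        # web -> db: accept via tag
        ("web1", "100.64.0.1", 22),           # tagged web1 is not admin alice: deny
        ("bob-laptop", "10.10.0.5", 3389),    # dev -> office LAN via subnet router: accept
    ]
    for src, dst, port in checks:
        print(f"{src} -> {dst}:{port}: {'ACCEPT' if allowed(src, dst, port) else 'DENY'}")
```

The check worth keeping from this is the fourth one: `web1` was registered by the admin user but carries `tag:web`, so it can reach only what `tag:web` is granted (the database on 5432), not everything the admin group can. Tagging servers this way is how you keep a compromised web host from inheriting a human's admin reach, and it is exactly the kind of case to verify against the real policy with `tailscale status`/`tailscale ping` from the node in question before trusting it.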

  • @ [ $davids.sh ] · # 1797

    One thing I misspoke about: the control plane in Headscale is indeed a single instance, so its failure will block configuration updates (though existing clients will keep working).

    Of course, it's quite simple to move it to another machine if backups are configured, but still, I wouldn't call it absolutely fault-tolerant.

  • @ Vova hardvair smartvend ๐Ÿ›๏ธ๐Ÿ’ป ยท # 1798

    This may well work at the backbone level, but WireGuard is cut off by operators in Russia.

  • @ [ $davids.sh ] · # 1799

    Ah, you're right about that... Yes, it probably won't work then, because Tailscale is on pure WireGuard.

  • @ Ivan ITK 🚫 · # 1800

    We've been using NetBird for two years now, and it's been smooth sailing. There were some moments due to active development, but they fix things quickly.

  • @ Ivan ITK 🚫 · # 1801

    In the Russian Federation and China, NetBird works excellently on the same WireGuard setup. OpenVPN was previously blocked.

  • @ Vova hardvair smartvend ๐Ÿ›๏ธ๐Ÿ’ป ยท # 1802

    In a data center or on a developer's machine? I can't connect to the WireGuard server over my links; everything is cut off.

  • @ Ivan ITK 🚫 · # 1803

    IoT devices in China, Israel and the Russian Federation; offices and remote employees in the Russian Federation; data centers in Russia, Germany and Finland: all in one network with ACLs, and it works perfectly.

  • @ Ivan ITK 🚫 · # 1804

    What's missing now (though it seems feasible with the networks feature; I haven't gotten around to testing it yet) is setting up peering so that traffic is routed within Russia and the exit to the rest of the world goes purely through Finland. There have been cases where specific IPs are blocked and new VPSs are unreachable from Russia; it's generally a gamble with IPs.

  • @ Valeriy ITK 🚀 · # 1805

    ZeroTier is used in some places; it launches in 5 seconds, but the overall transfer speed is so-so, significantly lower than WireGuard's.

  • @ [ $davids.sh ] · # 1806

    Do you mean the transfer speed for regular data or for a video stream?

  • @ Valeriy ITK 🚀 · # 1807

    For any data, yes

    For constant sending/receiving of anything, it's better to choose something faster, but if you just need SSH access, it's extremely good and there will be no problems at that level, of course.

    We use it to establish a connection to the server as quickly as possible (really fast) and as a backup connection for important servers, in case of an apocalypse with our VPN servers.