[HN Gopher] VPNCloud: Open-source peer-to-peer VPN written in rust
___________________________________________________________________
VPNCloud: Open-source peer-to-peer VPN written in rust
Author : albatruss
Score : 173 points
Date : 2021-04-03 06:05 UTC (16 hours ago)
(HTM) web link (vpncloud.ddswd.de)
(TXT) w3m dump (vpncloud.ddswd.de)
| ranguna wrote:
| The problem with these kinds of things is that now I need to ask
| around for some IPs to connect to, as I see there's no automatic
| peer discovery. Sounds awesome nonetheless.
| dividuum wrote:
| > [..] as I see there's no automatic peer discovery.
|
| Actually there is, but it's not immediately obvious:
| https://vpncloud.ddswd.de/docs/beacons/
|
| It seems really simple to use as well: The linked
| implementation in PHP on
| https://vpncloud.ddswd.de/docs/beacons/php-service/ is only
| around 80 lines of code and extremely simple and due to the
| beacon design doesn't compromise the security of your setup if
| anything goes wrong.
| Galanwe wrote:
| What would automatic discovery even do? Add you to some
| worldwide IP overlay on top of internet? What would be the use
| of that?
|
| I did have a use case in the past for peer to peer VPNs, mainly
| because in the 2000s, most hosting companies would only provide
| you crappy VMs with a single public interface. If you needed
| some control over the network, subnets, etc, then you would
| need some kind of overlay. This, added with the fact that you
| would typically have dozens of heterogeneous boxes at different
| providers, made maintaining a traditional host to host ipsec
| full mesh nightmarish. I used n2n (a peer to peer VPN) to
| reconcile these various internet facing boxes in a single
| private IP network.
|
| Nowadays, cloud providers are much more evolved, and offer you
| full configuration of multiple public/private interfaces, so
| recreating subnets over public facing boxes is not really a
| concern, which is why IMHO peer to peer VPNs do not serve much
| purpose in 2021.
| mynameisvlad wrote:
| https://tailscale.com for instance will show all the peers on
| the network in the menu bar of the app.
| jsilence wrote:
| Great to have more Open Source options in this software segment!
| Some sort of configuration interface would be nice.
|
| Wondering whether there is a business opportunity in offering
| beacons as a service.
| njacobs5074 wrote:
| It is great, I totally agree. The fact that it's OSS is awesome
| even if just from a learning standpoint.
|
| Regarding your latter thought, it seems to me that if I'm
| running a service like this on my servers, I probably don't
| want to connect to unknown/untrusted peers. Open to use cases
| where that makes sense, though.
|
| [Edit] Just found the documentation on beacons that explains
| the trust model. So sounds like there is merit to your idea :)
| nh2 wrote:
| This looks like the much older Tinc VPN (https://www.tinc-vpn.org),
| but in Rust.
|
| It would be great to have a comparison between the two. I've been
| using Tinc for many years; it's been working quite well, but
| about once a year I get a segfault (and then it gets restarted).
| It might be appealing to reduce the chances of that via Rust.
|
| One commonality I found is that both are single-threaded.
|
| I believe I've also heard of the idea of a future version of Tinc
| potentially using Wireguard as the underlying transport, and
| building its meshing on top of it. I wonder if that's on the
| table for VPNCloud as well.
| GekkePrutser wrote:
| Yes I use tinc too. The only problem I have with it is that
| it's not very performant. For example video streaming through
| it always causes hiccups.
|
| There are other options I've looked at too: Zerotier (discounted
| it because it uses cloud-based configuration that's hard to
| self-host). And Nebula. The latter I still have to try.
|
| I have an added requirement of needing a mobile client too
| (which tinc now has) so I don't think VPNCloud will work for me
| :(
| mercora wrote:
| > For example video streaming through it always causes
| hiccups.
|
| This sounds weird to me. Either there are enough resources
| available to sustain the bandwidth requirements or not. This
| changes with time and usage of the machine but just as it
| does without tinc. Depending on the hardware used it should
| not be too hard to stream common videos with something like
| 20mbit at max...
|
| However, I just wanted to say; maybe you had MTU issues?
| Black101 wrote:
| I set up a Wireguard VPN on a Pi and it is very stable, not sure
| what a P2P VPN would add.
| mercora wrote:
| P2P here means it will form a mesh network which itself means
| every node in the network (your clients) tries to connect to
| each other as "directly" as they determined possible by some
| routing algorithm. This is in contrast to a hub and spoke
| model for example, where every node will connect to a central
| hub and communication between nodes needs to pass through that
| hub.
| Black101 wrote:
| I guess that would be most useful if you don't have any
| reliable 24/7 internet connection to install a PiVPN server
| on...
| [deleted]
| rkeene2 wrote:
| It's possible that a future version of tinc could use WireGuard
| as the data plane, but comes with a few drawbacks. See comment
| on this very thing: [0]
|
| [0] https://news.ycombinator.com/item?id=19304624
| ffk wrote:
| I think there is an inaccuracy in that comment. Double check
| this: WireGuard encapsulates L3 IP packets, not L2 Ethernet
| frames. This means ARP is handled locally instead of being
| transmitted over the wire (or the need for an arp responder)
| rkeene2 wrote:
| You are right, I wrote it backwards -- WireGuard supports
| only IP packets, not Ethernet frames while tinc supports
| both. The example that I gave of why Ethernet frames are more
| useful is correct, just the factual part is reversed.
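The L2-versus-L3 distinction in the exchange above can be made concrete by looking at what sits after the Ethernet header. The following is an added example, not code from VPNCloud, tinc or WireGuard: it builds two constructed frames (an ARP who-has broadcast and an IPv4 packet, with made-up MAC and 10.0.0.0/8 addresses), parses the Ethernet II header, and decides whether a layer-3 tunnel could carry the frame by stripping that header, or whether only a layer-2 tunnel would deliver it. The ARP case shows why an L3-only tunnel must resolve addresses locally.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

# Hypothetical addresses, constructed for this example only.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_BCAST = b"\xff" * 6
IP_A = bytes([10, 0, 0, 1])
IP_B = bytes([10, 0, 0, 42])


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Wrap a payload in a 14-byte Ethernet II header."""
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Minimal ARP 'who-has' payload (RFC 826 layout, 28 bytes)."""
    fixed = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
    return fixed + sender_mac + sender_ip + b"\x00" * 6 + target_ip


def ipv4_packet(src_ip: bytes, dst_ip: bytes, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options, checksum left at zero) followed by payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_ip, dst_ip)
    return header + payload


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into header fields and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"dst": frame[:6], "src": frame[6:12], "ethertype": ethertype, "payload": frame[14:]}


def classify_for_tunnel(frame: bytes) -> str:
    """'l3': the Ethernet header can be stripped and the IP packet sent as-is, which is
    all a layer-3 tunnel does. 'l2': there is no IP packet inside (ARP, or any other
    EtherType), so only a layer-2 tunnel that carries whole frames can deliver it."""
    hdr = parse_ethernet(frame)
    if hdr["ethertype"] in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        version = hdr["payload"][0] >> 4 if hdr["payload"] else 0
        expected = 4 if hdr["ethertype"] == ETHERTYPE_IPV4 else 6
        return "l3" if version == expected else "malformed"
    return "l2"


def l3_tunnel_payload(frame: bytes) -> bytes:
    """What a layer-3 tunnel would actually put on the wire: the IP packet only."""
    if classify_for_tunnel(frame) != "l3":
        raise ValueError("a layer-3 tunnel cannot carry a non-IP frame")
    return parse_ethernet(frame)["payload"]


# Constructed sample traffic.
ARP_FRAME = ethernet_frame(MAC_BCAST, MAC_A, ETHERTYPE_ARP, arp_request(MAC_A, IP_A, IP_B))
IP_FRAME = ethernet_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, ipv4_packet(IP_A, IP_B, b"hello"))

if __name__ == "__main__":
    for name, frame in (("ARP who-has", ARP_FRAME), ("IPv4/UDP", IP_FRAME)):
        print(f"{name}: {classify_for_tunnel(frame)}")
```

Running it prints `l2` for the ARP broadcast and `l3` for the IPv4 packet; an L3 tunnel sees only the 25-byte IP packet of the second frame and never sees the first one at all.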
| CloselyChunky wrote:
| IMO tinc is really awesome. I've been using it for years to
| connect my servers, laptops and desktops into a VPN.
|
| Including my RPI (running PiHole in my LAN) into the tinc VPN
| gave me an easy way to access my home network from anywhere in
| the world. One of my dedicated servers would automatically take
| care of routing the traffic and I can just `ssh foo@10.0.0.42`
| to connect to the RPI and be inside my home network.
|
| IIRC tinc implements some tricks like TCP/UDP hole punching. So
| best case I end up with an actual p2p connection between my
| remote device and home network after connecting via tinc.
| linsomniac wrote:
| IIRC ZeroTier borrowed the NAT hole punching code.
| rkeene2 wrote:
| Tinc is even more awesome than that -- if you are using it on
| the same LAN as other nodes on the VPN it will try to make
| sure traffic between those nodes stays on the same LAN (it
| has a special broadcast beacon it sends out to find these).
|
| It ALSO supports arbitrary commands for connecting, like
| ProxyCommand in OpenSSH so you can proxy through any kind of
| thing manually if you need to.
|
| Tinc is really awesome !
| ohmyblock wrote:
| I am a happy user of https://tailscale.com which I think solves
| the same problem
| meibo wrote:
| Why do they not support email + password signups?
|
| I'm not super averse to Google SSO but I would not tie my
| critical infrastructure to it in any way.
| GekkePrutser wrote:
| Yes I looked at that one also but it was an insta-dealbreaker
| for the same reason. There are many options around, luckily. So
| no need to go for something as compromised as this.
|
| Another dealbreaker for me is hosted configuration and access
| management. I want to be the only one managing it.
| _joel wrote:
| This is the reason why I've not used them, it's an instant
| turn-off needing to use Google SSO
| spockz wrote:
| They support GSuite and azure AD it appears. So it is not
| limited to just gmail. When you pay for GSuite I think it
| will be a bit less risky than when using their free gmail
| offering.
|
| Regardless, it would have been nice if you could use your own
| identity provider.
| jsilence wrote:
| Tailscale is not Open Source, no?
| huzaif wrote:
| They are: https://github.com/tailscale/tailscale
|
| A fair bit of the client code is also on the repo. Things
| like role based access control that require a backing store
| on tailscale side aren't open.
| eeZah7Ux wrote:
| No, that's only the client.
| tuananh wrote:
| the client is here https://github.com/tailscale/tailscale
| kenmacd wrote:
| Any advantages to this over https://www.zerotier.com/?
|
| Being p2p and using one PSK seems to make firewalling more
| difficult. ZeroTier's 'capability-based + tagging' rule engine is
| pretty amazing in that I can easily allow just one peer to
| connect on a port.
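To show what "allow just one peer to connect on a port" buys over a flat shared-key membership model, here is an added example (my own toy policy engine, not ZeroTier's rule engine and not anything from VPNCloud). It contrasts a one-PSK model, where every key holder can reach every other on any port, with per-peer rules: network-wide base rules plus named capabilities granted to individual peers, and tags that must match on both endpoints. Peer names, tags and the rules themselves are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src_peer: str
    dst_peer: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    src: Optional[Set[str]] = None     # None means any peer
    dst: Optional[Set[str]] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    same_tag: Optional[str] = None     # both endpoints must carry this tag with equal values

    def matches(self, flow: Flow, tags: Dict[str, Dict[str, str]]) -> bool:
        if self.src is not None and flow.src_peer not in self.src:
            return False
        if self.dst is not None and flow.dst_peer not in self.dst:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.same_tag is not None:
            a = tags.get(flow.src_peer, {}).get(self.same_tag)
            b = tags.get(flow.dst_peer, {}).get(self.same_tag)
            if a is None or a != b:
                return False
        return True


def shared_key_model(flow: Flow, key_holders: Set[str]) -> bool:
    """Flat model: anyone holding the one pre-shared key can reach anyone else on any port."""
    return flow.src_peer in key_holders and flow.dst_peer in key_holders


class PeerFirewall:
    """Per-peer policy: capabilities are named rule lists granted to specific peers and are
    evaluated before the network-wide base rules. First matching rule wins; default is drop."""

    def __init__(self, base_rules: List[Rule], capabilities: Dict[str, List[Rule]],
                 grants: Dict[str, Set[str]], tags: Dict[str, Dict[str, str]]):
        self.base_rules = base_rules
        self.capabilities = capabilities
        self.grants = grants
        self.tags = tags

    def allows(self, flow: Flow) -> bool:
        for cap_name in sorted(self.grants.get(flow.src_peer, set())):
            for rule in self.capabilities[cap_name]:
                if rule.matches(flow, self.tags):
                    return rule.action == "accept"
        for rule in self.base_rules:
            if rule.matches(flow, self.tags):
                return rule.action == "accept"
        return False


# Constructed sample policy: three hypothetical peers on two teams.
TAGS = {"alice": {"team": "dev"}, "bob": {"team": "dev"}, "ci-runner": {"team": "ci"}}
BASE_RULES = [
    Rule("accept", same_tag="team"),   # peers on the same team may talk freely
    Rule("drop"),                      # everything else is dropped
]
CAPABILITIES = {"ssh-to-bob": [Rule("accept", dst={"bob"}, proto="tcp", dport=22)]}
GRANTS = {"ci-runner": {"ssh-to-bob"}}   # only the CI runner gets the SSH capability
FW = PeerFirewall(BASE_RULES, CAPABILITIES, GRANTS, TAGS)

if __name__ == "__main__":
    for f in (Flow("alice", "bob", "tcp", 443), Flow("ci-runner", "bob", "tcp", 22),
              Flow("ci-runner", "bob", "tcp", 443)):
        print(f, "psk:", shared_key_model(f, set(TAGS)), "per-peer:", FW.allows(f))
```

With the shared key, the CI runner can reach bob on 443 just as easily as on 22; with per-peer rules, only the capability-scoped port 22 flow is accepted and everything else between the two teams is dropped.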
| ensignavenger wrote:
| VPNCloud is Open Source, which is a huge advantage for me.
| orev wrote:
| ZeroTier is also Open Source
| sneak wrote:
| No, it is not.
|
| It's only source available: it is licensed under the BSL
| which is not a free software license. Use of the term open
| source is not appropriate.
|
| A friend works there and tried to recruit me; I declined
| because of this sort of fake open source charlatan
| nonsense.
|
| The software in TFA (VPNCloud) is indeed free software/open
| source: it is licensed under the GPL, just like Linux.
| nh2 wrote:
| The downvotes of the parent are unjustified; the
| license's own text literally says:
|
| > The Business Source License (this document, or the
| "License") is not an Open Source license.
|
| https://github.com/zerotier/ZeroTierOne/blob/a7f652781faedfb...
| kenmacd wrote:
| It seems like a pretty good license to me. I just can't
| host it (same as GPLv3), but in a few years it switches
| to an even more free license.
|
| Is the concern simply that governments can only use it to
| help people?
| GekkePrutser wrote:
| I looked at it also but for me the concern was that all
| access management and configuration is done via their
| cloud. So they can easily add nodes to my VPN. This is an
| absolute dealbreaker for me.
|
| I know I can self-host even that top management layer (I
| think they called it "earth" or something). but they make
| that pretty complicated, probably on purpose.
|
| In the end I just wrote it off as something
| that has goals not aligned with mine. I'm going to look
| at Nebula (from Slack) soon. I use tinc at the moment but
| I wish it was more performant.
|
| There are many options in this arena now so there's no
| point in sticking with something that doesn't completely
| fit your needs.
| kenmacd wrote:
| > there's no point in sticking with something that
| doesn't completely fit your needs.
|
| True. The stateless firewall is rather important to me
| and I haven't found that in anything else (I'll keep an
| eye on Nebula).
| sneak wrote:
| The concern is the same as that with any other software
| license that restricts the freedoms of the world to build
| upon, adapt, and use the software for _any_ purpose.
|
| I'm not some free software zealot; I use macOS and the
| Creative Cloud and a bunch of other proprietary crap on a
| daily basis. I just don't pretend it respects my freedom.
| Nonfree licenses are like that.
|
| It's not like it "switches to even more free": it is
| presently _nonfree_.
| kenmacd wrote:
| > It's not like it "switches to even more free": it is
| presently nonfree.
|
| It's free for any use-case I'm concerned with. I can
| modify the source, self-host it, and run thousands of
| nodes through it if I want. All I can't do is take their
| work, slap my name on it, and sell it.
|
| If that was your intent then VPNCloud is even less free.
| The GPL3 license means you could never host a closed-source
| version.
| sneak wrote:
| That's false. The GPL allows for running a service with a
| closed source fork.
|
| It's the AGPL that prohibits this, which is why I
| consider the AGPL nonfree.
| hedora wrote:
| ZeroTier reverts to Apache after 4 years, and there's a
| GPL version from 2019.
|
| So, older versions are indeed open source, and new
| versions will eventually be so as well.
|
| What's your objection to the BSL? It seems like a great
| way to provide ongoing funding to open source, and
| guarantees popular commercially developed software won't
| end up as abandonware.
| ensignavenger wrote:
| There are several problems with it. The license prevents
| me from paying someone other than ZeroTier Inc. to
| host it for me, and provide related services. This
| is a business risk because ZeroTier Inc may have
| diverging business needs from me. They may even go
| bankrupt or be bought out by someone who abandons the
| product. This would mean I would have to host it myself
| (Until the version I need becomes Open Source), and I may
| not want to do that.
|
| It also makes it hard for a fork to develop traction, as
| a fork would have to start at a much older version that
| is Open Source, or the ecosystem would have to forgo the
| opportunity for third-party hosting services to support
| it.
|
| The freedom to fork is an essential freedom. Without it,
| I would not feel comfortable contributing to the project.
| Nor would I feel comfortable basing critical business
| infrastructure on it.
|
| Others may be fine with proprietary source-available
| software, and that is fine for them, but I strongly
| prefer Open Source for my needs, especially for core
| infrastructure.
| Anunayj wrote:
| zerotier runs into problems when two NATs are involved, this
| claims to not have any problems with that?
| dividuum wrote:
| Once you have two NATs, you can either try to punch holes
| (ZeroTier tries that), use UPnP (ZeroTier does - see below)
| or relay traffic using dedicated machines (ZeroTier does that
| as fallback). I successfully used ZeroTier to connect
| multiple devices behind NATs.
|
| VPNCloud seems to only do UDP hole punching and doesn't have
| the ability to relay via a third party. At least in theory,
| ZeroTier should handle cases that VPNCloud doesn't.
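The three options listed above (hole punching, UPnP, relay) depend on how the two NATs behave, and the "two NATs" trouble reported in this thread comes down to that. The following is an added simulation, written for this page and not taken from VPNCloud or ZeroTier: two toy NATs with RFC 4787-style mapping and filtering behaviour, a rendezvous server at a constructed TEST-NET address, and a simple UDP hole-punching exchange in which each peer sends to the other's server-observed endpoint and updates its target when a packet does get through. `connect()` falls back to a relay when punching fails, which is the decision a mesh VPN has to make per peer pair. The NAT kind names and all addresses are assumptions of the example.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Optional, Set, Tuple

Endpoint = Tuple[str, int]
RENDEZVOUS = ("198.51.100.1", 3478)   # constructed server address (TEST-NET-2)

# (mapping, filtering) per NAT kind; names follow common usage, behaviour follows RFC 4787.
NAT_KINDS = {
    "full_cone": ("independent", "none"),
    "restricted": ("independent", "address"),
    "port_restricted": ("independent", "address_port"),
    "symmetric": ("dependent", "address_port"),
}


@dataclass
class Nat:
    public_ip: str
    mapping: str     # "independent": one external port per internal socket; "dependent": new port per destination
    filtering: str   # "none", "address" or "address_port"
    ports: Iterator[int] = field(default_factory=lambda: count(40000))
    table: Dict[Tuple[Endpoint, Optional[Endpoint]], int] = field(default_factory=dict)
    allowed: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def outbound(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Translate an outgoing packet; remember the destination so replies can be filtered."""
        key = (internal, dest if self.mapping == "dependent" else None)
        port = self.table.setdefault(key, next(self.ports))
        self.allowed.setdefault(port, set()).add(dest)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, ext_port: int) -> bool:
        """Would a packet from src to our external port be let through?"""
        if ext_port not in self.allowed:
            return False
        if self.filtering == "none":
            return True
        if self.filtering == "address":
            return any(d[0] == src[0] for d in self.allowed[ext_port])
        return src in self.allowed[ext_port]


@dataclass
class Peer:
    name: str
    nat: Nat
    internal: Endpoint
    target: Optional[Endpoint] = None   # where we currently believe the other peer is reachable


def punch(a: Peer, b: Peer, rounds: int = 3) -> bool:
    """Simplified hole punching: learn reflexive endpoints via the rendezvous server, then
    both peers send to each other repeatedly. Success means each side received at least once."""
    a_pub = a.nat.outbound(a.internal, RENDEZVOUS)
    b_pub = b.nat.outbound(b.internal, RENDEZVOUS)
    a.target, b.target = b_pub, a_pub             # the server tells each peer the other's endpoint
    received = {a.name: False, b.name: False}
    for _ in range(rounds):
        for sender, receiver in ((a, b), (b, a)):
            src = sender.nat.outbound(sender.internal, sender.target)
            if receiver.nat.inbound(src, sender.target[1]):
                received[receiver.name] = True
                receiver.target = src             # learn the address the peer really appears from
    return all(received.values())


def simulate(kind_a: str, kind_b: str) -> str:
    """Build two peers behind NATs of the given kinds and report how they would be connected."""
    a = Peer("a", Nat("203.0.113.10", *NAT_KINDS[kind_a]), ("192.168.1.2", 5000))
    b = Peer("b", Nat("203.0.113.20", *NAT_KINDS[kind_b]), ("192.168.2.2", 5000))
    return "direct" if punch(a, b) else "relay"


if __name__ == "__main__":
    for pair in (("port_restricted", "port_restricted"), ("restricted", "symmetric"),
                 ("port_restricted", "symmetric"), ("symmetric", "symmetric")):
        print(pair, "->", simulate(*pair))
```

Two port-restricted cone NATs punch through on the second round; a restricted (address-only filtering) NAT facing a symmetric one succeeds only because the restricted side learns the symmetric NAT's real source port from the first packet that gets in; port-restricted against symmetric, and symmetric against symmetric, never connect in this simple scheme and need either UPnP on one side or a relay.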
| Anunayj wrote:
| I think zerotier does UPnP too (read somewhere), though I
| could not get zerotier to work reliably with 2 NATs. I'll
| try this and tell if I see any success with this.
| dividuum wrote:
| > I think zerotier does UPnP too
|
| I think you're correct. Thanks. My information was from
| an old blog post from 2014 [1] but they seem to have
| added support since then:
| https://github.com/zerotier/ZeroTierOne/commit/bf193dd3.
| Edited my post.
|
| [1] https://www.zerotier.com/2014/08/25/the-state-of-nat-
| travers...
| linsomniac wrote:
| I haven't experienced that. At home I currently have a Google
| WiFi in NAT mode behind a Nokia Fiber ONT also in NAT mode
| (eventually plan to switch to bridging mode after some
| networking reorganization).
|
| I haven't run into any ZeroTier issues in this config.
| heythere22 wrote:
| I'm running 4 hosts behind 4 different NATs in the same
| zerotier-virtual-network and never had any issues. By far the
| easiest way to accomplish connecting different hosts behind
| different NATs. No config whatsoever required!
| adamfisk wrote:
| Having two NATs is really the only case worth mentioning.
| Considering almost all internet traffic involves at least one
| NAT, if you can't handle a single NAT case, you've got
| issues!
| kenmacd wrote:
| I have ZeroTier running behind a variety of different NATs
| and haven't had any issues at all. It also seems to do a
| good job of having hosts on the same network talk directly
| over their private IPs.
| namibj wrote:
| Except almost no IPv6 traffic involves a NAT, and a
| significant chunk of internet traffic is using IPv6.
|
| Hence it's not possible for almost all to involve a NAT,
| even if all IPv4 traffic would.
| kenmacd wrote:
| Do you mean when one peer is behind multiple layers of NAT?
| If so that's not a situation I have myself, but I'll keep in
| mind.
|
| For regular nodes behind a single NAT I've personally found
| it worked remarkably well. Maybe I've been lucky on UPnP
| support with routers or something though.
| janandonly wrote:
| Basically a re-invention of the early 2000's Hamachi app? I think
| I might have used Hamachi once or twice to play a network version
| of Age of Empires over the internet long before this was a
| standard function in games :)
|
| I just Ducked for Hamachi VPN and it still exists, see
| https://vpn.net
| ivanstegic wrote:
| LogMeIn owned
| someperson wrote:
| Is that a bad thing?
| hedora wrote:
| Yeah; they slowly de-feature and increase the price of
| everything they acquire.
| Galanwe wrote:
| I believe Hamachi was mainly a level 2 VPN, perfect for
| transporting IPX, which was really mainstream for LAN games of
| the 90s.
|
| This seems to handle layer 2/3 since they mention support for
| TUN/Tap interfaces, but I guess 99% of people will just create
| IP tunnels, layer 2 is not the hot thing anymore.
|
| Also, Hamachi was not decentralized from what I remember.
|
| What is presented here reminds me a lot of n2n.
| GekkePrutser wrote:
| Some other apps in this category can also do layer 2, like
| tinc. It does layer 3 by default but you can switch it.
| Haemm0r wrote:
| What would you use for layer 2 transport today (specifically
| for playing old games)?
| skanga wrote:
| What platforms does it support? Linux, Mac, Windows?
| janandonly wrote:
| Different packages for Linux available... No Mac or Windows
| support as far as I can see :(
| GekkePrutser wrote:
| No mobile ones either :(
| guerby wrote:
| From github README:
|
| "Help with other platforms: If you are a Rust developer with
| experience on Windows or MacOS your help on porting VpnCloud to
| those platforms is very welcome."
| sneak wrote:
| https://github.com/dswd/vpncloud/blob/master/src/crypto/core...
|
| https://github.com/dswd/vpncloud/blob/master/src/crypto/comm...
|
| This implements a novel cryptosystem. Default to not trusting
| novel cryptosystems until you have sufficient reason to begin
| believing that they are trustworthy.
| lwhsiao wrote:
| Nice to see another one of these tools. Tonari also recently
| released innernet in this space, written in Rust as well:
|
| https://blog.tonari.no/introducing-innernet
| aloknnikhil wrote:
| There was some discussion on this here:
| https://news.ycombinator.com/item?id=26628285
| canada_dry wrote:
| This looks great!
|
| The "CIDR" peer grouping is bloody brilliant.
| unixhero wrote:
| Cool! Does this bring any benefits that WireGuard does not?
| robert_foss wrote:
| Yes, WireGuard is a point-to-point transport layer. VPNCloud
| includes a management layer above that, and for example deals
| with NATs, network management etc.
| [deleted]
| linsomniac wrote:
| It feels recently like we're living in a bit of a VPN
| renaissance. Wireguard, OpenVPN Cloud, ZeroTier, Tailscale,
| Pritunl, VPNCloud, Nebula.
|
| I've been playing with ZeroTier and liking it quite a lot.
| [deleted]
___________________________________________________________________
(page generated 2021-04-03 23:02 UTC)