[HN Gopher] Creating a VPN Gateway with a Unikernel Running Wire...
       ___________________________________________________________________
        
       Creating a VPN Gateway with a Unikernel Running WireGuard
        
       Author : eyberg
       Score  : 46 points
       Date   : 2021-08-30 17:39 UTC (5 hours ago)
        
 (HTM) web link (nanovms.com)
 (TXT) w3m dump (nanovms.com)
        
       | gizdan wrote:
       | Does anyone know of any full featured firewalls built on a
       | unikernel? Something like opnsense/pfsense but built on a
       | unikernel?
        
       | jvanderbot wrote:
       | Wireguard is so useful, and intuitive, and straightforward, and
       | easy to use, that I suspect it'll be as ubiquitous as TCP
       | someday. Not before a billion look-alike VPN apps or services pop
       | up, of course.
        
       | exabrial wrote:
       | > With a little bit of effort you can run a userspace WireGuard
       | on the Nanos unikernel, combining the security of WireGuard and
       | unikernels to make a secure VPN gateway
       | 
       | What a time to be alive... we can create a single purpose
       | operating system, to run under a hypervisor, to forward traffic
       | inside a NAT firewall, with patches applied that bypass the
       | separation of user-space configuration parsing and move them into
       | kernel functions.
        
         | chris37879 wrote:
         | It's just sandboxing taken to the extreme. The idea of
         | freestanding (meaning requiring nothing more than the hardware
         | to run) applications isn't anything new, in fact it's how all
         | old applications worked! And doing it this way gives you a lot
         | more control over the execution environment. Though, from a
         | certain point of view it's starting to look more and more like
        | we're just making an operating system whose components are
         | separated by IP address space instead of traces through
         | silicon.
        
       | mrkstu wrote:
        | I was just thinking of trying to do similar. The main thing I'd
        | deviate from in this configuration is using masquerading: for a
        | multiuser setup you'd want an IP pool and ARP for one address per
        | tunnel.
       | 
       | Trying to diagnose issues or track traffic per user becomes nigh
       | impossible transiting a PAT-NAT.
        
       | anonymousisme wrote:
       | Not directly related to the article, but I've been doing a lot of
       | interesting stuff with WireGuard for the past few years. I've
       | observed some odd behavior by some mobile service providers.
       | Right now I have two permanently deployed WireGuard VPNs using
       | terrestrial wireless carriers. One VPN uses AT&T Wireless while
        | the other uses T-Mobile. That AT&T VPN worked fine out of the box.
       | The T-Mobile VPN required some odd tweaks to MTU/MRU in order to
       | get it working. I found that the MTU on the mobile end needed to
       | be 1220 or less, and the MTU on the remote end needed to be 1380
       | or less. This took a while to debug.
        
         | mcspiff wrote:
          | I wonder if you're bumping into issues with T-Mobile's 464XLAT
          | (https://sites.google.com/site/tmoipv6/464xlat )?
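An added example (not from the article or from either commenter) of the encapsulation arithmetic behind the MTU tuning discussed above. The header sizes are protocol constants; the 464XLAT term is an assumption about the carrier path, namely that the handset's CLAT rewrites the IPv4 outer header into an IPv6 one and so adds 20 bytes to every packet on the wire.

```python
# Added example: WireGuard inner-MTU calculator (not the article's or the thread's code).
# Protocol constants for the outer encapsulation of a WireGuard transport packet.
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
# WireGuard transport data message: type(4) + receiver index(4) + counter(8) + Poly1305 tag(16).
# The inner packet is padded to a multiple of 16 but never beyond the interface MTU,
# so padding does not change the bound computed here.
WG_OVERHEAD = 16 + 16
# Assumption: stateless IPv4->IPv6 translation (464XLAT's CLAT) swaps a 20-byte
# IPv4 header for a 40-byte IPv6 header, growing each packet by 20 bytes.
XLAT_GROWTH = IPV6_HEADER - IPV4_HEADER


def wg_overhead(outer_ipv6: bool, via_464xlat: bool = False) -> int:
    """Bytes added to every inner packet once it is on the wire."""
    outer = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    # Translation only applies when the endpoint socket is IPv4 on an IPv6-only carrier.
    extra = XLAT_GROWTH if (via_464xlat and not outer_ipv6) else 0
    return outer + UDP_HEADER + WG_OVERHEAD + extra


def inner_mtu(path_mtu: int, outer_ipv6: bool, via_464xlat: bool = False) -> int:
    """Largest inner packet that fits in one outer packet on a path of path_mtu bytes."""
    mtu = path_mtu - wg_overhead(outer_ipv6, via_464xlat)
    if mtu <= 0:
        raise ValueError("path MTU too small to carry any WireGuard payload")
    return mtu


def fits(inner_setting: int, path_mtu: int, outer_ipv6: bool, via_464xlat: bool = False) -> bool:
    """True when an interface MTU of inner_setting never produces outer packets above path_mtu."""
    return inner_setting + wg_overhead(outer_ipv6, via_464xlat) <= path_mtu


if __name__ == "__main__":
    # wg-quick's default of 1420 is exactly a 1500-byte path with an IPv6 outer header.
    print("1500-byte path, IPv6 outer:", inner_mtu(1500, outer_ipv6=True))
    # IPv6-minimum 1280-byte path with an IPv4 endpoint socket, with and without a CLAT in the way.
    for xlat in (False, True):
        print("1280-byte path, IPv4 outer, 464XLAT =", xlat,
              "->", inner_mtu(1280, outer_ipv6=False, via_464xlat=xlat))
```

Note that 1280 - 60 = 1220, the mobile-end figure reported above, is what an IPv4 endpoint on an IPv6-minimum path gives before the CLAT's extra 20 bytes are counted; counting them gives 1200.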
        
       ___________________________________________________________________
       (page generated 2021-08-30 23:01 UTC)