[HN Gopher] Show HN: Onetun - Access your WireGuard network from...
       ___________________________________________________________________
        
       Show HN: Onetun - Access your WireGuard network from anywhere
        
       Author : momothereal
       Score  : 57 points
       Date   : 2021-10-16 01:47 UTC (2 days ago)
        
        
       | toomuchtodo wrote:
       | Thanks for building this, very cool. Like UPnP for your wireguard
       | network.
        
       | johnklos wrote:
       | Curious - why an extra program when ssh already does this? (ssh
       | -J, -g, -R, -L, et cetera)
        
         | momothereal wrote:
         | There's a few drawbacks to SSH tunneling:
         | 
         | - SSH uses TCP for transport, and tunneling TCP-over-TCP has
         | considerable performance issues:
         | http://sites.inka.de/~bigred/devel/tcp-tcp.html
         | 
         | - SSH doesn't support tunneling UDP out of the box (you need to
         | either wrap UDP with TCP, or use SSH's -w option for creating a
         | TUN interface, which requires root access).
         | 
         | WireGuard being a very simple UDP protocol has its advantages
         | for things like this. The downside is you can't use onetun with
         | the same private-key/assigned IP on multiple devices, since WG
         | only supports 1 UDP endpoint per peer at a time.
         | 
          | Note: my tool doesn't support UDP in its current state, but
         | there's no technical reason it shouldn't be feasible (unlike
         | SSH). I have a draft PR for it right now.
        
       | philsnow wrote:
       | The name cries out for an icon derived from a 'won ton'
        | (Americans usually pronounce it wahn tawn but the canto
       | pronunciation is exactly like 'one tun').
       | 
       | https://www.google.com/search?q=won%20ton&tbm=isch&tbs=itp:c...
        
         | momothereal wrote:
          | Yup, it's a play on words with "won ton" and "one tun[nel]" ;)
         | 
         | I have some illustrator and designer friends, I'll see if they
         | want to cook up something!
        
       | momothereal wrote:
       | Hey everyone, I wrote this tool because I wanted to be able to
       | access ports running on peers in my WireGuard network from any
       | computer/server; without having to install WireGuard locally and
       | without having root access (no iptables configs).
       | 
       | So as long as you have a private key & peer IP dedicated for your
       | roaming needs, you'll be able to forward a local port to a port
       | on a secured peer.
       | 
       | This can be useful for a few other use-cases, like exposing
       | services to the Internet from a separate server that doesn't have
       | root access (like a non-privileged container).
       | 
       | I've also gotten feedback to enable reverse-tunneling (making a
       | port accessible on a peer that forwards to a port running
       | locally), which enables a few more use-cases. I'm looking for any
       | more ideas or feedback that would fit in this tool!
       | 
       | I've described how the internals work in the README. It's still a
       | proof-of-concept right now but I listed my little roadmap in the
       | issues: reverse-tunneling, UDP support, multi-port-forwarding,
       | etc. Happy to answer any questions.
        
       | ignoramous wrote:
       | A note: wireguard-go (the official userspace impl in golang) can
       | do this since several months back. It uses gVisor's netstack as a
       | tcp/udp provider to forward connections to its peer (compared to
       | whitequark's smoltcp in case of onetun).
       | 
       | Here's a demonstration of both a http-client and a http-server
       | running over wireguard (a poor man's QUIC, if you will):
       | https://github.com/WireGuard/wireguard-go/tree/master/tun/ne...
       | 
       | fly.io wrote about such a setup not long ago too:
       | https://news.ycombinator.com/item?id=26315695
       | 
       | And tailscale.com similarly uses wireguard with netstack to impl
       | functionality unavailable on non-Linux/xBSD platforms:
       | https://news.ycombinator.com/item?id=28261683
        
         | tptacek wrote:
         | Can I just put another word in for how bananas this is?
          | WireGuard and Netstack allow you to run an entire TCP/IP stack
          | in your userland program with no cooperation from your kernel.
          | You get an interface to write raw packets (as an unprivileged
         | user) _and_ the whole TCP, integrated into the standard Go
         | networking code. It is very, very cool to play with.
        
           | momothereal wrote:
           | Yup! This is how onetun works as well (but
           | :%s/Netstack/smoltcp/g in Rust)
        
           | dave78 wrote:
           | This reminds me a lot of lwIP[0] and uIP[1]. I did some
           | projects 15 years ago with lwIP where we were able to work
           | around a very lossy wireless network link when controlling
           | PTZ cameras by building what was essentially a proxy with
           | lwIP that allowed us to do some hack-ish things like
           | transmitting 2 copies of all TCP packets immediately to
           | increase resiliency. As I recall it exposed the BSD socket
           | API so it was shockingly easy to relink a project to use lwIP
           | instead of the host OS. All that was needed then on the other
           | end was hooking up lwIP to a raw network interface.
           | 
            | [0] https://savannah.nongnu.org/projects/lwip/
            | [1] https://en.wikipedia.org/wiki/UIP_(micro_IP)
        
         | momothereal wrote:
         | Thanks for the links, I'll have to take some inspiration from
         | wireguard-go!
        
       ___________________________________________________________________
       (page generated 2021-10-18 23:01 UTC)