I have been using Tailscale personally on all my machines and it's really cool.
Thanks for creating an OSS version of it!
Request to HN folks:
I can set up a basic home network, but I want to really learn networking (setting up subnets, understanding CIDR, etc.). Where should I start?
I found interactive CIDR visualization tools like https://cidr.xyz/ to be very helpful in understanding the notation.
I also end up using https://gitlab.com/ipcalc/ipcalc a lot, and am definitely planning on similarly making it easier in the terminal to manage and visualize the CIDRs in innernet networks. I'm hoping innernet can become a fun way to learn networking in a safe (and cheap) virtual environment.
I cannot wait to start using this as it looks like it will make VPNs a heck of a lot easier to manage. Here are my two questions:
1. Is it possible to use the same subnet on different innernets?
2. Could you please provide installation instructions for generic Linux, as I am looking to host on AlmaLinux and openSUSE Leap, neither of which use dpkg.
> 2. Could you please provide installation instructions for generic Linux, as I am looking to host on AlmaLinux and openSUSE Leap, neither of which use dpkg.
Our Arch PKGBUILD (https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=inner...) may be the simplest existing guide for making your own package for your distro. If it's not a lot of work to add, I'm happy to maintain other package formats, or help you be a maintainer.
Thanks! Looking forward to hearing how it goes for you.
Regarding 1.: no. AllowedIPs in the WireGuard world have a double meaning:
* I expect anything coming from that peer to have an IP address in AllowedIPs
* I know that a peer's AllowedIPs can only be reached through that specific peer
Also, RFC 1918 lists 2^24 + 2^20 + 2^16 = 17 million IPs (10/8, 172.16/12 and 192.168/16). You should normally not have an issue finding networks that don't overlap.
Also, using the same net on different interfaces would probably confuse your server. Maybe if you do some magic with VRFs you could. (And it doesn't mean you should)
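As an added example (not innernet's or WireGuard's own code), the two meanings simulated in Python over a constructed three-peer config: the cryptokey routing table maps each prefix to exactly one peer, inbound packets are checked against the sending peer's prefixes, and outbound packets go to the peer owning the longest matching prefix. Peer names and addresses are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed sample config: one WireGuard interface, three peers.
PEERS = {
    "laptop":  ["10.42.0.2/32"],
    "office":  ["10.42.0.3/32", "192.168.50.0/24"],  # office also routes its LAN
    "gateway": ["0.0.0.0/0"],                        # default route via this peer
}

def build_table(peers):
    """Cryptokey routing table: prefix -> owning peer. A prefix has exactly one
    owner, so assigning it to a second peer is reported as a conflict."""
    table, conflicts = {}, []
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            net = ip_network(cidr)
            if net in table and table[net] != peer:
                conflicts.append((str(net), table[net], peer))
            table[net] = peer
    return table, conflicts

def accept_inbound(table, peer, src):
    """Meaning 1: a packet decrypted from `peer` is dropped unless its source
    address is covered by one of that peer's prefixes (anti-spoofing)."""
    addr = ip_address(src)
    return any(addr in net and owner == peer for net, owner in table.items())

def route_outbound(table, dst):
    """Meaning 2: the peer owning the longest prefix covering `dst` gets the
    packet; None means no peer covers it and WireGuard would drop it."""
    addr = ip_address(dst)
    matches = [(net.prefixlen, owner) for net, owner in table.items() if addr in net]
    return max(matches)[1] if matches else None
```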
How does one update an oldschool web admin page to interact with this model?
For example, suppose Kermpany had already been up and running for a while with a standard Django website running behind Cloudflare with an admin page at example.com/admin/.
Now the things in the blog post have happened, and Kermpany wants to make sure that only machines on the "humans" CIDR can connect to the routes hosted at example.com/admin/.
What happens next? Does the admin tool move to a new domain?
The manual WireGuard solution I know of is to add the example.com IP to the list of AllowedIPs, so the WireGuard interface gets used for all requests from the local machine to example.com, and then restrict the /admin/ route in nginx to just the WireGuard server's IP. But that takes a lot of bookkeeping and I feel like I'm missing something.
I don't think there's another way than the two ways you've already described.
IMO, moving the admin tool to a separate domain (and server!) would be the best option here in terms of security. That way, there are clear boundaries and fewer attack vectors and you also don't need to do as much bookkeeping.
Somewhat unrelated but in case anyone from tonari.no is reading this: I've been following your project for some time[0] and would love to know more about it! Please please update your blog more frequently and maybe even upload some demo videos! :)
This is amazing! I've been thinking of writing a system for managing a wireguard network in rust for quite a while now but I'm still happy this popped up. Perhaps it would be nice to expand it into a bigger ecosystem with UI based interfaces for different platforms.
Could someone help me out? I understand how Wireguard and Tailscale work. But I don’t understand the various ways they could be used for personal and business use cases apart from a workaround for geoblocking. Could people currently using Tailscale chime in?
My personal use case for tailscale is to connect my home PC, MacBook Air, Raspberry pi, iPhone, iPad and my VPS into a single network without running a VPN server.
The best part is that you don’t have to open any ports on your router and it “just works” out of the box.
So even if I’m in a different country I can use the nextcloud app on my phone to connect to my raspberry pi in a secure manner and backup photos, which in turn backs them up to my VPS.
I'm using Tailscale for managing an old Mac Mini I have in the office that does some simple 'cron' tasks. It's behind NAT, but with Tailscale I'm able to SSH into the box regardless, which is really nice. I believe it's also possible for instance to have Tailscale running on your servers, and only expose port 22 on the Tailscale interface, which is also quite neat.
We don't use Tailscale, but we do run a WireGuard server. It gives our remote workers the local network access they need. For example we run an internal Kubernetes cluster that is not accessible over the internet. And we also have SMB shares that a remote worker might need to look into.
Basically the use of a VPN is to add an extra layer of defense. Instead of finding a security hole in our Kubernetes management interface or Samba server, an attacker would first have to compromise a worker's system, and only then attack our internal servers.
Instead of VPN'ing to the cloud to access my servers I just installed Tailscale on one of the VMs in the cloud and exposed all the routes. I work on 5 different PCs, no more VPN up and down.
The only thing missing from tailscale for me is being logged into multiple accounts at the same time.
Not using Tailscale but knocked up a VPN between my various servers to allow e.g. my tiny mail frontend to use the extremely heavy ClamAV on my big mail backend without having to expose it to the wider internet. Same with allowing all the servers access to each other's Redis instances for synchronisation of things like rspamd whitelists (easier than setting up Redis replication, for me.)
How is name resolution handled? I am going to play with it tonight, but it isn’t clear how DNS is set up. Is that something completely separate, or integrated into the tool? Thanks!
Currently it makes non-destructive edits to /etc/hosts. It would be interesting to explore more scalable ways to handle this for larger networks though.
DNS seems to be the weakest point of many of these overlay network products: hamachi, zerotier, tailscale, and probably this one all use some convoluted nonsense despite the fact that split dns mechanics exist out of the box now in Windows, MacOS and Linux.
All these seem nice but I never seem to find one that will interface with rootless nodes, and link back to wherever my laptop is. There's always a requirement for a kernel module or mounting a new interface. For now I use chisel, but it's a hack and I need to manage addresses and ports manually.
A userspace implementation would use a lot of battery power on laptops and be less performant.
Wireguard is now in the Linux kernel and does not require kernel modules. You will however require root privileges.
I don't want an unprivileged user to be able to route all my traffic though some tunnel. Changing system wide routes should require root.
Isn't the tool linked at the bottom, Nebula [1], capable of running without root?
Personally, I'm not surprised in the slightest that messing with networking requires administrative privileges. I don't really understand the use case for rootless nodes or how they're normally managed, but I can see how those are too niche for most networking software to work with.
I've never tried it, but perhaps you can get Innernet to work with the usermode WireGuard client (the one written in Go [2]), that seems to work on Android without any kernel support or root privileges. Innernet is a daemon over the wg command line tool so it might work out of the box?
Thanks for the heads-up. Before adding the alias, I did a quick search (https://packages.ubuntu.com/search?suite=xenial&arch=any&mod...) and did see the "inn" package, but it didn't seem like it included any "inn" binary that would cause name conflicts.
Happy to change the way that alias works if it ends up being a problem.
I think tailscale uses a userland TUN/TAP interface[0] which negotiates at 10MiB/s; that’ll be the largest bottleneck and likely applies to Innernet too.
Tailscale does use considerable CPU on my Mac though.
This was the name of my hometown ISP back in the late 90s.
You see, kids, back in the day, the internet was not run exclusively by gigantic mega corporations whose only argument against monopoly was "but but but WE wanted to be the monopoly!" Before Walmart pushed out all the mom-and-pop grocery stores, we had mom-and-pop internet service providers, and they didn't have to be called "artisanal" or "organic" to get anyone to care about them.
imiric | 5 years ago
I really like the simple client/server architecture, that it's easily self-hostable and there are no servers outside of my control.
The invite system reminds me of the way Tinc[1] handles it, which is great. It's so good to see user friendly tooling on top of WireGuard.
[1]: https://tinc-vpn.org/
reddec | 5 years ago
ing33k | 5 years ago
clpwn | 5 years ago
torwayburger | 5 years ago
JetSpiegel | 5 years ago
This is the best subnet calculator, since you can split and join subnets visually.
littlestymaar | 5 years ago
teleforce | 5 years ago
https://pages.di.unipi.it/ricci/501302.pdf
tmpfs | 5 years ago
I played around with WireGuard directly and having better ergonomics without vendor lock-in is great, I look forward to taking it for a spin.
chaz6 | 5 years ago
Thanks for sharing!
clpwn | 5 years ago
As moviuro mentioned, no, not unless you want to get fancy with independent network namespaces (https://man7.org/linux/man-pages/man8/ip-netns.8.html).
If you want to be more confident of not having an address space conflict, I recommend using a randomly generated private IPv6 block using the RFC 4193 specification: https://en.wikipedia.org/wiki/Private_network#Private_IPv6_a...
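As an added example (not innernet's code), building the kind of RFC 4193 block clpwn suggests: fd00::/8, then a 40-bit random Global ID and a 16-bit Subnet ID, giving a /64. The function and parameter names are my own.

```python
import secrets
from ipaddress import IPv6Network

ULA_RANGE = IPv6Network("fc00::/7")  # RFC 4193 Unique Local Addresses; L=1 gives fd00::/8

def make_ula_prefix(global_id=None, subnet_id=0):
    """Return a /64 laid out as RFC 4193 describes:
    fd (8 bits) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits).
    The Global ID is drawn from the OS CSPRNG when not supplied; RFC 4193 only
    requires it to be pseudo-random, so two independently generated networks
    collide with probability about 2^-40, unlike everyone's 10.0.0.0/8."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < 1 << 40:
        raise ValueError("global_id must fit in 40 bits")
    if not 0 <= subnet_id < 1 << 16:
        raise ValueError("subnet_id must fit in 16 bits")
    bits = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return IPv6Network((bits, 64))  # low 64 bits are zero, so strict mode is happy

def is_ula(net):
    """True when the block sits inside fc00::/7 (only fd00::/8 is assigned today)."""
    return net.subnet_of(ULA_RANGE)
```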
moviuro | 5 years ago
JackC | 5 years ago
codethief | 5 years ago
codethief | 5 years ago
[0]: Ever since someone posted https://news.ycombinator.com/item?id=23540586
bschwindHN | 5 years ago
Is there anything in particular you'd like to read about?
reyman | 5 years ago
byt3r | 5 years ago
clpwn | 5 years ago
nindalf | 5 years ago
jitix | 5 years ago
spyke112 | 5 years ago
tinco | 5 years ago
popotamonga | 5 years ago
zimpenfish | 5 years ago
davidcollantes | 5 years ago
bschwindHN | 5 years ago
gorkish | 5 years ago
davidcollantes | 5 years ago
hpfr | 5 years ago
Nebula has mobile apps. Might this be possible for Innernet in some distant future? It seems like no if it needs root.
adornedCupcake | 5 years ago
syoc | 5 years ago
jeroenhd | 5 years ago
[1]: https://github.com/slackhq/nebula
[2]: https://git.zx2c4.com/wireguard-go/about/
JoshTriplett | 5 years ago
Fortunately, it sounds like that's just an alias, so people who care about "inn" can just spell out "innernet" or make a different alias themselves.
clpwn | 5 years ago
emperor_ | 5 years ago
dijit | 5 years ago
[0]: https://github.com/tailscale/tailscale/blob/main/net/tstun/t...
afics | 5 years ago
Is a TCP mode planned? This would be useful for networks where outbound UDP isn't allowed. (hotel wifi, other public wifis)
Do you plan to add automatic key rollover/expiry?
clpwn | 5 years ago
There aren't any current plans to bake in TCP support, but you can rig it up yourself using something like udptunnel.
Related old HN comment with basic instructions: https://news.ycombinator.com/item?id=17847008
Also see: the "TCP Mode" section in https://www.wireguard.com/known-limitations/.
_9rq6 | 5 years ago
If you use private DNS nameservers, DNS queries are made over plaintext.
Magic DNS is not a hard sell.
ng28 | 5 years ago
carabiner | 5 years ago
bschwindHN | 5 years ago
moron4hire | 5 years ago