
patmcc | 1 month ago

No joke, it just came up at work as a possible solution to something. We have some legacy systems that talk over TCP in plaintext. It's all within well-secured networks on locked down machines, so fine. But now we want to move things to Megaport, and their agreement says "btw don't put anything in plaintext ever, we guarantee nothing". So stunnel will probably be the fix.
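As an added illustration (not from this thread or the stunnel project) of what "wrap the legacy TCP link in stunnel" looks like, here are two stunnel configuration files in one block, separated by file-name comments: the client side accepts plaintext only on loopback and talks TLS across the carrier, the server side terminates TLS and hands plaintext to the legacy service on loopback, and both sides require a certificate chained to a private CA. Hostnames, ports, certificate paths and the unprivileged user name are assumptions.

```ini
; ===== file: /etc/stunnel/legacy-client.conf (assumed path) =====
; Global options must come before the first [service] section.
pid = /var/run/stunnel-legacy-client.pid
; Drop privileges after binding; user/group names are assumed.
setuid = stunnel
setgid = stunnel
; Refuse anything older than TLS 1.2.
sslVersionMin = TLSv1.2

[legacy-client]
client = yes
; The unmodified legacy client still speaks plaintext, but only to localhost.
accept = 127.0.0.1:9000
; The TLS leg that crosses the carrier network (assumed hostname/port).
connect = legacy-server.example.internal:9443
; Client certificate and key issued by the private CA (assumed paths).
cert = /etc/stunnel/client.pem
key = /etc/stunnel/client.key
; Only peers chained to this private CA are accepted, and the server's
; certificate must match the expected hostname.
CAfile = /etc/stunnel/private-ca.pem
verifyChain = yes
checkHost = legacy-server.example.internal

; ===== file: /etc/stunnel/legacy-server.conf (assumed path) =====
pid = /var/run/stunnel-legacy-server.pid
setuid = stunnel
setgid = stunnel
sslVersionMin = TLSv1.2

[legacy-server]
; TLS listener exposed to the carrier network.
accept = 0.0.0.0:9443
; Plaintext stays on loopback, to the legacy service itself.
connect = 127.0.0.1:9000
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
CAfile = /etc/stunnel/private-ca.pem
; A client must present a certificate, and it must chain to the private CA;
; without requireCert a client that sends no certificate would be let in.
requireCert = yes
verifyChain = yes
```

Issue both certificates from the same private CA rather than a public one, so that CAfile limits peers to certificates you issued yourself.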


Piraty | 1 month ago

I was involved in a very similar situation once. I recommend wireguard for this, it's mature for years, has superb support in linux and some BSDs and there are userspace implementations if you need that. It wraps traffic in UDP, the overhead is much smaller thus throughput much higher than traditional TCP-based VPN (you want to avoid tcp-in-tcp!). There were once patches posted to lkml that passed QoS-flags from the inner packet to the wireguard packet, if you need that. Not sure if that landed upstream in the end. Key distribution and lifecycle management is what was still unsolved years back when this was evaluated, nowadays tailscale and its clones and similar oss should serve you well.

danlitt | 1 month ago

This is cool, but "legacy systems that talk over TCP in plaintext" sounds like it might qualify for "horribly outdated", no?

pixl97 | 1 month ago

A different way to think of this is...

"Every day you get electricity, water, transportation, food, and general survival are dependent on horrifically outdated software systems that aren't going to be changed any time soon"

patmcc | 1 month ago

I mean...fair. All I can say is it's still very critical and in production. I guess it's just worth pointing out that horribly outdated things still need support :)

nine_k | 1 month ago

Not wireguard?

01HNNWZ0MV43FF | 1 month ago

Maybe they need something that works without root and IP space allocation. I like WireGuard and use it myself but it is a bit of an installation compared to binding a port

pfix | 1 month ago

Not a security expert and also curious about implications:

I always considered it the best solution to have both: VPN encryption and TLS encryption over the VPN. Different OSI Layers. Different Attack Surfaces.

Not sure if that is a recommended practice though (see initial remark ;) )