undefined | Better HN

0 pointsalpn3mo ago0 comments

> I'd rather expose a Wireguard port and control my keys than introduce a third party like Tailscale.

I’m working on a (free) service that lets you have it both ways. It’s a thin layer on top of vanilla WireGuard that handles NAT traversal and endpoint updates so you don’t need to expose any ports, while leaving you in full control of your own keys and network topology.

https://wireplug.org

0 comments

copperx3mo ago

Apparently I'm ignorant about Tailscale, bacause your service description is exactly what I thought Tailscale was.

SchemaLoad3mo ago

The main issue people have with Tailscale is that it's a centralised service that isn't self hostable. The Tailscale server manages authentication and keeping track of your devices IPs.

Your eventual connection is direct to your device, but all the management before that runs on Tailscales server.

TOMDM3mo ago

Isn't this what headscale is for?

hamandcheese3mo ago

This is very cool!

But I also think it's worth a mention that for basic "I want to access my home LAN" use cases you don't need P2P, you just need a single public IP to your lan and perhaps dynamic dns.

digiown3mo ago

Where will you host the wg endpoint to open up?

- Each device? This means setting up many peers on each of your devices

- Router/central server? That's a single point of failure, and often a performance bottleneck if you're on LAN. If that's a router, the router may be compromised and eavesdrop on your connections, which you probably didn't secure as hard because it's on a VPN.

Not to mention DDNS can create significant downtime.

Tailscale fails over basically instantly, and is E2EE, unlike the hub setup.

hamandcheese3mo ago

To establish a wg connection, only one node needs a public IP/port.

> Router/central server? That's a single point of failure

Your router is a SPOF regardless. If your router goes down you can't reach any nodes on your LAN, Tailscale or otherwise. So what is your point?

> If that's a router, the router may be compromised and eavesdrop on your connections, which you probably didn't secure as hard because it's on a VPN.

Secure your router. This is HN, not advice for your mom.

> Not to mention DDNS can create significant downtime.

Set your DNS ttl correctly and you should experience no more than a minute of downtime whenever your public IP changes.

digiown3mo ago

> one node needs a public IP/port

A lot of people are behind CGNAT or behind a non-configurable router, which is an abomination.

> Secure your router

A typical router cannot be secured against physical access, unlike your servers which can have disk encryption.

> Your router is a SPOF regardless

Tailscale will keep your connection over a downstream switch, for example. It will not go through the router if it doesn't have to. If you use it for other usecases like kdeconnect synchronizing clipboard between phone and laptop, that will also stay up independent of your home router.

kevin_thibedeau3mo ago

A public IP and DDNS can be impossible behind CGNAT. A VPN link to a VPS eliminates that problem.

digiown3mo ago

The VPS (using wg-easy or similar solutions) will be able to decrypt traffic as it has all the keys. I think most people self-hosting are not fine with big cloud eavesdropping on their data.

Tailscale really is superior here if you use tailnet lock. Everything always stays encrypted, and fails over to their encrypted relays if direct connection is not possible for various reasons.

hamandcheese3mo ago

When I said "you just need a single public IP" I figured it was clear that I wasn't claiming this works for people who don't have a public IP.

j / k navigate · click thread line to collapse

0 comments

copperx3mo ago

Apparently I'm ignorant about Tailscale, bacause your service description is exactly what I thought Tailscale was.

SchemaLoad3mo ago

The main issue people have with Tailscale is that it's a centralised service that isn't self hostable. The Tailscale server manages authentication and keeping track of your devices IPs.

Your eventual connection is direct to your device, but all the management before that runs on Tailscales server.

TOMDM3mo ago

Isn't this what headscale is for?

hamandcheese3mo ago

This is very cool!

But I also think it's worth a mention that for basic "I want to access my home LAN" use cases you don't need P2P, you just need a single public IP to your lan and perhaps dynamic dns.

digiown3mo ago

Where will you host the wg endpoint to open up?

- Each device? This means setting up many peers on each of your devices

Not to mention DDNS can create significant downtime.

Tailscale fails over basically instantly, and is E2EE, unlike the hub setup.

hamandcheese3mo ago

To establish a wg connection, only one node needs a public IP/port.

> Router/central server? That's a single point of failure

Your router is a SPOF regardless. If your router goes down you can't reach any nodes on your LAN, Tailscale or otherwise. So what is your point?

> If that's a router, the router may be compromised and eavesdrop on your connections, which you probably didn't secure as hard because it's on a VPN.

Secure your router. This is HN, not advice for your mom.

> Not to mention DDNS can create significant downtime.

Set your DNS ttl correctly and you should experience no more than a minute of downtime whenever your public IP changes.

digiown3mo ago

> one node needs a public IP/port

A lot of people are behind CGNAT or behind a non-configurable router, which is an abomination.

> Secure your router

A typical router cannot be secured against physical access, unlike your servers which can have disk encryption.

> Your router is a SPOF regardless

kevin_thibedeau3mo ago

A public IP and DDNS can be impossible behind CGNAT. A VPN link to a VPS eliminates that problem.

digiown3mo ago

The VPS (using wg-easy or similar solutions) will be able to decrypt traffic as it has all the keys. I think most people self-hosting are not fine with big cloud eavesdropping on their data.

Tailscale really is superior here if you use tailnet lock. Everything always stays encrypted, and fails over to their encrypted relays if direct connection is not possible for various reasons.

hamandcheese3mo ago

When I said "you just need a single public IP" I figured it was clear that I wasn't claiming this works for people who don't have a public IP.

j / k navigate · click thread line to collapse