I've been diving pretty deep into networking recently, especially from a self-hosting perspective. Self-hosting tends to turn into a mess of domain name registration, VPS management, TLS cert management, dyndns, port forwarding, hole punching, etc etc.
I think technologies like WireGuard are going to play an important role in reducing that complexity (once we get some higher abstractions). I started a list of useful software I've found in this space here.
I'm in the exact same phase - been doing hosting/ops/sysadmin for most of my life but have only recently started paying serious attention to the networking.
Something I've yet to come up with a good solution for, which I feel should be much more common and simple; maybe you can point me in the right direction (and maybe the answer is iptables, urgh):
(Containerized) P2P software that should be routed through some other endpoint before reaching/being reachable from the network.
Example: Bitcoin full node or Bittorrent node running in a Docker container on one of my home servers (where the host runs other software too). For all intents and purposes I want the nodes to route traffic through a VPS in some other DC (in this case bridged via wireguard). Incoming's easy enough with reverse proxies/load balancers, but with all the UDP traffic on random ports, outgoing TCP connections, etc, I haven't figured out a way to make it not leak my IP in some way.
Feels this should be dead easy but I'm stumped. Oh, and assume no support of SOCKS proxies in the software itself.
I'm aware of hidden onion services but talking clearnet here.
Yeah sorry, I can't think of anything to solve that. But it does have me thinking that I bet someone out there has made a wrapper program that intercepts network system calls (using LD_PRELOAD hacks) from a target executable and routes them all through a specific interface.
Failing that, you're probably stuck with iptables and maybe Linux namespaces.
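One concrete way to do what the question above asks for, combining the namespace and iptables ideas. This is an added example, not something posted in the thread. The WireGuard interface is created in the host's network namespace, so its UDP socket stays on the host and reaches the VPS over the normal uplink; the interface is then moved into the container's namespace, which otherwise holds only `lo`. Every packet the application emits, TCP or UDP on whatever port, DNS included, then has exactly one possible route, the tunnel, so there is nothing to leak. The VPS end masquerades the tunnel address out and DNATs the P2P port back in. Interface names, addresses, ports, paths, the container name and the VPS uplink are all placeholders to replace.

```shell
#!/bin/sh
# Added example, not from the thread: confine one Docker container to a
# WireGuard tunnel that exits on a VPS. Names, addresses, ports and paths are
# assumptions; replace them with your own.
set -eu

WG_IF=${WG_IF:-wg-bt}                              # assumed interface name
WG_CONF=${WG_CONF:-/etc/wireguard/wg-bt.conf}      # wg(8) setconf format: [Interface] PrivateKey,
                                                   # [Peer] = VPS with AllowedIPs = 0.0.0.0/0 and
                                                   # PersistentKeepalive = 25 (no Address/DNS lines)
TUN_ADDR=${TUN_ADDR:-10.8.0.2/32}                  # this end of the tunnel (assumed)
TUN_PEER=${TUN_PEER:-10.8.0.2}                     # the same address as seen from the VPS
DNS_SERVER=${DNS_SERVER:-1.1.1.1}                  # any resolver; it is reached via the tunnel
CONTAINER=${CONTAINER:-bitcoind}                   # assumed container name
P2P_PORT=${P2P_PORT:-8333}                         # inbound port to expose on the VPS (assumed)
WAN_IF=${WAN_IF:-eth0}                             # VPS uplink (assumed)
RUN=${RUN:-}                                       # RUN=echo prints the commands instead

# Home host: start the container with no network at all (only lo), so nothing
# can leave it until the tunnel is handed over. --dns must not point at a LAN
# resolver: that would be unreachable (not leaked) from inside.
start_container() {
  $RUN docker run -d --name "$CONTAINER" --network none --dns "$DNS_SERVER" "$@"
}

# Home host: the WireGuard interface is created in the host namespace, so its
# UDP socket stays on the host side and reaches the VPS over the normal uplink.
# It is then moved into the container, where it becomes the only way out.
attach_tunnel() {    # $1 = container PID, e.g. $(docker inspect -f '{{.State.Pid}}' "$CONTAINER")
  pid=$1
  $RUN ip link add "$WG_IF" type wireguard
  $RUN wg setconf "$WG_IF" "$WG_CONF"              # keys/peer must be set before the move
  $RUN ip link set dev "$WG_IF" netns "$pid"
  $RUN nsenter -t "$pid" -n ip addr add "$TUN_ADDR" dev "$WG_IF"
  $RUN nsenter -t "$pid" -n ip link set "$WG_IF" up
  $RUN nsenter -t "$pid" -n ip route add default dev "$WG_IF"   # add ::/0 too if the VPS does IPv6
}
# A restart of the container creates a fresh namespace and destroys the
# interface together with the old one, so attach_tunnel must run again after it.

# Given `ip route show` output from inside the namespace, succeed only when
# every route leaves via the tunnel interface.
routes_confined() {
  printf '%s\n' "$1" | awk -v wg="$WG_IF" '
    NF == 0 { next }
    { ok = 0
      for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == wg) ok = 1
      if (!ok) bad = 1 }
    END { exit bad }'
}

# Leak check from the host: only lo and the tunnel exist inside, and every
# route goes through the tunnel.
check_no_leak() {    # $1 = container PID
  routes_confined "$(nsenter -t "$1" -n ip route show)" &&
    [ "$(nsenter -t "$1" -n ip -o link show | grep -vc ': lo:')" -eq 1 ]
}

# VPS: its peer entry for the home end carries AllowedIPs = 10.8.0.2/32.
# Masquerade the tunnel address out of the uplink and DNAT the P2P port back in.
vps_nat_rules() {
  $RUN sysctl -w net.ipv4.ip_forward=1
  $RUN iptables -t nat -A POSTROUTING -s "$TUN_PEER" -o "$WAN_IF" -j MASQUERADE
  $RUN iptables -A FORWARD -i wg0 -o "$WAN_IF" -s "$TUN_PEER" -j ACCEPT
  $RUN iptables -A FORWARD -i "$WAN_IF" -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $RUN iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$P2P_PORT" -j DNAT --to-destination "$TUN_PEER"
  $RUN iptables -A FORWARD -i "$WAN_IF" -o wg0 -p tcp -d "$TUN_PEER" --dport "$P2P_PORT" -j ACCEPT
}
```

Order of operations on the home host: `start_container <image>`, then `attach_tunnel "$(docker inspect -f '{{.State.Pid}}' bitcoind)"`, then `check_no_leak` with the same PID. The application sees no network for the moment between the two, so it has to tolerate that (most P2P daemons retry); do not `docker restart` it to fix that, since the restart throws the interface away with the namespace. The VPS needs the tunnel up with the home side as a peer before inbound connections work; the keepalive from the home side is what keeps the NAT mapping open for them.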
Run it on a lightweight k8s (eg k3s) on your machine then use iptables to forward all traffic from k8s to your VPS
I'm using some other orchestration than k8s/k3s (and regardless different deployments should have different entrypoints).
But yeah, maybe the real answer is "iptables" and I just have to step up my game a bit to grok it.
K8s means you'll have a single source IP for all your application's traffic so you can just forward it all upstream instead of having to hunt for which ports it actually uses
Right, but I'm not going to use kubernetes, and I only want this for certain containers. Maybe there's a solution for this with CNI, though?
Yeah, a VPN gateway on a VPS does away with a lot of that complexity. Having your LAN devices in the same virtual network makes dyndns, hole punching and port forwarding largely unnecessary. However, I still view wrapper scripts that you are supposed to curl | bash with some suspicion. I have a simple IPSec setup with strongswan and frankly I did not find the documentation to be as daunting as people make it out to be.
If there is a certbot plugin for your DNS provider's API then renewal of TLS certs is a matter of a single cronjob with some hooks for other services. I set it up 18 months ago and it has never failed to renew.
We're building most everything on bare metal at Fly.io and it's the exact same deal. Wireguard is great for our infrastructure.
Your GitHub list is super handy. :)
On wireguard -- I recently replaced a pretty grim/complicated openvpn setup with a wireguard one, and while I had to write a ~200 line shell script to let our ops guys create configs for the users, it's been pretty much a great experience. (wireguard is itching for a nice ui or cli tool for managing configs.... if anyone knows one please let me know...)
Wireguard is simple point-to-point, I have an iptables rule that masquerades the tunnel interface to the internal interface of the 'vpn server' but it's all so simple that I don't feel bad at all that someone down the road will inherit this system and have to manage it. It's obvious, the stuff I wrote around it is simple enough to grok in an hour, and that's a world of difference from openvpn, where you can easily deploy it with some ansible-galaxy role, but actually maintaining it for 200+ devs requires you to actually understand it which is a different thing.
I'm not really contributing anything here, apart from -- everywhere I've used wireguard I feel better for it. If you're weighing up options, I suggest you go wg. :}
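A cut-down version of the kind of config-management script the post above describes, written here as an added example rather than the poster's own. It allocates the next free tunnel address, appends a tagged `[Peer]` block to the server config, pushes the peer into the running interface with `wg set` (no restart, so other sessions stay up) and prints the client config; `revoke` does the reverse, and removing the peer from the kernel ends that user's session immediately, which is the offboarding step that otherwise needs a session-tracking layer. Interface name, config path, subnet, endpoint, DNS and the AllowedIPs handed to clients are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: add or revoke one peer on a
# point-to-point WireGuard server. Interface, paths, subnet, endpoint and the
# AllowedIPs handed to clients are assumptions.
set -eu

WG_IF=${WG_IF:-wg0}
SERVER_CONF=${SERVER_CONF:-/etc/wireguard/$WG_IF.conf}   # wg-quick style; the server is .1
SUBNET_PREFIX=${SUBNET_PREFIX:-10.8.0}                    # assumed /24 tunnel subnet
ENDPOINT=${ENDPOINT:-vpn.example.com:51820}               # assumed public endpoint
CLIENT_DNS=${CLIENT_DNS:-10.8.0.1}                        # assumed resolver behind the tunnel
CLIENT_ALLOWED=${CLIENT_ALLOWED:-10.8.0.0/24,192.168.10.0/24}  # tunnel + internal LAN (assumed)

gen_keys() {          # prints "<private> <public>" using wg(8)
  priv=$(wg genkey)
  printf '%s %s\n' "$priv" "$(printf '%s' "$priv" | wg pubkey)"
}

next_free_ip() {      # $1 = server conf; lowest unused host address, the server holds .1
  esc=$(printf '%s' "$SUBNET_PREFIX" | sed 's/\./\\./g')
  used=$(sed -n "s/^AllowedIPs *= *$esc\.\([0-9]*\)\/32.*/\1/p" "$1")
  n=2
  while printf '%s\n' "$used" | grep -qx "$n"; do n=$((n + 1)); done
  [ "$n" -lt 255 ] || { echo "subnet $SUBNET_PREFIX.0/24 is full" >&2; return 1; }
  printf '%s.%s\n' "$SUBNET_PREFIX" "$n"
}

server_peer_block() { # $1 = user, $2 = pubkey, $3 = ip; the comment is the handle for revocation
  printf '\n# user: %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

peer_pubkey() {       # $1 = user, $2 = server conf; empty output when the user is unknown
  awk -v u="$1" '$0 == "# user: " u { f = 1 } f && /^PublicKey/ { print $3; exit }' "$2"
}

remove_peer_block() { # $1 = user, $2 = server conf; drops the block up to the next blank line
  awk -v u="$1" '$0 == "# user: " u { skip = 1; next } skip && NF == 0 { skip = 0 } !skip' "$2" > "$2.tmp" \
    && mv "$2.tmp" "$2"
}

client_config() {     # $1 = client private key, $2 = client ip, $3 = server pubkey
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/24
DNS = $CLIENT_DNS

[Peer]
PublicKey = $3
Endpoint = $ENDPOINT
AllowedIPs = $CLIENT_ALLOWED
PersistentKeepalive = 25
EOF
}

add_peer() {          # $1 = user; the client config (with its private key) goes to stdout
  user=$1
  set -- $(gen_keys); priv=$1; pub=$2
  ip=$(next_free_ip "$SERVER_CONF")
  server_peer_block "$user" "$pub" "$ip" >> "$SERVER_CONF"
  wg set "$WG_IF" peer "$pub" allowed-ips "$ip/32"         # live, without bouncing other peers
  spub=$(sed -n 's/^PrivateKey *= *//p' "$SERVER_CONF" | head -n 1 | wg pubkey)
  client_config "$priv" "$ip" "$spub"
}

revoke_peer() {       # $1 = user; removing the peer from the kernel drops its session at once
  pub=$(peer_pubkey "$1" "$SERVER_CONF")
  [ -n "$pub" ] || { echo "no such user: $1" >&2; return 1; }
  wg set "$WG_IF" peer "$pub" remove
  remove_peer_block "$1" "$SERVER_CONF"
}

case "${1:-}" in
  add)    add_peer "$2" ;;
  revoke) revoke_peer "$2" ;;
esac
```

Usage: `./wg-peer.sh add alice > alice.conf` prints a config that contains the client's private key, so move it through a channel you trust and delete the copy afterwards; `./wg-peer.sh revoke alice` cuts the session and removes the block. The file is treated as the source of truth and the kernel is updated in place, so leave wg-quick's `SaveConfig` off: with it on, `wg-quick down` rewrites the file from kernel state and the `# user:` tags the revoke step relies on are lost.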
> wireguard is itching for a nice ui or cli tool for managing configs.... if anyone knows one please let me know...
I've been writing wg-access-server which is an open source all-in-one solution for getting a wireguard based VPN server up and running.
There are a few others I've come across as well: streisand, wg-ui, subspace
If you like, I'd be happy to hear about your use-cases and see if I can fit them into wg-access-server :D
Thank you for your work on wg-access-server, I am happily using it at work with the multi user support to let staff self-service their VPN logins.
There's a few rough edges if you wander off from the simplest use case and a few nice-to-have features that I'm sure will show up in due course, but the core product nails it IMO.
Thanks for the kind words. I'd be happy to hear more about the rough edges and the nice-to-haves you're after in more detail in a github issue :D
FWIW, I'm looking for a HA solution that will allow me to use WG instead of IPSec for site to site connectivity from on-prem DC to public cloud.
So basically, something to replace this (as an example): https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gatew...
NetworkManager seems to handle it fairly well, if you’re running a OS/distro/network stack/desktop that uses it
I understand WG is meant to be no frills but for my company to use it, we need a standardized authentication framework around it like Xauth that can handle usernames/passwords/certificates (X509, not just keys)/MFA/etc. and server side tracking to allow for termination of sessions when people leave. It's not something I want to build myself. I would prefer that it be standardized and added to the official clients. Even if it's as simple as an OAuth flow that returns a key.
Wireguard doesn't support MFA so it isn't compliant with the frameworks we require (I guess Tailscale is). Though you can make a SSH proxy with MFA if you enforce MFA via PAM (e.g. FIDO2 or TOTP are both possible).
FWIW: WireGuard isn't supposed to support MFA. You're meant to do MFA at a level above WireGuard. WireGuard sessions are keyed directly with Curve25519.
We created a web portal with SAML authentication that provisions and manages wireguard profiles on our edge locations. Employees have to log into the portal to obtain a wireguard configuration, and their configuration(s) are removed when their profile is deprovisioned in the IDP. It's much easier to support than OpenVPN was, and the wireguard client for mobile (at least iOS) just works, whereas the OpenVPN client for iOS was a nightmare to set up.
WG is rather low-level. Projects and companies like Tailscale are tackling what you describe, and I'm confident we'll eventually have open standards as well.
You look like exactly the target audience of Tailscale.
For those that find this interesting, I highly recommend Tailscale (https://tailscale.com).
Caveat emptor: requires a Google or Microsoft account.
Connect that to a printer and yet another reason for on-prem IT goes away.
On the topic of WireGuard, I just thought I'd share wgcf that I discovered recently. It generates the configs and keys you need to connect to CloudFlare's Warp+ from any WireGuard client. I used it on my router so I can use Warp+ with my entire network.
Maybe I'm just inept but the only way I could get WireGuard running on a Debian Buster server was with easy-wg-quick. And it works (almost) perfectly.
The only issue I've had is adding a 3rd client. My windows desktop just will not connect. Another Windows laptop, and an Android work perfectly.
How does this compare to an algo setup?
I skimmed through the page. While Algo has many sane defaults for configuration as well as (VPS) destinations and an interactive mode, this one doesn't have any interactive features. It doesn't seem to have specific defaults either.
I may be completely wrong here since I've used Algo only a few times, and that was quite some time ago. One difference I see with this is the creation of new user profiles every time it's run. Algo, in my limited use, seems to be geared for one user profile (or creating user profiles on setup and not later?).
It would be great to see this integrated with Algo.
There is an option with algo to add client configs subsequent to the initial setup