Adventures in Access Networking

I like encrypted tunnels, VPNs, whatever you wanna call 'em. I've always been fascinated by encapsulation in a technical sense, despite the wisdom of RFC1925. I've deployed L2TP, PPTP, IPSec, OpenVPN, and others. Recently, I started playing with WireGuard. I had a conceptual block early on and it took me a bit to figure it out. Once I did, it was one of those facepalm moments like “Oh, crap, this is STUPID SIMPLE”.

In my testing with iperf3, WireGuard is the fastest of the crew to boot. I've got a set of test servers set up in a WireGuard mesh for testing. It's actually pretty cool stuff. IPv6 mesh with RFC4193 ULA address space, and it's very fast. Not significantly slower than line rate of unencrypted v6 packets. Now I read that the Calico CNI supports WireGuard as a first-class encrypted in-cluster K8S transport. This is awesome! I gotta try it!

Side Quest: k8s

So I've deployed k8s with Calico and BGP, then a BIRD BGP daemon on a Linux box running an nginx reverse proxy config. This allows nginx to load balance to the pods that are referenced by a “headless service” – one that only identifies pods and doesn't do network config like building NodePorts/ClusterIP/LoadBalancer. You configure your nginx to proxy to the result of servicename.namespace.svc.cluster.local and tell it to ask the cluster's CoreDNS for the address. This will get it a round-robin result – not ideal for all endpoints, but great for others.
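Roughly what that nginx piece looks like, as an added example rather than the post's own config. The CoreDNS address 10.96.0.10, the service name web.app, the pod port 8080, the hostname web.example.org and the certificate paths are all placeholders:

```nginx
# Constructed example for the BIRD/BGP + nginx front end described above; not the post's own config.
# Assumptions (placeholders): CoreDNS answers at 10.96.0.10, the headless Service is
# "web" in namespace "app" (spec.clusterIP: None), and the pods listen on 8080.
http {
    # Resolve names through the cluster's CoreDNS rather than the host's /etc/resolv.conf.
    # valid=10s caps how long nginx trusts an answer, so pods that are replaced or scaled
    # drop out of / into rotation within seconds instead of at the next reload.
    # This address must be routable from the proxy host. Pod IPs are, because BIRD learns
    # the pod CIDRs from Calico over BGP; the Service ClusterIP range is not unless Calico
    # is told to advertise it (BGPConfiguration serviceClusterIPs), so either enable that
    # or point resolver at a CoreDNS pod IP instead.
    resolver 10.96.0.10 valid=10s;

    server {
        listen 443 ssl;
        server_name web.example.org;
        ssl_certificate     /etc/nginx/tls/web.crt;
        ssl_certificate_key /etc/nginx/tls/web.key;

        location / {
            # Putting the upstream name in a variable is what makes nginx re-resolve it at
            # request time. A literal hostname in proxy_pass is resolved once, when the
            # config is loaded, and would keep sending traffic to dead pod IPs after a rollout.
            set $backend "web.app.svc.cluster.local";
            proxy_pass http://$backend:8080;

            # Round-robin across whatever A records CoreDNS returned; there is no session
            # affinity, so anything that needs sticky sessions should not go through this path.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```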

The WireGuard CNI would offer a similar solution, I think. I have to try it to be sure, but I think you can just add it to the WireGuard mesh and et voilà! Encrypted and tunneled! Pretty nifty.

Main Quest: Encrypted Mesh

Then I discovered Tailscale. Tailscale uses WireGuard – but so does a lot of other stuff, like Ubiquiti's Teleport. Tailscale is a commercial product with a 'free personal tier' that allows you to have 20 nodes, one subnet router and some limits on functionality. It's STUPID SIMPLE to make it work initially, and there are a few things you can learn in one afternoon to expand its functionality. It's a full-time tunnel, but by default you only talk to other nodes on the mesh via TS; however, one node can publish routes, and you can accept those routes, and any traffic you send to them will be forwarded through the TS mesh. For example, one node (my TrueNAS node) publishes my internal RFC1918 v4 range and any of my other nodes can access that network by accepting those routes.

A node can also advertise itself as an “exit node”; my other nodes can choose to use it, and that sends all traffic through that node. If it has internet access, that means your internet access goes through that node. And it doesn't matter where you are, as long as you have internet connectivity. Your friend's house, the coffee shop on the corner... as soon as you choose “use exit node” and choose the exit node, your traffic is tunneled through that node, and encrypted. I have two exit nodes configured. My NAS is on the Tailscale mesh, as are my laptops and my Proxmox servers.

Get back home, or decide you don't need the security of the encrypted tunnel anymore? Just stop using the exit node. You can still ssh to your tailscale nodes from anywhere you have internet connectivity, but there are no 'ports' open to the world.

Side Quest: “Self hosted” alternatives

I like to host my own solutions. I have a Mastodon instance, a Pleroma instance, a WriteFreely instance (this one), a Pixelfed instance, a Friendica instance, etc. I like the control of knowing the network inside and out and having control and knowledge. Thus, Tailscale being a commercial solution that I don't own, I had to look for alternatives. I found three: Project Nebula, Headscale, and spinning one's own mesh.

Nebula and Headscale are not bad projects, but Nebula doesn't offer comprehensive IPv6 solutions (last I checked), and Headscale doesn't have an iOS client. They offer some of the features of Tailscale, but are not nearly as simple to get going (of course, since you have to build the system yourself). If Nebula ever gets full IPv6 functionality in both overlay and underlay, I might switch. Or if Headscale gets an iOS client... :D

Spinning your own mesh isn't hard, but is tedious. Building all the config files and designing the network is a spreadsheet job, and I hate spreadsheet jobs.

fin

Anyway, if you have any use for a VPN in your private life or hobby world, I highly recommend giving Tailscale a spin. No, I'm not getting paid, it's just really cool. If you don't care about IPv6, give Nebula and Headscale a look, they might be a good solution for you. And if you're really into spreadsheet jobs, build your own mesh!