Off topic question. Anyone know any kind of VPN tool that manages connections and can hole punch (and initiate from either side) like syncthing does for file transfers?
The term “VPN” is really broad, and there are different kinds of VPN. I’m assuming you refer to a traditional remote access/site-to-site VPN here, not to a “commercial network proxy service”.
In that case, you’re looking for VPN solutions with NAT traversal features. There are lots of them, for example:
- Tailscale (based on Wireguard, L3 VPN, partially open source)
- ZeroTier (L2 VPN, open source, license not FOSS)
- Netbird (based on Wireguard, L3 VPN, extremely similar to Tailscale, open source)
- Plain WireGuard with some tweaks or mods (can be googled easily, not linking them here)
I’m not sure what you mean with “manages connections”. A VPN just routes traffic, it doesn’t do much with “connections”. Or do you mean identity/access control?
1 Like
- OpenZiti / zrok
OpenZiti makes it easy to embed zero trust, programmable networking directly into your app. With OpenZiti you can have zero trust, high performance networking on any Internet connection, without VPNs.
zrokfacilitates sharing resources both publicly and privately. Public sharing allows you to sharezrokresources with non-zrokusers over the public internet. Private sharing allows you to directly share your resources peer-to-peer with otherzrokusers without changing your security or firewall settings.
Thanks for the comments. I will investigate these.
The use case is a traveling robotics competition. We want to be able to setup devices in different places within a school network and have them automatically establish a private connection so we don’t have to run 400ft of network cable to connect different areas of the school. If each can reach the internet we should be able to VPN. But we don’t want to have to configure th vpn differently at each different school.
I realize depending on the network configuration this may not work at every venue. But for the venues that it could work at it save a bunch of setup and tear down time and trip hazards if we have to run cables over high traffic areas.
I researched the existing VPN solutions a couple of years ago, and eventually settled on Nebula VPN from Slack, for:
- being open-sourced,
- extremely simple to set-up,
- trust-worthy security out-of-the-box, using certificates for authentication (zero-trust) and traffic encryption,
- runs on Linux and Windows,
- does relaying and NAT-punching (the network requires 1 public IP for this. Public IP is not required for static configuration). i.e. mesh networking,
- can use aes or chacha encryption (chacha is faster on older CPUs and embedded devices),
- supports routing for devices that cannot run Nebula (perhaps this can also do site-to-site, I’m not sure),
- has a built-in firewall…
Here’s an introductory video from apalrd: The Power of Zero-Trust Architecture: Building a Secure Internal Network with Nebula
2 Likes
For my needs I went with the sort of centralised ZeroTier, or rather centrally orchestrated, because traffic will still try to avoid hopping through ZeroTier when possible.
ZeroTier allowed me to avoid deploying any infrastructure, where I think Nebula required me to deploy some infrastructure, at least back then.
I haven’t tried Nebula yet, but the free version of ZeroTier still meets my needs, I think I can have up to 50 devices on the free edition.
Yeah I heard ZeroTier was very practical and easy to set-up plus has a web dashboard.
Depending on your security requirements, having a web server and a foreign “orchestrator” might be OK.
Yeah, to set up Nebula, on each device you will need:
- The executable
- The configuration file
- The node’s private key file
- The network cert’s public key file
Then a mechanism for pushing configuration updates and new (periodic) key roll-outs would be needed (there’s no web dashboard or the like). Ansible is generally a good choice for this.
I can recommend Tailscale. It’s been solid after a year of use.