Wireguard can't punch through NATs or firewalls without third party software like Tailscale. Also I'm pretty sure each peer to peer connection needs to be individually set up in a config file ahead of time
Nebula[0] addresses this and is IMO an improvement over WireGuard. Came out of Slack originally, and it supports peer discovery, NAT hole punching, and some other cool features. Also still uses the Noise Protocol.
In practice, the extra networking features + better first class peer config management baked in is very nice (Nebula’s “lighthouses” are configured with a tool similar to DSNet for Wireguard[1])
[0] https://github.com/slackhq/nebula
[1] https://github.com/naggie/dsnet
I use Nebula but the relay config is somewhat clunky and the macOS port is pretty buggy.
What's the story with removing uncooperative endpoints from Nebula?
So now we're back "tailscale but with different steps"
tailscale appears to be a paid product with a free tier, nebula (while DIY) is free
there is an open source control plane called headscale which covers almost all of the features for free (while DIY)
People keep saying that, but haven't we learned already that eventually Tailscale gets bought, then priorities change, then they make incompatible changes because they need to grow, and headscale either can't keep up, or gets pushed away by Tailscale themselves, and we're back to using $TailscaleCompetitor who promises to not do the same thing.
Just don't rely on centralized for-profit entities, rely on stuff produced by non-profits and foundations, that you know isn't gonna screw you over as soon as they need money.
I am personally happy to use Tailscale directly so I don't know. There isn't anything better out there though.
> Just don't rely on centralized for-profit entities, rely on stuff produced by non-profits and foundations, that you know isn't gonna screw you over as soon as they need money
What do you use that fits that philosophy and offers the basic functionality (NAT traversal, Magic DNS, failover relaying) TS provides?
Nebula has NAT traversal and failover relaying I believe, but not magic DNS.
This is correct, and the lack of a MagicDNS solution is definitely felt when using Nebula (esp. when switching from Tailscale)
While I agree in spirit, I find this logic around for profit FOSS projects a little backwards sometimes, because it implies forking Tailscale wouldn't save much time.
What makes you think we'd be better off building a competitor to something open source if it has all the features we want now? The reason we don't see open source competitors to big products is not because people are too dumb to try it. It's because it's way, way harder. It makes way more sense to fork and work from there while we're still getting this momentum from Tailscale.
If you think Headscale is going to have problems keeping up with a private Tailscale, good luck rebuilding Tailscale.
It punches through my NAT just fine without third party software.
It's not as simple to make it reliable as it is with Tailscale, but it works.
It doesn't universally work without a helper script and a STUN server, though - you need a suitably "friendly" NAT that has reasonably predictable behaviour with respect to port mapping and/or just one side of each pair behind a NAT.
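The "helper script and a STUN server" mentioned above, as an added example (not code from anyone in this thread): a minimal RFC 5389 Binding Request/Response codec that learns the public ip:port a NAT assigned to a local UDP port, plus the check that tells a "friendly" NAT (same mapping seen from every STUN server) from one whose mapping is unpredictable. STUN server addresses and the sample response are assumptions constructed for offline use.

```python
import ipaddress
import os
import socket
import struct
MAGIC_COOKIE = 0x2112A442                    # RFC 5389 fixed header value
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid=None):
    """Binding Request: 20-byte STUN header, no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid

def encode_xor_mapped_response(txid, ip, port):
    """Constructed Binding Success Response (what a STUN server would send); for offline testing."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr

def parse_mapped_address(data, txid):
    """Return the (public_ip, public_port) the STUN server observed for our socket."""
    mtype, length, cookie, rtxid = struct.unpack("!HHI12s", data[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or rtxid != txid:
        raise ValueError("not a matching Binding Success Response")
    body, off = data[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)                  # values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and val[1] == 0x01:   # IPv4 family
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", val[4:8])[0] ^ MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def probe(local_port, server, timeout=2.0):
    """Ask one STUN server (host, port) how local_port looks from outside. Bind it
    before WireGuard takes the port, or probe a spare port to characterise the NAT."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", local_port))
        s.settimeout(timeout)
        s.sendto(req, server)
        data, _ = s.recvfrom(1024)
    return parse_mapped_address(data, txid)

def mapping_is_endpoint_independent(mappings):
    """True when every STUN server saw the same public ip:port for one local socket:
    the friendly-NAT case where that ip:port can be published to a peer as its Endpoint."""
    return len(set(mappings)) == 1
```

A NAT that returns a different port per destination fails the check, and the published Endpoint will not be reachable, which is the case where a relay is needed instead.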
> Wireguard can't punch through NATs or firewalls without third party software like Tailscale.
That's a false or incorrect statement. I've been using Wireguard and a cheap VPS (actually free on OCI) for several years, and with a cheap VPS at AWS Lightsail before that. No third party software in use at all. The only thing running on the VPS is Wireguard. The only thing running on my peers is Wireguard.
> Also I'm pretty sure each peer to peer connection needs to be individually set up in a config file ahead of time
That's how I do it but there are tools available to make it easy.
Folks have solved these problems and open sourced solutions: https://github.com/tonarino/innernet
But all that I've seen are still centralized/federated
(I help maintain innernet)
We have _some_ NAT traversal logic in place, but it's very basic. Tailscale does a much more thorough job on it. It would be cool to add peer relays to innernet but I imagine it's a fair amount of work.
From what I recall, tailscale has their own Wireguard implementation so they have more control over the socket and how things are routed. innernet is just a wrapper around managing wireguard peer lists, and yeah there's a central coordination server which is unfortunate. If the server goes down, you can still connect to peers so thankfully it doesn't bring down your whole network, but you won't be able to learn about new peers or peer endpoints over time until you re-establish connectivity with the coordination server.
My netgear pr460x supports WireGuard with NAT & firewall; granted it’s not a consumer router.
Neither can tinc.
Last I checked, tinc supported NAT port punching natively.
As far as I’m aware, that works the same as things like tailscale is doing, where you need at least one node that is publicly reachable to facilitate.
Correct. This is not something Wireguard does, which was the original comparison.
tinc: One public node, thousands of private nodes, with NAT punching. That's fine and typical in my experience.
Which is a much smaller requirement than needing extra software on every NATed node.
So yes it is a differentiated thing between wireguard and tinc, as you phrased it in your other comment.
... because it's a problem with NAT and not with the protocol.
Yes. I’m replying to a comment thread debating WireGuard vs tinc where someone said that WireGuard couldn’t, as if it was a differentiated thing between them.
A $2.5/month vps solves this issue.
Yes. Only use it as a rendezvous server for publishing port numbers and establishing direct connections. Do not use it for passing traffic.
It does not. I push hundreds of TB across my private mesh.
When networks get used for unethical or criminal workloads, reliability problems aren’t the tooling's fault. A tiny VPS does the job fine for the rest of us.
What are you talking about? Nothing I am pushing across my mesh is unethical or criminal, from whence these baseless accusations?
I assume the GP assumed that it was pirated media material.
Hundreds of TB over what timeframe? It does seem like quite a bit of data.