by tcas 2326 days ago
Do you set up nginx or haproxy as a reverse proxy to the wireguard network, or something else? Been wondering if there's an easy way to expose an internal service like that. TCP seems easy, but UDP seems much more problematic.

Check out https://tailscale.com/, a mesh VPN built on top of WireGuard.
I just learned about tailscale today on twitter. Here's the tweet from the founder https://twitter.com/davidcrawshaw/status/1222203472461926401...

Looks really promising

It does look very nice. It's a shame that it depends on third parties for authentication, and that they have gems like this in their documentation:

> No app-level integration or reconfiguration is required, because security is built into the network itself. If you configure your network to require Tailscale, every one of your internal services will be subject to multi-factor authentication.

Which is simply not true. I've had 2FA for my Cisco AnyConnect VPN for years. That does not mean my applications I access through the VPN are now magically subject to MFA.

Maybe in time this may end up being viable for me, and maybe it already is for other people. For now, I'd rather my VPN didn't depend on Google, Microsoft, Okta, etc.

The idea of a vulnerability in any app I run having access to all my things is quite scary. Status quo is that they at least have to reach the file storing browser cookies before they "become me"; the way Tailscale is talking about their system sounds like fewer barriers.
> That does not mean my applications I access through the VPN are now magically subject to MFA.

Why not? Doesn't the VPN authenticate you via VPN before you can access the apps?

Network authentication is not the same as application authentication.

If I plug a cable into your LAN, I am not subject to MFA to login to a server on your LAN.

If you have a lock on the network port that requires me to type in a PIN code and stick in a key to unlock, and expose the port, that then results in MFA to connect to your network. Your applications behind your network remain without MFA.

MFA VPN is essentially the same thing as the above, but for remote access to the LAN. Applications should still be properly secured.

I suppose it could be argued that this provides a client-side agent to authenticate the end user as well (mumble mumble 802.1x), and if so, then it's arguable whether or not you need another layer of authentication on the application, or if this qualifies as SSO to authenticate you to everything you have access to in the network (so passwordless login to servers, desktops, webapps, etc)

Another example of a product that looks interesting, but the folks responsible for marketing it make it a pain in the arse.

This looks like it solves a problem I have. Looks like it might be a commercial product (mentions of Okta and "get started for free"), but I can't find out any more information without signing up which I don't want to do if it doesn't support the configuration I want or is more expensive than my budget for such things.

I don't think there are "folks responsible for marketing". They aren't ready for crotchety customers. They have no funding. https://www.crunchbase.com/organization/tailscale

They want early adopters (their friends) to play with their prototype, and they don't want to commit to pricing and long term support before they know what they can build and if it will work and how much it costs.

How does this thing even work? Do they host the gateways for you, do the authentication at the start of VPN sessions and generate the WireGuard keys for you? So you simply need to connect your networks hosting services and such to their gateways?
I'm doing something similar with a random VPS provider, using some NAT rules to forward selected ports across the VPN interface. If there's interest, I could write up a more detailed explanation.
If you've followed the standard / generic WireGuard configuration, then 'client' peers are all able to route to each other via the server on their WireGuard-local peer IPs.
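As an added example that is not part of the original thread or the commenter's own setup, here is a sketch of the "VPS as WireGuard hub with a few NAT-forwarded ports" arrangement described above, written as a shell script that generates the hub's wg0.conf and an nftables ruleset. The tunnel subnet 10.66.0.0/24, the interface names, the two forwarded ports and the key placeholders are all assumptions. It also answers the UDP question at the top of the thread: DNAT is the same rule for UDP as for TCP, since conntrack tracks UDP flows well enough for the reply path and the masquerade to work.

```shell
#!/bin/sh
# Added example (not the commenter's actual setup): a WireGuard "hub" on a VPS
# that exposes a few chosen ports from the public interface to internal peers,
# including UDP. Subnet, interface names, ports and key placeholders are assumed.
set -eu

PUB_IF="eth0"                 # assumed public NIC on the VPS
WG_IF="wg0"
WG_NET="10.66.0.0/24"         # assumed tunnel subnet
HUB_ADDR="10.66.0.1/24"
# proto:public_port:peer_tunnel_ip:peer_port -- only these are reachable from
# outside; everything else on the tunnel stays private.
FORWARDS="tcp:8443:10.66.0.2:443 udp:5000:10.66.0.3:5000"

split_fwd() {              # sets proto pport pip pdport from one FORWARDS entry
    proto=${1%%:*}; rest=${1#*:}
    pport=${rest%%:*}; rest=${rest#*:}
    pip=${rest%%:*}; pdport=${rest#*:}
}

write_nft_rules() {        # $1 = output directory; writes $1/forward.nft
    out="$1/forward.nft"
    {
        printf 'table inet wghub {\n'
        printf '  chain prerouting {\n    type nat hook prerouting priority dstnat; policy accept;\n'
        for e in $FORWARDS; do
            split_fwd "$e"
            printf '    iifname "%s" %s dport %s dnat ip to %s:%s\n' "$PUB_IF" "$proto" "$pport" "$pip" "$pdport"
        done
        printf '  }\n'
        # Internal peers usually route only the tunnel subnet through the hub, so
        # replies to Internet clients would otherwise leave via the peer's own
        # uplink. Masquerading makes the peer answer to the hub's tunnel address.
        printf '  chain postrouting {\n    type nat hook postrouting priority srcnat; policy accept;\n'
        printf '    oifname "%s" ip daddr %s masquerade\n  }\n' "$WG_IF" "$WG_NET"
        # Default-drop forward chain: only DNAT-ed flows coming from the public
        # NIC and peer-to-peer traffic inside the tunnel are allowed through.
        printf '  chain forward {\n    type filter hook forward priority filter; policy drop;\n'
        printf '    ct state established,related accept\n'
        printf '    iifname "%s" oifname "%s" ct status dnat accept\n' "$PUB_IF" "$WG_IF"
        printf '    iifname "%s" oifname "%s" accept\n  }\n}\n' "$WG_IF" "$WG_IF"
    } > "$out"
    echo "$out"
}

write_wg_conf() {          # $1 = output directory; writes $1/wg0.conf
    out="$1/$WG_IF.conf"
    cat > "$out" <<EOF
[Interface]
Address = $HUB_ADDR
ListenPort = 51820
PrivateKey = REPLACE_WITH_OUTPUT_OF_wg_genkey
# Forwarding and NAT are tied to the interface lifecycle so they never outlive wg0.
PostUp = sysctl -w net.ipv4.ip_forward=1; nft -f $1/forward.nft
PostDown = nft delete table inet wghub

# One [Peer] per internal host. AllowedIPs is a /32 so the hub only accepts
# (and routes) that peer's own tunnel address: a peer cannot spoof another.
[Peer]
PublicKey = REPLACE_WITH_PUBLIC_KEY_OF_10.66.0.2
AllowedIPs = 10.66.0.2/32

[Peer]
PublicKey = REPLACE_WITH_PUBLIC_KEY_OF_10.66.0.3
AllowedIPs = 10.66.0.3/32
EOF
    echo "$out"
}

OUT_DIR="${WG_OUT_DIR:-$(mktemp -d)}"
write_wg_conf "$OUT_DIR" >/dev/null
write_nft_rules "$OUT_DIR" >/dev/null
echo "wrote $OUT_DIR/$WG_IF.conf and $OUT_DIR/forward.nft"
```

Fill in the keys, copy the two files to /etc/wireguard/ on the VPS and bring the interface up with wg-quick. NAT in an inet-family table needs a reasonably recent kernel (5.2 or later). For the peer-to-peer routing the comment describes, each internal peer lists the hub as its only [Peer] with AllowedIPs = 10.66.0.0/24, so traffic for any other tunnel address goes to the hub and the forward chain's wg0-to-wg0 rule lets it through.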
Traefik.

Recently they started supporting TCP, so now I do both HTTP for websites and TCP for databases.

If you need any help, let me know at hn@sdan.cc. I'm going to write a couple blog posts documenting how to do this (because it took me a full brain-wrecking week to figure out how to do this properly).

WireGuard for networking and Traefik for loadbalancing is so easy to do (if you do it correctly).

> because it took me a full brain-wrecking week to figure out how to do this properly

I would appreciate a guide as well, really for anything WireGuard-adjacent. I tried to get a simple client / server configuration with forwarding set up about 2 months ago and gave up after 5 hours of blood, sweat, and tears. Disclaimer: the server was an OPNsense-based router. I probably could have done it between two Linux servers from the terminal. I was using a guide I found online, but it didn't help, which may have been due to using OPNsense, I'm not sure.

OpenVPN may be more complicated in theory, but one really nice thing about it is that there are tools that make setting up a configuration trivial on just about any device that supports it. Not true for Wireguard (yet). I'm sure it will get there eventually.

While waiting for your interesting blog post, I have a few questions if you don't mind :-) :

So your setup is:

* GCP instance (i.e. VM on the Google infrastructure).
  - Traefik running on this instance.

* GCP instance connected to WireGuard => Is WireGuard run on a router/firewall, or directly on the DB and HTTP servers? If a router, it would be interesting to know which type of router.

* Behind WireGuard: two servers (DB and HTTP) + laptop.

* You SSH to the two servers (directly or via the GCP instance?)

Thanks! :-)

I would love to see a blog post on this.
Are you using TLS over TCP to route to the DBs?
I think I was doing TLS at one point, but removed it temporarily in an effort to focus on other infrastructure stuff.
Just checked and I'm doing TLS. You can easily do this with Traefik (which I will include in my upcoming post).
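As an added example, not the commenter's configuration and not code from the Traefik project, here is the "Traefik on the public instance, databases on WireGuard peers, TLS all the way to the DB" arrangement from the Traefik comments above and this last exchange, written as a shell script that generates Traefik's static and dynamic configuration. The hostnames, the tunnel addresses (hub 10.66.0.1, databases at 10.66.0.2 and 10.66.0.3) and the ports are assumptions. The TCP routers use TLS passthrough, so Traefik only reads the SNI and the database terminates TLS and authenticates the client itself; and the database entrypoint is bound to the hub's tunnel address rather than 0.0.0.0, so only WireGuard peers (such as the laptop in the setup above) can reach it.

```shell
#!/bin/sh
# Added example (not the commenter's configuration): Traefik on the hub routing
# TCP connections over WireGuard to databases on tunnel peers, with TLS
# passthrough so each database terminates TLS itself. Hostnames, tunnel
# addresses and ports are assumed.
set -eu

WG_SELF="10.66.0.1"          # assumed: Traefik's own tunnel address on the hub
# sni:backend_tunnel_ip:backend_port -- one TCP router per database
DB_ROUTES="pg.example.internal:10.66.0.2:5432 mysql.example.internal:10.66.0.3:3306"

split_route() { sni=${1%%:*}; rest=${1#*:}; bip=${rest%%:*}; bport=${rest#*:}; }

write_traefik_static() {   # $1 = output directory; writes $1/traefik.yml
    cat > "$1/traefik.yml" <<EOF
entryPoints:
  websecure:
    address: ":443"                 # public HTTPS for the websites
  db:
    address: "$WG_SELF:5432"        # tunnel-only: hosts on the Internet cannot reach it
providers:
  file:
    filename: $1/dynamic.yml
    watch: true
EOF
    echo "$1/traefik.yml"
}

write_traefik_dynamic() {  # $1 = output directory; writes $1/dynamic.yml
    out="$1/dynamic.yml"
    {
        printf 'tcp:\n  routers:\n'
        for r in $DB_ROUTES; do
            split_route "$r"; name=$(printf '%s' "$sni" | tr . -)
            # HostSNI only matches when the client opens with a TLS ClientHello
            # carrying that name; passthrough hands the raw TLS stream to the DB,
            # so Traefik never holds the database's key or sees plaintext.
            printf '    %s:\n      entryPoints: ["db"]\n' "$name"
            printf '      rule: "HostSNI(`%s`)"\n' "$sni"
            printf '      tls:\n        passthrough: true\n      service: %s\n' "$name"
        done
        printf '  services:\n'
        for r in $DB_ROUTES; do
            split_route "$r"; name=$(printf '%s' "$sni" | tr . -)
            printf '    %s:\n      loadBalancer:\n        servers:\n          - address: "%s:%s"\n' \
                "$name" "$bip" "$bport"
        done
    } > "$out"
    echo "$out"
}

OUT_DIR="${TRAEFIK_OUT_DIR:-$(mktemp -d)}"
write_traefik_static "$OUT_DIR" >/dev/null
write_traefik_dynamic "$OUT_DIR" >/dev/null
echo "wrote $OUT_DIR/traefik.yml and $OUT_DIR/dynamic.yml"
```

Two caveats a practitioner should check before copying this. First, SNI routing only works when the client speaks TLS from the first byte; a database client that negotiates TLS in-band after a plaintext handshake never sends a ClientHello Traefik can match, and for those you need a non-TLS TCP router with the catch-all rule HostSNI(`*`) on its own dedicated entrypoint. Second, if you do move the db entrypoint to a public address, Traefik becomes an Internet-facing front door to the database: WireGuard then protects only the Traefik-to-DB hop, and the database's own authentication is the whole boundary, which is exactly the network-versus-application authentication point argued earlier in this thread.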