Hacker News new | ask | show | jobs
by gunapologist99 1632 days ago
This is great! Can you also compare to Headscale and Zerotier?

How do you handle NAT compared to these other options? I've run into issues with WireGuard when both sides are behind residential NATs (or AWS EC2 IGW); as you know, Nebula solves this with "lighthouse" servers (which are self-hosted but externally accessible), and Tailscale uses its third-party intro devices.

Do the Gravitl servers have to always listen on an exposed port?
1 comments
afeiszli 1632 days ago
It is way, way faster than Zerotier. Headscale I am less familiar with, and they do make Tailscale self-hostable, but they're a community-driven project I'm not sure how reliable it'll be long term (can't speak for the author).

On the NAT side, we provide 3 layers of traversal options:

#1 (default) port forwarding: This actually works in a surprisingly well, for about 90% of environments, but does require an exposed port.

#2 UDP Hole Punching: The server acts similarly to a Nebula "lighthouse" and will tell clients where to reach each other. This covers that small situation of dualing NAT's, and doesn't require the exposed port.

#3 Relay: In situations where neither works such as CGNAT, you can set a public node as a relay to route traffic to the "hidden" node

link
znpy 1632 days ago
> but they're a community-driven project I'm not sure how reliable it'll be long term

Don't take this the wrong way, but subtly/implictly implying that some software is not going to be reliable in the long run because it only has a community behind is low-key FUD.

link
afeiszli 1632 days ago
Nahh you're right, that's not a fair criticism at all, and we rely on tons of community-driven stuff. I only meant that as a differentiator because to some companies, they need to know there's a company behind the project for support purposes or they're not gonna use it (whether or not that's fair of them).
link
easton 1632 days ago
Tailscale has some functionality to automatically determine what flavor of NAT traversal is necessary, this isn’t a big deal but do I have to configure the nodes to use these methods or will your client figure this out itself?
link
afeiszli 1632 days ago
Right now you need to choose your own option. We're planning to automate this in the next couple of months. I will say, this isn't always a bad thing. We have a lot of users who switched from Tailscale because it was frequently falling back to relay, often via public relays that were hundreds of miles away from them, causing big increases in latency. We want to give people the automation, but also the choice.
link
easton 1632 days ago
Good idea! I’ll have to give this a spin, I like the idea of “nebula but wireguard”.
link
gunapologist99 1632 days ago
Awesome, thanks!
link