by gcommer 1094 days ago
Tinc is incredible, it has worked flawlessly for me for 6+ years with exactly 0 maintenance.

As trustworthy as it is, I am sadly on the hunt to replace it. Compared to wireguard, the throughput ain't great, and it takes way too much CPU on my low power nodes. I would pay good money for "tinc, but with wireguard transport" -- there's of course projects purporting to do this but I haven't found one I trust yet.


There's another dead comment saying the same thing, but take a look at Nebula. I set it up over a year ago and haven't really thought about it much since - it just works. The open source version doesn't have any fancy GUIs or anything but it's not very hard to deploy. Covers every OS that you'd probably care about too.

https://github.com/slackhq/nebula

I haven't contributed to tinc in a while and I haven't contributed a transport mechanism, but I do know it is modular and supports more than TUN/TAP (for example PPP) -- so knowing this and having worked with the code-base in general I would be surprised if adding wireguard as a transport was more than a weekend project to get something working (with the drawbacks I mentioned here [0]).

[0] https://news.ycombinator.com/item?id=19304624

I would donate a few beers and pizzas to such an effort.
To be clear, I wasn't volunteering, just encouraging anyone who wanted that outcome to try it; it's probably easier than one might think.
Would Tailscale be an effective replacement for Tinc? It's built on top of Wireguard and works really well.
WebVM runs x86 binaries in WASM on any browser w/ ("[CheerpX:] an x86-to-WebAssembly JIT compiler, a virtual block-based file system, and a Linux syscall emulator") and for external sockets there's Tailscale networking. https://webvm.io/

IIUC that means an SSH (and/or MoSH Mobile Shell) client in a WASM WebVM in a browser tab could connect to a (tailscale (wg)) VPN mesh? (And JupyterLite+WebVM could ssh over an in-browser VPN mesh)

You'd probably need to compile a userspace wireguard implementation with a fork of the WebVM Dockerfile, or is that redundant because tailscale already wg's the sockets?: https://github.com/leaningtech/webvm/blob/main/dockerfiles/d...

Tailscale is using a userspace Go implementation of wireguard, right?
Yes, with the wireguard implementation being very deeply intertwined with the rest of the VPN implementation, sometimes resulting in higher speeds than the in-kernel wireguard implementation.
I recently switched from Tinc to Wireguard (4 machines) due to simpler configuration and better support for road warriors. The transition was quite painless.
When you say 4 machines, do you mean a mesh between 4 machines? And it's not hub-and-spoke? I'm looking for a solution like that but because my portable devices can be anywhere in the world I had to use a hub-and-spoke setup where there is one central VPS that they can all connect through.
You can do a full non-hub mesh with Wireguard if 1) you can find a NAT hole punching method that works (usually can), and 2) you have some means of passing peer information between them, which also means you need to use a means to get at your external IP and port. If you don't have a reliable way of getting the external IP and port for all of them, if one of them supports port forwarding, just a basic dynamic DNS provider to get one of the dynamic external IPs is enough - you can then get the rest by hitting the first one.

Note that "some means" of exchanging data here really is any way of communicating at all. Post an encoded string to a Mastodon server? Send you an e-mail that's automatically picked up?

Also, 3) if you have the energy to write and maintain some stateful thingy that manages the dynamic peer information you need to pass around. And while doable, a hack in bash won't cut it if you want reliability and the occasional introspection when things go wrong.

It's a no for me.

You could try https://nordvpn.com/meshnet/ - it's wireguard, cross platform and meshnet handles everything automatically for you. Also meshnet is free so if you don't want to use vpn you won't have to pay anything.
A hack in whatever language works just fine, and depending on your setup you may not need any hacks at all, e.g. if you have dynamic DNS and port forwarding set up for one of your peers. It's not a beginner option, but it's an option that is simple for most common setups if you know what you're doing.
It's a full mesh with 3 fixed servers and one machine with a dynamic IP. I just configured all peerings in WG instead of Tinc. I don't need Tinc's mesh routing, so WG is sufficient for me.
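The setup described in the last two comments (a full WireGuard mesh where three peers have fixed endpoints and one roams behind NAT) is mechanical enough to generate. The script below is an added example, not code from any commenter or from the WireGuard project; the host names, tunnel addresses and public keys are constructed placeholders (the keys are base64 of repeated bytes, not real Curve25519 keys; generate real ones with `wg genkey | tee priv | wg pubkey`). It emits one wg-quick style config per node: peers with a fixed address get an `Endpoint`, the roaming peer gets none (WireGuard learns its address from its authenticated handshake), and only the roaming node sets `PersistentKeepalive` so its NAT mapping stays open. It also flags the case the earlier comment warns about: two peers that both lack a fixed endpoint cannot reach each other with WireGuard alone and need hole punching plus an out-of-band endpoint exchange.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def placeholder_pubkey(tag: int) -> str:
    """Constructed 44-char base64 string shaped like a WireGuard key. NOT a real key."""
    return base64.b64encode(bytes([tag]) * 32).decode()


@dataclass
class Peer:
    name: str
    pubkey: str
    tunnel_ip: str                   # address inside the mesh, e.g. 10.44.0.1
    endpoint: Optional[str] = None   # "host:port" if reachable at a fixed address
    listen_port: int = 51820


# Assumed topology: three fixed servers plus one roaming laptop behind NAT.
# Host names and addresses are constructed for the example.
MESH: Dict[str, Peer] = {
    "alpha":   Peer("alpha",   placeholder_pubkey(1), "10.44.0.1", "alpha.example.net:51820"),
    "bravo":   Peer("bravo",   placeholder_pubkey(2), "10.44.0.2", "bravo.example.net:51820"),
    "charlie": Peer("charlie", placeholder_pubkey(3), "10.44.0.3", "charlie.example.net:51820"),
    "delta":   Peer("delta",   placeholder_pubkey(4), "10.44.0.4", None),  # roaming, no fixed IP
}

KEEPALIVE_SECONDS = 25  # common choice to keep a NAT mapping open for the roaming side


def unreachable_pairs(mesh: Dict[str, Peer]) -> List[Tuple[str, str]]:
    """Pairs where neither side has a fixed endpoint.

    Plain WireGuard cannot connect these: each side waits for the other to
    initiate. They need NAT hole punching and some channel to exchange the
    learned external ip:port, which is what the thread calls 'some means'.
    """
    dynamic = sorted(n for n, p in mesh.items() if p.endpoint is None)
    return [(a, b) for i, a in enumerate(dynamic) for b in dynamic[i + 1:]]


def build_config(node: str, mesh: Dict[str, Peer]) -> str:
    """Return the wg-quick configuration for `node` peering with every other node."""
    me = mesh[node]
    lines = [
        "[Interface]",
        f"Address = {me.tunnel_ip}/24",
        f"ListenPort = {me.listen_port}",
        f"PrivateKey = <output of 'wg genkey' for {node}>",
        "",
    ]
    for other in sorted(mesh):
        if other == node:
            continue
        p = mesh[other]
        lines += [
            "[Peer]",
            f"# {other}",
            f"PublicKey = {p.pubkey}",
            f"AllowedIPs = {p.tunnel_ip}/32",   # full mesh: only that peer's own address
        ]
        if p.endpoint is not None:
            lines.append(f"Endpoint = {p.endpoint}")
            if me.endpoint is None:
                # Only the roaming node keeps the NAT mapping warm; fixed
                # servers never need to initiate towards it.
                lines.append(f"PersistentKeepalive = {KEEPALIVE_SECONDS}")
        # A roaming peer gets no Endpoint line: WireGuard updates it from the
        # source address of that peer's next authenticated handshake.
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for pair in unreachable_pairs(MESH):
        print(f"warning: {pair[0]} and {pair[1]} both lack a fixed endpoint")
    for name in MESH:
        print(f"===== {name}.conf =====")
        print(build_config(name, MESH))
```

Running it prints four configs; `delta.conf` carries three `Endpoint` lines with keepalives, while `alpha.conf` lists `delta` with only its public key and `AllowedIPs`. Adding a second endpoint-less peer makes `unreachable_pairs` return that pair, which is exactly where the bash-hack-versus-real-controller argument above starts.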
You should give nebula a try. I've recently switched my private VPN setup from wireguard to nebula and am looking into using it for work. It has some really nice features (for our use case), so ymmv. But so far it's been fantastic and very easy to use.

https://github.com/slackhq/nebula