technology

23218 readers

2 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.

founded 5 years ago

MODERATORS

Jadzia_Dax@hexbear.net

blashork@hexbear.net

context@hexbear.net

EmmaGoldman@hexbear.net

SexUnderSocialism@hexbear.net

gaycomputeruser@hexbear.net

ZoomeristLeninist@hexbear.net

Do you use a mesh VPN? (hexbear.net)

submitted 1 year ago* (last edited 1 year ago) by wheresmysurplusvalue@hexbear.net to c/technology@hexbear.net

16 comments fedilink hide all child comments

Recently I've been reading a lot about the topic of mesh VPNs (tinc, Nebula, Tailscale, ZeroTier, Netmaker, Netbird, etc) and find them pretty interesting. Is anyone here using these in some capacity at home or maybe at work?

My problem so far is that many of the options seem to be aimed at corporate use, understandably, so the developers can earn enough to keep doing it. This means the focus is on a centralized control plane, one server which knows everything about the entire network and manages firewall rules for all of it.

This is why I'm leaning towards Nebula, since I think the decentralized design just makes more sense. There is some centralization for issuing certs though. How do I go about setting up PKI? Is there some open source solution for managing certificates and automatically renewing them?

There's also the option of using vanilla WireGuard. This is my current setup, but I really like the idea of meshing, since it means I don't need to care if my devices are physically on the same network or not, the best connection will be used. Basically the layer of abstraction is a nice convenience that lets me think about hosts or services independently of the physical network topology.

I'm interested to hear your thoughts on this topic! What's your setup like and what do you use it for?

you are viewing a single comment's thread
view the rest of the comments

[–] wheresmysurplusvalue@hexbear.net 3 points 1 year ago* (last edited 1 year ago) (1 children)

Just wrote up my use case here

These certificates are custom certificates generated for Nebula clients, I don't think Let's Encrypt can issue them. In this case I have a trusted machine at home which acts as a CA and signs certificates for all other hosts on the network. The certificate is used to authenticate the host, and also can include custom attributes to be used in firewall rules. So the problem I'd need to solve is keeping track of certificate expiry and renewing the certificates, or issuing new certificates when I add new attributes to a set of hosts.

[–] drinkinglakewater@hexbear.net 2 points 1 year ago* (last edited 1 year ago) (2 children)

Their docs don't mention anything unique for their pki certs so it seems like Let's Encrypt should work. They also mention rotating certs in this guide so you can definitely automate some part of that

[–] wheresmysurplusvalue@hexbear.net 2 points 1 year ago

That sounds cool, I will definitely do some reading. Thanks!

[–] wheresmysurplusvalue@hexbear.net 2 points 1 year ago* (last edited 1 year ago) (1 children)

Ah, yeah I recognize the cert rotation page. That docs page doesn't say it, but they do use a custom certificate, described a little bit here:

Nebula have implemented their own certificate structure. It’s similar to an x509 “TLS Certificate” (like you’d use to access an HTTPS website, or to establish an OpenVPN connection), but has a few custom fields.

I think Let's Encrypt issues certs for validating that you own a (public) domain name, but for my use, these certs aren't associated to a domain name, just a machine not accessible to the public internet. I'll do some research to see if I can self host something that would allow other hosts to request a renewed cert automatically.

[–] drinkinglakewater@hexbear.net 2 points 1 year ago

Ahh that's a bummer, not sure why they wouldn't put that in their doc page