VPNCloud: Open-source peer-to-peer VPN written in rust
vpncloud.ddswd.de
Basically a re-invention of the early 2000's Hamachi app? I think I might have used Hamachi once or twice to play a network version of Age of Empires over the internet long before this was a standard function in games :)
I just Ducked for Hamachi VPN and it still exists, see https://vpn.net
I believe Hamachi was mainly a level 2 VPN, perfect for transporting IPX, which was really mainstream for LAN games of the 90s.
This seems to handle layer 2/3 since they mention support for TUN/Tap interfaces, but I guess 99% of people will just create IP tunnels, layer 2 is not the hot thing anymore.
Also, Hamachi was not decentralized from what I remember.
What is presented here reminds me a lot of n2n.
Some other apps in this category can also do layer 2, like tinc. It does layer 3 by default but you can switch it.
What would you use for layer 2 transport today (specifically for playing old games)?
LogMeIn owned
Is that a bad thing?
Yeah; they slowly de-feature and increase the price of everything they acquire.
This looks like the much older Tinc VPN (https://www.tinc-vpn.org), but in Rust.
It would be great to have a comparison between the two. I've been using Tinc for many years; it's been working quite well, but about once a year I get a segfault (and then it gets restarted). It might be appealing to reduce the chances of that via Rust.
One commonality I found is that both are single-threaded.
I believe I've also heard of the idea of a future version of Tinc potentially using Wireguard as the underlying transport, and building its meshing on top of it. I wonder if that's on the table for VPNCloud as well.
Yes I use tinc too. The only problem I have with it is that it's not very performant. For example video streaming through it always causes hiccups.
There's other options I've looked at too: Zerotier (discounted it because it uses cloud-based configuration that's hard to self-host). And Nebula. The latter I still have to try.
I have an added requirement of needing a mobile client too (which tinc now has) so I don't think VPNCloud will work for me :(
> For example video streaming through it always causes hiccups.
This sounds weird to me. Either there are enough resources available to sustain the bandwidth requirements or not. This changes with time and usage of the machine, but just as it does without tinc. Depending on the hardware used it should not be too hard to stream common videos with something like 20mbit at max...
However, I just wanted to say; maybe you had MTU issues?
It's possible that a future version of tinc could use WireGuard as the data plane, but it comes with a few drawbacks. See comment on this very thing: [0]
I think there is an inaccuracy in that comment. Double check this: WireGuard encapsulates L3 IP packets, not L2 Ethernet frames. This means ARP is handled locally instead of being transmitted over the wire (or the need for an ARP responder).
You are right, I wrote it backwards -- WireGuard supports only IP packets, not Ethernet frames, while tinc supports both. The example that I gave why Ethernet frames are more useful is correct, just the factual part is reversed.
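As an added example (not code from VpnCloud, tinc or WireGuard; the frame bytes, peer table and function names are constructed for illustration), the Rust sketch below shows the distinction the two comments above are about. A layer-2 tunnel forwards the whole Ethernet frame, ARP requests, broadcasts and non-IP protocols included. A layer-3 tunnel strips the Ethernet header and carries only IP packets, so ARP never crosses the wire; if such a tunnel is fronting a TAP device, something local has to answer "who has 10.0.0.42?" for the tunnel peers, which is the ARP responder mentioned above. A TUN device avoids even that, because the kernel never generates ARP for a point-to-point interface.

```rust
const ETHERTYPE_IPV4: u16 = 0x0800;
const ETHERTYPE_ARP: u16 = 0x0806;
const ETHERTYPE_IPV6: u16 = 0x86dd;
const ARP_REQUEST: u16 = 1;
const ARP_REPLY: u16 = 2;

#[derive(Clone, Copy)]
enum TunnelMode { Layer2, Layer3 }

#[derive(Debug, PartialEq)]
enum Action {
    SendFrame(Vec<u8>),  // whole Ethernet frame crosses the tunnel (layer 2)
    SendPacket(Vec<u8>), // IP packet only, Ethernet header stripped (layer 3)
    LocalReply(Vec<u8>), // answered on the local segment, never sent to peers
    Drop,
}

/// Tunnel IPs the local responder answers for, and the MAC it claims for each.
/// Constructed for the example; a real daemon would learn these from its peer list.
struct ArpTable { entries: Vec<([u8; 4], [u8; 6])> }

fn be16(b: &[u8]) -> u16 { u16::from_be_bytes([b[0], b[1]]) }

/// Decide what to do with one frame read from a TAP interface.
fn handle_frame(frame: &[u8], mode: TunnelMode, arp: &ArpTable) -> Action {
    if frame.len() < 14 { return Action::Drop; }
    let ethertype = be16(&frame[12..14]);
    match mode {
        // Layer 2: ARP, broadcast, IPX, anything goes over the wire untouched.
        TunnelMode::Layer2 => Action::SendFrame(frame.to_vec()),
        TunnelMode::Layer3 => match ethertype {
            ETHERTYPE_IPV4 | ETHERTYPE_IPV6 => Action::SendPacket(frame[14..].to_vec()),
            ETHERTYPE_ARP => arp_reply(frame, arp).map_or(Action::Drop, Action::LocalReply),
            _ => Action::Drop, // no link layer across the tunnel: non-IP protocols cannot be carried
        },
    }
}

/// Local ARP responder: build a reply for a request targeting a known tunnel IP.
fn arp_reply(frame: &[u8], arp: &ArpTable) -> Option<Vec<u8>> {
    if frame.len() < 42 || be16(&frame[20..22]) != ARP_REQUEST { return None; }
    // Ethernet/IPv4 ARP only: htype 1, ptype 0x0800, hlen 6, plen 4
    if be16(&frame[14..16]) != 1 || be16(&frame[16..18]) != ETHERTYPE_IPV4
        || frame[18] != 6 || frame[19] != 4 { return None; }
    let target_ip = [frame[38], frame[39], frame[40], frame[41]];
    let (_, mac) = arp.entries.iter().find(|(ip, _)| *ip == target_ip)?;
    let mut reply = Vec::with_capacity(42);
    reply.extend_from_slice(&frame[6..12]);  // Ethernet dst = requester's MAC
    reply.extend_from_slice(mac);            // Ethernet src = MAC we answer with
    reply.extend_from_slice(&ETHERTYPE_ARP.to_be_bytes());
    reply.extend_from_slice(&frame[14..20]); // htype, ptype, hlen, plen unchanged
    reply.extend_from_slice(&ARP_REPLY.to_be_bytes());
    reply.extend_from_slice(mac);            // sender hardware address
    reply.extend_from_slice(&target_ip);     // sender protocol address
    reply.extend_from_slice(&frame[22..28]); // target hardware address = requester's MAC
    reply.extend_from_slice(&frame[28..32]); // target protocol address = requester's IP
    Some(reply)
}

/// Helpers to construct test frames (constructed input, not captured traffic).
fn ethernet(dst: [u8; 6], src: [u8; 6], ethertype: u16, payload: &[u8]) -> Vec<u8> {
    let mut f = Vec::new();
    f.extend_from_slice(&dst);
    f.extend_from_slice(&src);
    f.extend_from_slice(&ethertype.to_be_bytes());
    f.extend_from_slice(payload);
    f
}

fn arp_request(sender_mac: [u8; 6], sender_ip: [u8; 4], target_ip: [u8; 4]) -> Vec<u8> {
    let mut p = Vec::new();
    p.extend_from_slice(&[0, 1, 0x08, 0x00, 6, 4, 0, 1]); // htype, ptype, hlen, plen, oper=request
    p.extend_from_slice(&sender_mac);
    p.extend_from_slice(&sender_ip);
    p.extend_from_slice(&[0; 6]); // target MAC unknown
    p.extend_from_slice(&target_ip);
    ethernet([0xff; 6], sender_mac, ETHERTYPE_ARP, &p) // broadcast
}

fn main() {
    let table = ArpTable { entries: vec![([10, 0, 0, 42], [0x02, 0, 0, 0, 0, 0x2a])] };
    let req = arp_request([0x02, 0, 0, 0, 0, 0x01], [10, 0, 0, 1], [10, 0, 0, 42]);
    println!("layer 2: {:?}", handle_frame(&req, TunnelMode::Layer2, &table));
    println!("layer 3: {:?}", handle_frame(&req, TunnelMode::Layer3, &table));
}
```

The Layer3 arm is also where the IPX point from earlier in the thread lands: an IPX frame (EtherType 0x8137) is dropped by a layer-3 tunnel because there is nothing to put it in, while the Layer2 arm forwards it like anything else.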
IMO tinc is really awesome. I've been using it for years to connect my servers, laptops and desktops into a VPN.
Including my RPI (running PiHole in my LAN) into the tinc VPN gave me an easy way to access my home network from anywhere in the world. One of my dedicated servers would automatically take care of routing the traffic and I can just `ssh foo@10.0.0.42` to connect to the RPI and be inside my home network.
IIRC tinc implements some tricks like TCP/UDP hole punching. So best case I end up with an actual p2p connection between my remote device and home network after connecting via tinc.
Tinc is even more awesome than that -- if you are using it on the same LAN as other nodes on the VPN it will try to make sure traffic between those nodes stays on the same LAN (it has a special broadcast beacon it sends out to find these).
It ALSO supports arbitrary commands for connecting, like ProxyCommand in OpenSSH so you can proxy through any kind of thing manually if you need to.
Tinc is really awesome !
IIRC ZeroTier borrowed the NAT hole punching code.
I setup a Wireguard VPN on a Pi and it is very stable, not sure what a P2P VPN would add.
P2P here means it will form a mesh network, which itself means every node in the network (your clients) tries to connect to each other as "directly" as they determine possible by some routing algorithm. This is in contrast to a hub and spoke model for example, where every node will connect to a central hub and communication between nodes needs to pass through that hub.
I guess that would be most useful if you don't have any reliable 24/7 internet connection to install a PiVPN server on...
While that would partially help, I think there are better use cases for this type of setup. It is less about discovering endpoint addresses of peers (you could set up a statically configured mesh network too) and more about moving packets efficiently between peers. It can reduce load, latency and bandwidth requirements all while being more resilient to outages... A full mesh network should still work after any other node/peer fails, making only itself unreachable to others. A mesh network could even be able to reroute packets avoiding the failing paths if possible at all. For example your phone could be connected to your home network and your mobile ISP network, so when your home network loses internet connection peers could still route traffic through your phone's mobile ISP network to other peers in your home network. If you use your VPN to connect home from abroad it is pretty useless though. A mesh network between two computers makes no sense and probably should not be called that. However, just connecting a few sites and some road warriors makes this option quite attractive already.
It feels recently like we're living in a bit of a VPN renaissance. Wireguard, OpenVPN Cloud, ZeroTier, Tailscale, Pritunl, VPNCloud, Nebula.
I've been playing with ZeroTier and liking it quite a lot.
https://github.com/dswd/vpncloud/blob/master/src/crypto/core...
https://github.com/dswd/vpncloud/blob/master/src/crypto/comm...
This implements a novel cryptosystem. Default to not trusting novel cryptosystems until you have sufficient reason to begin believing that they are trustworthy.
Nice to see another one of these tools. Tonari also recently released innernet in this space, written in Rust as well:
There was some discussion on this here: https://news.ycombinator.com/item?id=26628285
This looks great!
The "CIDR" peer grouping is bloody brilliant.
Any advantages to this over https://www.zerotier.com/?
Being p2p and using one PSK seems to make firewalling more difficult. ZeroTier's 'capability-based + tagging' rule engine is pretty amazing in that I can easily allow just one peer to connect on a port.
VPNCloud is Open Source, which is a huge advantage for me.
ZeroTier is also Open Source
No, it is not.
It's only source available: it is licensed under the BSL which is not a free software license. Use of the term open source is not appropriate.
A friend works there and tried to recruit me; I declined because of this sort of fake open source charlatan nonsense.
The software in TFA (VPNCloud) is indeed free software/open source: it is licensed under the GPL, just like Linux.
ZeroTier reverts to Apache after 4 years, and there’s a GPL version from 2019.
So, older versions are indeed open source, and new versions will eventually be so as well.
What’s your objection to the BSL? It seems like a great way to provide ongoing funding to open source, and guarantees popular commercially developed software won’t end up as abandonware.
There are several problems with it. The license prevents me from paying someone other than ZeroTier Inc. to host it for me and provide related services. This is a business risk because ZeroTier Inc may have diverging business needs from me. They may even go bankrupt or be bought out by someone who abandons the product. This would mean I would have to host it myself (until the version I need becomes Open Source), and I may not want to do that.
It also makes it hard for a fork to develop traction, as a fork would have to start at a much older version that is Open Source, or the ecosystem would have to forgo the opportunity for third-party hosting services to support it.
The freedom to fork is an essential freedom. Without it, I would not feel comfortable contributing to the project. Nor would I feel comfortable basing critical business infrastructure on it.
Others may be fine with proprietary source-available software, and that is fine for them, but I strongly prefer Open Source for my needs, especially for core infrastructure.
The downvotes of the parent are unjustified; the license's own text literally says:
> The Business Source License (this document, or the "License") is not an Open Source license.
https://github.com/zerotier/ZeroTierOne/blob/a7f652781faedfb...
It seems like a pretty good license to me. I just can't host it (same as GPLv3), but in a few years it switches to an ever more free license.
Is the concern simply that governments can only use it to help people?
I looked at it also but for me the concern was that all access management and configuration is done via their cloud. So they can easily add nodes to my VPN. This is an absolute dealbreaker for me.
I know I can self-host even that top management layer (I think they called it "earth" or something). but they make that pretty complicated, probably on purpose.
In the end I just wrote it off as something that has goals not aligned with mine. I'm going to look at Nebula (from Slack) soon. I use tinc at the moment but I wish it was more performant.
There's many options in this arena now so there's no point in sticking with something that doesn't completely fit your needs.
> there's no point in sticking with something that doesn't completely fit your needs.
True. The stateless firewall is rather important to me and I haven't found that in anything else (I'll keep an eye on Nebula).
The concern is the same as that with any other software license that restricts the freedoms of the world to build upon, adapt, and use the software for any purpose.
I'm not some free software zealot; I use macOS and the Creative Cloud and a bunch of other proprietary crap on a daily basis. I just don't pretend it respects my freedom. Nonfree licenses are like that.
It's not like it "switches to even more free": it is presently nonfree.
> It's not like it "switches to even more free": it is presently nonfree.
It's free for any use-case I'm concerned with. I can modify the source, self-host it, and run thousands of nodes through it if I want. All I can't do is take their work, slap my name on it, and sell it.
If that was your intent then VPNCloud is even less free. The GPL3 license means you could never host a closed-source version.
That's false. The GPL allows for running a service with a closed source fork.
It's the AGPL that prohibits this, which is why I consider the AGPL nonfree.
Okay, well then replace service with sell device with the code in it, or put any type of DRM on a device using the code.
The point being that any license is going to have some amount of:
> restricts the freedoms of the world to build upon, adapt, and use the software for any purpose.
It's just up to if you like the terms or not.
zerotier runs into problems when two NATs are involved, this claims to not have any problems with that?
I'm running 4 hosts behind 4 different NATs in the same zerotier-virtual-network and never had any issues. By far the easiest way to accomplish connecting different hosts behind different NATs. No config whatsoever required!
Once you have two NATs, you can either try to punch holes (ZeroTier tries that), use UPnP (ZeroTier does - see below) or relay traffic using dedicated machines (ZeroTier does that as fallback). I successfully used ZeroTier to connect multiple devices behind NATs.
VPNCloud seems to only do UDP hole punching and doesn't have the ability to relay via a third party. At least in theory, ZeroTier should handle cases that VPNCloud doesn't.
I think zerotier does UPnP too (read somewhere), though I could not get zerotier to work reliably with 2 NATs. I'll try this and tell if I see any success with this.
> I think zerotier does UPnP too
I think you're correct. Thanks. My information was from an old blog post from 2014 [1] but they seem to have added support since then: https://github.com/zerotier/ZeroTierOne/commit/bf193dd3. Edited my post.
[1] https://www.zerotier.com/2014/08/25/the-state-of-nat-travers...
Having two NATs is really the only case worth mentioning. Considering almost all internet traffic involves at least one NAT, if you can’t handle a single NAT case, you’ve got issues!
I have ZeroTier running behind a variety of different NATs and haven't had any issues at all. It also seems to do a good job of having hosts on the same network talk directly over their private IPs.
Except almost no IPv6 traffic involves a NAT, and a significant chunk of internet traffic is using IPv6.
Hence it's not possible for almost all to involve a NAT, even if all IPv4 traffic would.
Do you mean when one peer is behind multiple layers of NAT? If so that's not a situation I have myself, but I'll keep it in mind.
For regular nodes behind a single NAT I've personally found it worked remarkably well. Maybe I've been lucky on UPnP support with routers or something though.
I haven't experienced that. At home I currently have a Google WiFi in NAT mode behind a Nokia Fiber ONT also in NAT mode (eventually plan to switch to bridging mode after some networking reorganization).
I haven't run into any ZeroTier issues in this config.
I am a happy user of https://tailscale.com which I think solves the same problem
Why do they not support email + password signups?
I'm not super averse to Google SSO but I would not tie my critical infrastructure to it in any way.
This is the reason why I've not used them, it's an instant turn-off needing to use Google SSO
Yes I looked at that one also but it was an insta-dealbreaker for the same reason. There's many options around, luckily. So no need to go for something as compromised as this.
Another dealbreaker for me is hosted configuration and access management. I want to be the only one managing it.
They support GSuite and azure AD it appears. So it is not limited to just gmail. When you pay for GSuite I think it will be a bit less risky than when using their free gmail offering.
Regardless, it would have been nice if you could use your own identity provider.
Tailscale is not Open Source, no?
They are: https://github.com/tailscale/tailscale
A fair bit of the client code is also on the repo. Things like role based access control that require a backing store on tailscale side aren't open.
No, that's only the client.
the client is here https://github.com/tailscale/tailscale
Great to have more Open Source options in this software segment! Some sort of configuration interface would be nice.
Wondering whether there is business opportunity in offering beacons as a service.
It is great, I totally agree. The fact that it's OSS is awesome even if just from a learning standpoint.
Regarding your latter thought, it seems to me that if I'm running a service like this on my servers, I probably don't want to connect to unknown/untrusted peers. Open to use cases where that make sense, though.
[Edit] Just found the documentation on beacons that explains the trust model. So sounds like there is merit to your idea :)
The problem with these kind of things is that now I need to ask around some IPs to connect to, as I see there's no automatic peer discovery. Sounds awesome nonetheless.
What would automatic discovery even do? Add you to some worldwide IP overlay on top of internet? What would be the use of that?
I did have a use case in the past for peer to peer VPNs, mainly because in the 2000s, most hosting companies would only provide you crappy VMs with a single public interface. If you needed some control over the network, subnets, etc, then you would need some kind of overlay. This, added with the fact that you would typically have dozens of heterogeneous boxes at different providers, made maintaining a traditional host to host ipsec full mesh nightmarish. I used n2n (a peer to peer VPN) to reconcile these various internet facing boxes in a single private IP network.
Nowadays, cloud providers are much more evolved, and offer you full configuration of multiple public/private interfaces, so recreating subnets over public facing boxes is not really a concern, which is why IMHO peer to peer VPNs do not serve much purpose in 2021.
https://tailscale.com for instance will show all the peers on the network in the menu bar of the app.
> [..] as I see there's no automatic peer discovery.
Actually there is, but it's not immediately obvious: https://vpncloud.ddswd.de/docs/beacons/
It seems really simple to use as well: the linked implementation in PHP on https://vpncloud.ddswd.de/docs/beacons/php-service/ is only around 80 lines of code and extremely simple, and due to the beacon design it doesn't compromise the security of your setup if anything goes wrong.
Cool! Does this bring any benefits that WireGuard does not?
Yes, wireguard is a point-to-point transport layer. VPNCloud includes a management layer on top of that, and for example deals with NATs, network management etc.
I have heard this before (that wireguard does p2p), but have yet to see any examples of how to run this. Is it theoretical or just not fully implemented...?
I found this: https://github.com/gawen/wirehub but it doesn't look like it's still active.
What platforms does it support? Linux, Mac, Windows?
From github README:
"Help with other platforms: If you are a Rust developer with experience on Windows or MacOS your help on porting VpnCloud to those platforms is very welcome."
Different packages for Linux available... No Mac or Windows support as far as I can see :(
No mobile ones either :(