[HN Gopher] FireZone - Open-source VPN server and firewall
___________________________________________________________________
FireZone - Open-source VPN server and firewall
Author : punnerud
Score  : 204 points
Date   : 2022-05-28 11:15 UTC (11 hours ago)
web link: www.firezone.dev

| matthewmacleod wrote:
| This is very nice and looks like a useful tool.
|
| It's also very much _not_ a "Tailscale Alternative" - it explicitly describes itself as not being "a tool for creating mesh networks", which is the exact thing that Tailscale is all about.
|
| Nebula (https://github.com/slackhq/nebula) is much closer to actually being a fully open-source and self-hostable Tailscale alternative as I understand it, though I've never used it myself.

| 8organicbits wrote:
| How are end user devices supposed to join the mesh in Nebula? Is it really add this collection of files to /etc and run a nebula command on the command line?

| RealStickman_ wrote:
| Yes, you just need those certificate files and a config. All of that could probably be automated for easier deployment.

| dddw wrote:
| With keys that are signed with a CA cert. And they connect to a server that basically checks the validation, but then they can connect in between. I set it up a couple of months ago, I like the implementation, but it seems a bit too slow somehow.

| Zizizizz wrote:
| I've been trying netmaker and it's been very easy to set up. Would recommend giving it a go

| jamilbk wrote:
| Hi everyone!
|
| Firezone CEO here. Someone just clued me into this thread. Unfortunately I'm in and out of Internet service today but I'll do my best to answer questions.
|
| As noted by others, Firezone isn't really aiming to be a mesh networking tool like Tailscale, but more of a classic east-west VPN similar to OpenVPN Access Server. We also expose simple controls for managing egress firewall rules.
|
| We have a big release planned next week to bring OIDC auth and the ability to manage multiple WireGuard networks, plus Docker support and more firewall + multisite features in the pipeline for later this summer.
|
| We have a one-line install script for Linux at our repo if you'd like to give it a whirl! Grateful for any and all feedback.
|
| https://github.com/firezone/firezone

| KennyBlanken wrote:
| > We also expose simple controls for managing egress firewall rules.
|
| Unless user-tracking telemetry is blocked, in which case, apparently your CLI tools stop working?
|
| https://news.ycombinator.com/item?id=31542047
|
| Edit: dunno if that comment was deleted because the author was wrong about their PiHole blocking telemetry causing commands to fail, if they were harassed into deleting it, or what.
|
| I guess I'll give you the benefit of the doubt that there was something else going on with their network that caused commands to fail, but you're still getting side-eye for engaging in telemetry/usage tracking.

| SadTrombone wrote:
| The post you're linking to seems to have been deleted.

| loudthing wrote:
| Thanks for posting. What are the use cases for Firezone exactly? Is the intention to simplify networking configuration in data centers? (as opposed to the zero config nature of Tailscale devices that could be anywhere on the internet?)

| [deleted]

| yewenjie wrote:
| There is an install script for this which is imperative. I wish there was something for NixOS (which would be declarative).

| LoveGracePeace wrote:
| Not going to knock these solutions but at least for Tailscale, if I understand what I read on their web site correctly, I think it's built on Wireguard. I found Wireguard to be easy enough to configure and get working and I'm lazy and cheap.
|
| Since then, I run my web and email servers on an old laptop in my home and the Internet POP is a $3.50 VM plus $1 for a static IP, at AWS Lightsail.
| This works for me but if I needed to connect a disparate office and devices together I might look at Tailscale or one of these packaged solutions, or maybe not.

| lapser wrote:
| It is indeed built on Wireguard, but it is a user space implementation of Wireguard. Maybe that's fine, but kernel space would allow much faster speeds.

| dstanbro wrote:
| you can run netmaker in a lightsail VPS. Similar functionality / UI experience to tailscale but self-hosted

| LoveGracePeace wrote:
| It looks impressive.

| razemio wrote:
| Sadly not open source and their change notes are not yet production ready. Every release something breaks. I switched back to pure wireguard because of this. I also wouldn't call tailscale's and netmaker's UI comparable. Netmaker has far more options. Tailscale tries an Apple approach by hiding almost everything but DNS.

| cassianoleal wrote:
| > Sadly not open source
|
| Just to clarify this take, the source is available on GitHub [0] but licensed under the highly controversial Server Side Public License [1][2].
|
| This license was originally written by MongoDB. They applied to get it recognised as an open source license with the OSI but later withdrew the application as it became clear it wouldn't have been approved.
|
| OSI explained in 2019 [3] why it didn't consider the license to be open source.
|
| [0] https://github.com/gravitl/netmaker
| [1] https://github.com/gravitl/netmaker/blob/master/LICENSE.txt
| [2] https://en.wikipedia.org/wiki/Server_Side_Public_License
| [3] https://opensource.org/node/1099

| dang wrote:
| All: the submitted title ("FireZone - Tailscale Alternative - The Open Source VPN Server and Firewall") broke the site guidelines by editorializing.
|
| "_Please use the original title, unless it is misleading or linkbait; don't editorialize._" - https://news.ycombinator.com/newsguidelines.html
|
| As complaining commenters and the project creator agree, this is not a Tailscale alternative. Please don't do that! This was a case study on how small title perturbations end up dominating entire threads.

| goodguyamercunt wrote:
| On that note, anyone got a way to get wireguard to work like speedify on a Linux client?

| dementik wrote:
| I haven't but I have almost tried Zerotier multipath: https://docs.zerotier.com/zerotier/multipath/
|
| If I understand correctly, it should do something like what speedify does.

| squarefoot wrote:
| How does it compare to BSD based firewalls such as OPNsense and pfSense? They're both great products, but support for ARM and 802.11ac doesn't seem ready yet.

| [deleted]

| loeg wrote:
| @dang Seems like the headline is somewhat editorialized -- can we get "Tailscale Alternative" removed?

| dang wrote:
| Fixed now: https://news.ycombinator.com/item?id=31542122

| loeg wrote:
| Thanks.

| [deleted]

| pvg wrote:
| Email the mods if you want a title fixed, there's no effective @dang-based summoning

| simongray wrote:
| This doesn't really seem to do what Tailscale is doing, which is to create a mesh network with a central beacon node for facilitating handshakes.
|
| I am currently researching this area and have found the following solutions in the mesh VPN space. In order of how locked down the source code is--which also seems to correlate with ease of use--there is Tailscale, ZeroTier, Netmaker, Nebula, and also Innernet (this last one is only mac/linux).

| dstanbro wrote:
| Yeah you can't really use FZ for Tailscale use cases, though maybe OP is just referring to how it uses WireGuard. Netmaker and Innernet are the two Tailscale alternatives which are using WireGuard.
| And in fact, both are much faster than Tailscale because they use Kernel WireGuard. So they'd probably be the best options for "Tailscale Alternative."

| dang wrote:
| The originally submitted title said "Tailscale Alternative" but this appears to have been an error and we've taken it out now. More at https://news.ycombinator.com/item?id=31542122.

| [deleted]

| gz5 wrote:
| another well vetted one is OpenZiti (NetFoundry SaaS products are built on top of OpenZiti). full mesh, although default-closed model instead of default-open model:
|
| https://openziti.github.io/ziti/overview.html

| temp8964 wrote:
| Could any of those be used against China's GFW?
|
| Tailscale could be blocked by the GFW [1]. I guess that's because it uses a central beacon node?
|
| Also they are built on WireGuard, which is not obfuscated, so they can be detected by DPI?
|
| [1] https://forum.tailscale.com/t/does-tailscale-work-in-mainlan...

| gz5 wrote:
| fully self-hosted is usually best, e.g. wireguard. zerotier is close. openziti, especially in cases in which app-specific VPNs help (each session looks like different encrypted apps, and you choose what apps).

| api wrote:
| A ton of people seem to use ZeroTier in China. It's harder to block since you can self-host everything, which many in China do.

| simongray wrote:
| I have actually lived in China for 2 years and travelled there for maybe 6 months in total in addition to that. I've always just used a traditional, commercial VPN service such as ExpressVPN. In theory, those can also easily be blocked, but in my experience it rarely happens in practice.
|
| The main issue with living in China is the fact that the connections to the outside world are so clogged that using something like Youtube is often so slow that it's not even worth trying; that was the case in the Beijing area between 2016-2018 at least.
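Editor's added example, illustrating temp8964's DPI question above: WireGuard does not disguise its wire format, so a middlebox can recognise it from nothing more than the first four bytes of each UDP datagram and the datagram's length. The classifier below encodes those fixed framing rules (a one-byte message type 1..4, three reserved zero bytes, and the fixed sizes 148 / 92 / 64 bytes for the three handshake messages, with data messages being at least 32 bytes and a multiple of 16). This is not code from the thread or from Firezone, Tailscale, Netmaker or any other project named here; the packets at the bottom are constructed for the demo (zero-filled bodies with a valid header shape), not real captures, and the index value is an arbitrary placeholder.

```python
"""Fingerprint WireGuard traffic from its fixed UDP message framing.

Added example for this thread; not code from any project discussed above.
The sample packets are constructed here: valid header shape, zero-filled body.
"""
import struct

# Message types and sizes taken from the WireGuard protocol description.
HANDSHAKE_INITIATION = 1   # always 148 bytes on the wire
HANDSHAKE_RESPONSE = 2     # always 92 bytes
COOKIE_REPLY = 3           # always 64 bytes
TRANSPORT_DATA = 4         # 16-byte header + AEAD ciphertext (padded to 16) + 16-byte tag

FIXED_LENGTHS = {HANDSHAKE_INITIATION: 148, HANDSHAKE_RESPONSE: 92, COOKIE_REPLY: 64}
NAMES = {
    HANDSHAKE_INITIATION: "handshake-initiation",
    HANDSHAKE_RESPONSE: "handshake-response",
    COOKIE_REPLY: "cookie-reply",
    TRANSPORT_DATA: "transport-data",
}


def classify(payload: bytes):
    """Name the WireGuard message a UDP payload looks like, or None if it does not fit."""
    if len(payload) < 4:
        return None
    msg_type = payload[0]
    # The three bytes after the type are reserved and always zero; anything else is not WireGuard.
    if payload[1:4] != b"\x00\x00\x00":
        return None
    if msg_type in FIXED_LENGTHS:
        return NAMES[msg_type] if len(payload) == FIXED_LENGTHS[msg_type] else None
    if msg_type == TRANSPORT_DATA and len(payload) >= 32 and len(payload) % 16 == 0:
        # 32 bytes is the smallest data message: an empty (keepalive) payload plus the 16-byte tag.
        return NAMES[msg_type]
    return None


def is_wireguard_flow(payloads):
    """Flag a UDP flow when it opens with a handshake initiation and every later
    datagram also fits the framing.  Requiring the initiation removes most of the
    false positives a bare 4-byte prefix check would raise on random UDP traffic."""
    kinds = [classify(p) for p in payloads]
    return bool(kinds) and kinds[0] == NAMES[HANDSHAKE_INITIATION] and all(kinds)


def build_fake(msg_type: int, length: int, index: int = 0x11223344) -> bytes:
    """Constructed test packet: type byte, 3 reserved zero bytes, a 4-byte little-endian
    sender/receiver index (placeholder value), then a zero-filled body.  Real packets carry
    ephemeral keys, AEAD ciphertext and MACs in the body; the classifier never looks there."""
    header = struct.pack("<B3xI", msg_type, index)
    return header + bytes(length - len(header))


# Constructed sample flows (not captures): one WireGuard session, one that only resembles it.
WIREGUARD_FLOW = [
    build_fake(HANDSHAKE_INITIATION, 148),
    build_fake(HANDSHAKE_RESPONSE, 92),
    build_fake(TRANSPORT_DATA, 32),     # keepalive: empty payload + tag
    build_fake(TRANSPORT_DATA, 160),    # 144 bytes of padded ciphertext + tag
]
OTHER_FLOW = [
    b"\x16\x03\x01\x00\x05hello",           # TLS-style record header: byte 1 is 0x03, not zero
    build_fake(HANDSHAKE_INITIATION, 140),  # right type byte, wrong size
]

if __name__ == "__main__":
    for name, flow in (("wireguard", WIREGUARD_FLOW), ("other", OTHER_FLOW)):
        print(name, [classify(p) for p in flow], "->", is_wireguard_flow(flow))
```

Two caveats worth keeping in mind when reading this: a flow whose handshake the sensor missed is not flagged by `is_wireguard_flow`, so a real DPI engine also scores long runs of type-4-shaped datagrams; and the same header shape can occur by chance in unrelated UDP protocols, which is why length and sequence are checked rather than the four prefix bytes alone. Neither caveat helps the user: the header bytes and sizes are fixed by the protocol and cannot be changed in a WireGuard config, which is the point temp8964 is raising.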
| temp8964 wrote:
| There is a "conspiracy" theory that those VPNs work in China because they have a connection to the CCP.
|
| It would be amazing if Tailscale could use ExpressVPN kind of services for handshaking so that it can work inside the GFW.

| simongray wrote:
| I am not able to reply to your other comment, so I'll reply here.
|
| Everything except for Tailscale (and possibly ZeroTier) on that list can be entirely self-hosted.

| temp8964 wrote:
| Thanks. I will take a look.

| simongray wrote:
| I think self-hosting is the better solution if you're worried about someone blocking a VPN's IP address.
|
| I've heard those conspiracy theories, but to be honest I just accepted that everything was monitored when I was in China anyway. Installing something like Wechat/Wei Xin basically gives Tencent permission to everything that's on your (Android) phone anyway. To me, the VPN was solely about granting access to what was otherwise blocked, not about privacy.

| ykevinator2 wrote:
|

| temp8964 wrote:
| Yes. I am looking for something like Tailscale but that can be self-hosted.

| dsr_ wrote:
| That would be headscale, mentioned above.

| qbasic_forever wrote:
| Tinc is another mesh option. Doesn't use wireguard but is still highly regarded and liked: https://www.tinc-vpn.org/

| lapser wrote:
| Worth noting, the biggest closed source thing from Tailscale is the server side, which has an open source re-implementation called Headscale[0].
|
| [0] https://github.com/juanfont/headscale

| alistairjevans wrote:
| You can probably add https://enclave.io to that list; creates mesh VPN networks based on tags + policy.

| pid-1 wrote:
| Fortinet has a (cloud controlled, IPSec based) mesh VPN solution. Maybe other networking equipment vendors also have their own offerings.

| DyslexicAtheist wrote:
| why would anyone want to have IPSec in 2022?
| It means remaining stuck with a mid-90s committee-driven-crypto protocol (and the design is far from best practice in modern security).
|
| I really like the design principles[1] of Wireguard. It does away with all the key-negotiation nonsense and eliminates a whole cluster of potential flaws right out of the gate. Also Jason Donenfeld's software development cycle is a skill level that can only be described as a 10000x-developer.
|
| [1] https://securitycryptographywhatever.buzzsprout.com/1822302/...

| pid-1 wrote:
| I think your average enterprise sysadmin/networking person doesn't really care about IPSec vs Wireguard.

| igorhvr wrote:
| Thanks! Yggdrasil ( https://yggdrasil-network.github.io/ ) should probably be in this list too, except that it doesn't need a central beacon node.

| simongray wrote:
| Very interesting. I will add it to my list.

| joshbaptiste wrote:
| aaaaaand Netbird ..

| smilliken wrote:
| ZeroTier doesn't use WireGuard, but is a mature option that fills the same niche.

| miyuru wrote:
| This is great, I was just thinking of a similar setup for the wireguard VPN I had created for work.
|
| We use multiple WG interfaces, each with its own IPv6 subnet, for access control, so will be keeping an eye on the following issue. https://github.com/firezone/firezone/issues/549
___________________________________________________________________
(page generated 2022-05-28 23:00 UTC)