[HN Gopher] FireZone - Open-source VPN server and firewall
       ___________________________________________________________________
        
       FireZone - Open-source VPN server and firewall
        
       Author : punnerud
       Score  : 204 points
       Date   : 2022-05-28 11:15 UTC (11 hours ago)
        
 (HTM) web link (www.firezone.dev)
 (TXT) w3m dump (www.firezone.dev)
        
       | matthewmacleod wrote:
       | This is very nice and looks like a useful tool.
       | 
        | It's also very much _not_ a "Tailscale Alternative" - it
       | explicitly describes itself as not being "a tool for creating
       | mesh networks", which is the exact thing that Tailscale is all
       | about.
       | 
       | Nebula (https://github.com/slackhq/nebula) is much closer to
       | actually being a fully open-source and self-hostable Tailscale
       | alternative as I understand it, though I've never used it myself.
        
         | 8organicbits wrote:
         | How are end user devices supposed to join the mesh in Nebula?
         | Is it really add this collection of files to /etc and run a
         | nebula command on the command line?
        
           | RealStickman_ wrote:
           | Yes, you just need those certificate files and a config. All
           | of that could probably be automated for easier deployment.
        
           | dddw wrote:
           | With keys that are signed with a CA cert. And they connect to
           | a server that basically checks the validation, but then they
            | can connect in between. I set it up a couple of months
            | ago. I like the implementation, but it seems a bit too slow
            | somehow.
        
         | Zizizizz wrote:
         | I've been trying netmaker and it's been very easy to set up.
         | Would recommend giving it a go
        
       | jamilbk wrote:
       | Hi everyone!
       | 
       | Firezone CEO here. Someone just clued me into this thread.
       | Unfortunately I'm in and out of Internet service today but I'll
       | do my best to answer questions.
       | 
       | As noted by others, Firezone isn't really aiming to be a mesh
       | networking tool like Tailscale, but more of a classic east-west
       | VPN similar to OpenVPN Access Server. We also expose simple
       | controls for managing egress firewall rules.
       | 
       | We have a big release planned next week to bring OIDC auth and
       | the ability to manage multiple WireGuard networks, plus Docker
       | support and more firewall + multisite features in the pipeline
       | for later this summer.
       | 
       | We have a one-line install script for Linux at our repo if you'd
       | like to give it a whirl! Grateful for any and all feedback.
       | 
       | https://github.com/firezone/firezone
        
         | KennyBlanken wrote:
         | > We also expose simple controls for managing egress firewall
         | rules.
         | 
         | Unless user-tracking telemetry is blocked, in which case,
         | apparently your CLI tools stop working?
         | 
         | https://news.ycombinator.com/item?id=31542047
         | 
         | Edit: dunno if that comment was deleted because the author was
         | wrong about their PiHole blocking telemetry causing commands to
         | fail, if they were harassed into deleting it, or what.
         | 
         | I guess I'll give you the benefit of the doubt that there was
         | something else going on with their network that caused commands
         | to fail, but you're still getting side-eye for engaging in
         | telemetry/usage tracking.
        
           | SadTrombone wrote:
           | The post you're linking to seems to have been deleted.
        
         | loudthing wrote:
         | Thanks for posting. What are the use cases for Firezone
         | exactly? Is the intention to simplify networking configuration
         | in data centers? (as opposed to the zero config nature of
         | Tailscale devices that could be anywhere on the internet?)
        
       | [deleted]
        
       | yewenjie wrote:
       | There is an install script for this which is imperative. I wish
       | there was something for NixOS (which would be declarative).
        
       | LoveGracePeace wrote:
       | Not going to knock these solutions but at least for Tailscale, if
       | I understand what I read on their web site correctly, I think
       | it's built on Wireguard. I found Wireguard to be easy enough to
       | configure and get working and I'm lazy and cheap.
       | 
       | Since then, I run my web and email servers on an old laptop in my
       | home and the Internet POP is a $3.50 VM plus $1 for a static IP,
       | at AWS Lightsail. This works for me but if I needed to connect a
       | disparate office and devices together I might look at Tailscale
       | or one of these packaged solutions, or maybe not.
        
         | lapser wrote:
         | It is indeed built on Wireguard, but it is a user space
         | implementation of Wireguard. Maybe that's fine, but kernel
         | space would allow much faster speeds.
        
         | dstanbro wrote:
         | you can run netmaker in a lightsail VPS. Similar functionality
         | / UI experience to tailscale but self-hosted
        
           | LoveGracePeace wrote:
           | It looks impressive.
        
           | razemio wrote:
           | Sadly not open source and their change notes are not yet
           | production ready. Every release something breaks. I switched
            | back to pure WireGuard because of this. I also wouldn't call
            | Tailscale's and Netmaker's UIs comparable. Netmaker has far more
           | options. Tailscale tries an apple approach by hiding almost
           | everything but DNS.
        
             | cassianoleal wrote:
             | > Sadly not open source
             | 
             | Just to clarify this take, the source is available on
             | Github [0] but licensed under the highly controversial
             | Server Side Public License [1][2].
             | 
             | This license was originally written by MongoDB. They
             | applied to get it recognised as an open source license with
             | the OSI but later withdrew the application as it became
             | clear it wouldn't have been approved.
             | 
             | OSI explained in 2019 [3] why it didn't consider the
             | license to be open source.
             | 
             | [0] https://github.com/gravitl/netmaker
             | 
             | [1]
             | https://github.com/gravitl/netmaker/blob/master/LICENSE.txt
             | 
             | [2]
             | https://en.wikipedia.org/wiki/Server_Side_Public_License
             | 
             | [3] https://opensource.org/node/1099
        
       | dang wrote:
       | All: the submitted title ("FireZone - Tailscale Alternative - The
       | Open Source VPN Server and Firewall") broke the site guidelines
       | by editorializing.
       | 
        | " _Please use the original title, unless it is misleading or
        | linkbait; don't editorialize._" -
       | https://news.ycombinator.com/newsguidelines.html
       | 
       | As complaining commenters and the project creator agree, this is
       | not a Tailscale alternative. Please don't do that! This was a
       | case study on how small title perturbations end up dominating
       | entire threads.
        
       | goodguyamercunt wrote:
        | On that note, anyone got a way to get WireGuard to work like
       | speedify on a Linux client?
        
         | dementik wrote:
         | I haven't but I have almost tried Zerotier multipath:
         | https://docs.zerotier.com/zerotier/multipath/
         | 
          | If I understand correctly, it should do something like what
          | Speedify does.
        
       | squarefoot wrote:
       | How does it compare to BSD based firewalls such as OpnSense and
       | pfSense? They're both great products, but support for ARM and
       | 802.11ac doesn't seem ready yet.
        
       | [deleted]
        
       | loeg wrote:
       | @dang Seems like the headline is somewhat editorialized -- can we
       | get "Tailscale Alternative" removed?
        
         | dang wrote:
         | Fixed now: https://news.ycombinator.com/item?id=31542122
        
           | loeg wrote:
           | Thanks.
        
         | [deleted]
        
         | pvg wrote:
         | Email the mods if you want a title fixed, there's no effective
         | @dang-based summoning
        
       | simongray wrote:
       | This doesn't really seem to do what Tailscale is doing, which is
       | to create a mesh network with a central beacon node for
       | facilitating handshakes.
       | 
       | I am currently researching this area and have found the following
       | solutions in the mesh VPN space. In order of how locked down the
       | source code is--which also seems to correlate with ease of use--
       | there is Tailscale, ZeroTier, Netmaker, Nebula, and also Innernet
       | (this last one is only mac/linux).
        
         | dstanbro wrote:
         | Yeah you can't really use FZ for Tailscale use cases, though
         | maybe OP is just referring to how it uses WireGuard. Netmaker
         | and Innernet are the two Tailscale alternatives which are using
         | WireGuard. And in fact, both are much faster than Tailscale
         | because they use Kernel WireGuard. So they'd probably be the
         | best options for "Tailscale Alternative."
        
         | dang wrote:
         | The originally submitted title said "Tailscale Alternative" but
         | this appears to have been an error and we've taken it out now.
         | More at https://news.ycombinator.com/item?id=31542122.
        
         | [deleted]
        
         | gz5 wrote:
         | another well vetted one is OpenZiti (NetFoundry SaaS products
          | are built on top of OpenZiti). Full mesh, although default-closed
          | model instead of default-open model:
         | 
         | https://openziti.github.io/ziti/overview.html
        
         | temp8964 wrote:
          | Could any of those be used against China's GFW?
         | 
         | Tailscale could be blocked by the GFW [1]. I guess that's
         | because it uses a central beacon node?
         | 
         | Also they are built on WireGuard, which is not obfuscated, so
         | they can be detected by DPI?
         | 
         | [1] https://forum.tailscale.com/t/does-tailscale-work-in-
         | mainlan...
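temp8964's point that WireGuard is not obfuscated holds at the byte level: every UDP payload begins with a one-byte message type followed by three reserved zero bytes, the three handshake message types have fixed lengths (148, 92 and 64 bytes), and a transport message is a 16-byte header plus a ciphertext whose length is a multiple of 16. The classifier below is an added example, not code from WireGuard or any project named in this thread; the addresses, session indexes and packet bodies are constructed. It shows the invariants a passive monitor keys on, which is why the protocol can be fingerprinted by DPI without any key material.

```python
"""Passive WireGuard message classifier (added example, constructed input)."""
import struct
from collections import Counter, defaultdict

# Message types and fixed sizes as defined by the WireGuard protocol.
MSG_NAMES = {1: "handshake_initiation", 2: "handshake_response",
             3: "cookie_reply", 4: "transport_data"}
FIXED_LENGTHS = {1: 148, 2: 92, 3: 64}


def classify(payload: bytes):
    """Return the WireGuard message name for a UDP payload, or None."""
    # Header: type byte + three reserved bytes that must be zero.
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_LENGTHS:
        return MSG_NAMES[msg_type] if len(payload) == FIXED_LENGTHS[msg_type] else None
    # Transport: 16-byte header, then ciphertext padded to 16 plus a 16-byte tag.
    if msg_type == 4 and len(payload) >= 32 and len(payload) % 16 == 0:
        return MSG_NAMES[4]
    return None


def sender_index(payload: bytes):
    """Little-endian sender index that follows the header in handshake messages."""
    if classify(payload) in ("handshake_initiation", "handshake_response"):
        return struct.unpack_from("<I", payload, 4)[0]
    return None


def summarize(packets):
    """Count WireGuard message types per (src, dst) flow; other traffic is skipped."""
    flows = defaultdict(Counter)
    for src, dst, payload in packets:
        name = classify(payload)
        if name is not None:
            flows[(src, dst)][name] += 1
    return {flow: dict(counts) for flow, counts in flows.items()}


# Constructed packets with the right shapes; the bodies are filler, not real crypto.
def _initiation(idx):
    return b"\x01\x00\x00\x00" + struct.pack("<I", idx) + b"\xaa" * 140      # 148 bytes

def _response(sender, receiver):
    return b"\x02\x00\x00\x00" + struct.pack("<II", sender, receiver) + b"\xbb" * 80  # 92

def _data(receiver, ct_len):
    return b"\x04\x00\x00\x00" + struct.pack("<IQ", receiver, 1) + b"\xcc" * ct_len

# Constructed sample traffic (documentation-range addresses, made-up indexes).
SAMPLE = [
    ("198.51.100.10", "203.0.113.5", _initiation(0x1234)),
    ("203.0.113.5", "198.51.100.10", _response(0x5678, 0x1234)),
    ("198.51.100.10", "203.0.113.5", _data(0x5678, 16)),      # keepalive-sized
    ("198.51.100.10", "203.0.113.5", _data(0x5678, 1424)),
    ("198.51.100.10", "203.0.113.5", b"\x01\x00\x00\x00" + b"\xaa" * 10),  # truncated
    ("198.51.100.10", "203.0.113.9", b"GET / HTTP/1.1\r\n"),  # not WireGuard
]

if __name__ == "__main__":
    for flow, counts in summarize(SAMPLE).items():
        print(flow, counts)
```

Only the shape of the message is inspected; nothing about the payload is decrypted, which is the whole reason a protocol that wants to survive DPI has to hide even its header.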
        
           | gz5 wrote:
            | fully self-hosted is usually best, e.g. WireGuard. zerotier is
           | close. openziti, especially in cases in which app-specific
           | VPNs help (each session looks like different encrypted apps,
           | and you choose what apps).
        
           | api wrote:
           | A ton of people seem to use ZeroTier in China. It's harder to
           | block since you can self-host everything, which many in China
           | do.
        
           | simongray wrote:
           | I have actually lived in China for 2 years and travelled
           | there for maybe 6 months in total in addition to that. I've
           | always just used a traditional, commercial VPN service such
           | as ExpressVPN. In theory, those can also easily be blocked,
           | but in my experience it rarely happens in practice.
           | 
           | The main issue with living in China is the fact that the
           | connections to the outside world are so clogged that using
           | something like Youtube is often so slow that it's not even
           | worth trying; that was the case in the Beijing area between
           | 2016-2018 at least.
        
             | temp8964 wrote:
              | There is a "conspiracy" theory that those VPNs work in
             | China because they have a connection to the CCP.
             | 
             | It would be amazing if Tailscale can use ExpressVPN kind of
             | services for handshaking so that it can work inside the
             | GFW.
        
               | simongray wrote:
                | I am not able to reply to your other comment, so I'll
               | reply here.
               | 
               | Everything except for Tailscale (and possibly ZeroTier)
               | on that list can be entirely self-hosted.
        
               | temp8964 wrote:
               | Thanks. I will take a look.
        
               | simongray wrote:
               | I think self-hosting is the better solution if you're
               | worried about someone blocking a VPN's IP address.
               | 
               | I've heard those conspiracy theories, but to be honest I
               | just accepted that everything was monitored when I was in
               | China anyway. Installing something like Wechat/Wei Xin
                | basically gives Tencent permission to everything that's
               | on your (Android) phone anyway. To me, the VPN was solely
               | about granting access to what was otherwise blocked, not
               | about privacy.
        
               | ykevinator2 wrote:
        
               | temp8964 wrote:
               | Yes. I am looking for something like Tailscale but can be
               | self-hosted.
        
               | dsr_ wrote:
               | That would be headscale, mentioned above.
        
         | qbasic_forever wrote:
         | Tinc is another mesh option. Doesn't use wireguard but is still
         | highly regarded and liked: https://www.tinc-vpn.org/
        
         | lapser wrote:
         | Worth noting, the biggest closed source thing from Tailscale is
         | the server side, which has an open source re-implementation
          | called Headscale[0].
         | 
         | [0] https://github.com/juanfont/headscale
        
         | alistairjevans wrote:
         | You can probably add https://enclave.io to that list; creates
         | mesh VPN networks based on tags + policy.
        
         | pid-1 wrote:
         | Fortinet has a (cloud controlled, IPSec based) mesh VPN
         | solution. Maybe other networking equipment vendors also have
         | their own offerings.
        
           | DyslexicAtheist wrote:
            | why would anyone want to have IPSec in 2022? It means
            | remaining stuck with a mid-'90s committee-driven-crypto
           | protocol (and the design is far from best practice in modern
           | security).
           | 
           | I really like the design principles[1] of Wireguard. It does
           | away with all the key-negotiation nonsense and eliminates a
           | whole cluster of potential flaws right out of the gate. Also
           | Jason Donenfeld's software development cycle is a skill level
           | that can only be described as a 10000x-developer.
           | 
           | [1] https://securitycryptographywhatever.buzzsprout.com/18223
           | 02/...
        
             | pid-1 wrote:
             | I think your average enterprise sysadmin/networking person
             | doesn't really care about IPSec vs Wireguard.
        
         | igorhvr wrote:
         | Thanks! Yggdrasil ( https://yggdrasil-network.github.io/ )
          | should probably be in this list too, except that it doesn't need a
         | central beacon node.
        
           | simongray wrote:
           | Very interesting. I will add it to my list.
        
             | joshbaptiste wrote:
             | aaaaaand Netbird ..
        
               | smilliken wrote:
               | ZeroTier doesn't use WireGuard, but is a mature option
               | that fills the same niche.
        
       | miyuru wrote:
       | This is great, I was just thinking of a similar setup for the
       | wireguard VPN I had created for work.
       | 
        | We use multiple WG interfaces, each with its own IPv6 subnet,
        | for access control, so we'll be keeping an eye on the following
        | issue: https://github.com/firezone/firezone/issues/549
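The egress controls jamilbk mentions and the one-subnet-per-interface layout miyuru describes come down to one mechanism: a peer's tunnel address says which interface (and therefore which rule set) it belongs to, and the concentrator decides per destination whether forwarded traffic may leave. The Python below is an added example, not Firezone's code. The interface names, subnets and rules are constructed, and the nftables rendering assumes a forward chain declared with `policy drop`, which supplies the default deny the rule sets rely on.

```python
"""Per-interface egress policy for a multi-network WireGuard concentrator.

Added example, not Firezone's code. Each interface owns an IPv4 and an
IPv6 tunnel subnet; rules are first-match and anything unmatched is dropped.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    destination: str   # destination CIDR, v4 or v6


@dataclass(frozen=True)
class WgNetwork:
    name: str          # interface name (constructed)
    subnets: tuple     # tunnel subnets owned by this interface
    rules: tuple       # egress rules, first match wins


# Constructed topology: two interfaces with different trust levels.
NETWORKS = (
    WgNetwork("wg-eng", ("10.8.1.0/24", "fd00:8:1::/64"), (
        Rule("deny",  "10.0.50.0/24"),          # finance segment stays closed
        Rule("allow", "10.0.0.0/8"),
        Rule("allow", "2001:db8:100::/48"),
    )),
    WgNetwork("wg-contractors", ("10.8.2.0/24", "fd00:8:2::/64"), (
        Rule("allow", "10.0.20.10/32"),         # only the ticketing host
    )),
)


def _contains(cidr: str, address: str) -> bool:
    """True when address lies in cidr; always False across IP versions."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


def find_network(src: str):
    """Map a peer's tunnel address to the interface that owns it, or None."""
    for net in NETWORKS:
        if any(_contains(subnet, src) for subnet in net.subnets):
            return net
    return None


def egress_allowed(src: str, dst: str) -> bool:
    """Decide whether a packet from tunnel address src may be forwarded to dst."""
    if ipaddress.ip_address(src).version != ipaddress.ip_address(dst).version:
        return False                 # a packet cannot mix address families
    net = find_network(src)
    if net is None:
        return False                 # address on no interface: drop
    for rule in net.rules:
        if _contains(rule.destination, dst):
            return rule.action == "allow"
    return False                     # no rule matched: default deny


def render_nft(net: WgNetwork) -> list:
    """Render one interface's rules as nftables forward-chain statements.

    Only same-family (v4/v4, v6/v6) pairs yield a rule; the chain's
    'policy drop' is assumed to cover everything that matches nothing.
    """
    lines = []
    for subnet in net.subnets:
        version = ipaddress.ip_network(subnet).version
        family = "ip" if version == 4 else "ip6"
        for rule in net.rules:
            if ipaddress.ip_network(rule.destination).version != version:
                continue
            verb = "accept" if rule.action == "allow" else "drop"
            lines.append(f'iifname "{net.name}" {family} saddr {subnet} '
                         f'{family} daddr {rule.destination} {verb}')
    return lines


if __name__ == "__main__":
    checks = [("10.8.1.7", "10.0.50.4"), ("10.8.1.7", "10.0.1.4"),
              ("fd00:8:1::7", "2001:db8:100::1"), ("10.8.2.9", "10.0.1.4")]
    for src, dst in checks:
        print(src, "->", dst, "allowed" if egress_allowed(src, dst) else "denied")
    for line in render_nft(NETWORKS[0]):
        print(line)
```

Order matters in both the evaluator and the rendered chain, since `accept` and `drop` are terminal in nftables just as the first matching rule is here; that is why the finance deny sits before the broad 10.0.0.0/8 allow. A peer whose address falls outside every interface subnet is denied before any rule set is consulted.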
        
       ___________________________________________________________________
       (page generated 2022-05-28 23:00 UTC)