[HN Gopher] Zrok: Open-Source Peer to Peer
___________________________________________________________________
Zrok: Open-Source Peer to Peer
Author : whack
Score : 155 points
Date : 2023-02-08 15:36 UTC (7 hours ago)
(HTM) web link (zrok.io)
(TXT) w3m dump (zrok.io)
| omani wrote:
| there is NKN (nkn.org). with 60k+ nodes. already established
| blockchain with incentivized miners. free and anonymous, p2p
| networking.
|
| nobody uses it and everybody is doing their own thing trying to
| reinvent the wheel.
| vineyardmike wrote:
| The purpose of the shared project has nothing to do with nkn,
| either in usage or _ahem_ a blockchain.
|
| The shared project is more of a p2p VPN to access remote
| services privately, as opposed to a VPN for accessing the
| broader internet. Yes, there are other services that do
| something similar to Zrok, but this actually builds on one
| (openZiti) presumably to handle the connections more abstractly
| (and also presumably to launch their own paid SaaS endpoint?).
| I could see this more competing with Tailscale to access
| Internal tools at a company, or for home-lab users who want to
| access/share services they're running remotely.
| wyager wrote:
| The fact that whatever you're talking about has a blockchain
| built in tells me everything I need to know.
| orthecreedence wrote:
| How is NKN different from, like, the internet? Nothing on the
| homepage tells me why there is a blockchain involved. Nothing
| it talks about cannot be done with TCP/TLS/etc etc.
|
| If it's a p2p _framework_ then something like libp2p,
| holochain, or p2panda would be much more appropriate than a
| blockchain with "incentivized miners" (incentivized to do
| what??).
|
| I think the reason people are reinventing the wheel is because
| blockchain tech has extremely limited use-cases and all the
| people who tried (or are trying) to use it outside of its
| applicable domain are misguided, prompting further exploration
| into the p2p space that isn't tethered (no pun intended) to a
| _global state that has to be shared by every node in the
| system_ which is an inherently unscalable solution for anything
| beyond a handful of performant nodes (ie, sharing transactions
| between banks or something).
| omani wrote:
| > (incentivized to do what??)
|
| to route traffic. NKN is a CHORD overlay on top of the
| internet. clients connect to nodes and nodes route traffic
| from one node to another until the packet reaches its
| destination. clients stay anonymous (no IP leakage). end-to-
| end encrypted communication. "Proof-of-Relay" algorithm for
| mining. consensus via MOCA.
|
| the only state of the art blockchain technology I know of.
| and they dont even pay me to say this.
| AlbertoGP wrote:
| There was a post one day ago, apparently from the creator of
| Zrok, giving more context on this:
| https://news.ycombinator.com/item?id=34693988
|
| > _In the discussions about v0.2, the (now obvious) idea came up
| to implement something that we 're calling "private sharing". It
| works a lot like the traditional on-demand reverse proxy, except
| instead of exposing the private endpoint through a public HTTP
| listener, it binds the shared resource onto an OpenZiti network,
| where it can be accessed securely by another zrok client. This
| "other" zrok client exposes an HTTP listener wherever the user
| wants... but it's usually put on the loopback interface of that
| user's system. This allows the user to securely access the shared
| resource on their system as if it's local, even though it's
| somewhere else on a zero-trust network._
|
| > _As we 've started working through the development of v0.3,
| we've realized that we can incorporate other useful capabilities,
| like streamlined file sharing (elegant WebDAV integration is
| coming)._
|
| From a quick look, it seems that the self-hostable part
| (https://github.com/openziti/zrok/blob/main/docs/guides/v0.3_...)
| is written in Go, and there are SDKs for connecting to it from a
| variety of languages.
|
| Oracle has an article on the underlying network layer which is
| called OpenZiti, which defines ZeroTrust:
|
| > _Zero trust assumes there is no implicit trust granted to
| assets or user accounts based solely on their physical or network
| location (i.e., local area networks versus the internet) or based
| on asset ownership (enterprise or personally owned).
| Authentication and authorization (both subject and device) are
| discrete functions performed before a session to an enterprise
| resource is established._
|
| All of this sounds very interesting to me, but I have no
| experience with these kinds of network stacks. Has anyone here
| evaluated it?
|
| Would this be useful for adding document sharing to applications
| I write, for instance, a hypothetical word processor? I mean
| sharing with other people working on a document. The SDKs seem to
| be clients, so to interchange files between two applications with
| an embedded SDK, does it still need a third machine running an
| API server?
| michaelquigley wrote:
| > Would this be useful for adding document sharing to
| applications I write, for instance, a hypothetical word
| processor? I mean sharing with other people working on a
| document. The SDKs seem to be clients, so to interchange files
| between two applications with an embedded SDK, does it still
| need a third machine running an API server?
|
| We could certainly incorporate an "embeddable" SDK so that zrok
| can be incorporated into other applications.
|
| As it currently stands, you would need access to a zrok
| "service instance" ("cloud"), running the zrok controller
| (providing API access). But we could certainly look at other
| kinds of use cases where that control plane is potentially
| enabled ephemerally or on-demand. I have some ideas for things
| we might be able to do.
|
| Neither of these are on the immediate roadmap. But if people
| ask for them, we could certainly build them.
| Maursault wrote:
| I doubt Activision cares, but what does this have to do with
| Infocom and Z-machine?
| dovholuknf wrote:
| man, those were the days. I actually played it on my Atari 800
| codethief wrote:
| How does this compare to Tailscale, beyond being based on
| OpenZiti instead of Wireguard?
| gz5 wrote:
| yes, zrok is open source and tailscale is not. zrok has a
| private share mode in which you share the resource without any
| internet exposure (not even temporary) - nice for security and
| cases where you need 2 or more private enviros (rfc 1918 space)
| to talk w/o opening any ports.
|
| if your question was centered on the compare between wireguard
| and openziti. both are open source network overlay solutions
| and both have large scale saas options (e.g. cloudziti from
| netfoundry; tailscale for wireguard).
|
| 4 key differences between openziti vs wireguard are (1) app vs.
| device; (2) p2p tunnel vs full mesh; (3) management model; (4)
| security model. it mainly comes down to what your use case
| needs and doesn't need.
|
| (1) app vs. device the atom of wireguard is a device. the atom
| of openziti is an app. devs embed openziti directly into the
| process space of an app or api as code (using openziti sdks)
| such that installing your app spins up a zero trust overlay for
| your app w/o distributing agents. alternatively you can use
| openziti agents for mobile, desktop, cloud edge, etc. in that
| model, the agents are still app-specific, e.g. only services
| you specify go on the overlay; rest are ignored.
|
| (2) vpn vs. sdn like mesh wireguard gives you p2p tunnels like
| most vpns. openziti gives you control of a full mesh, latency
| optimized network - like a programmable sdn. if you want x
| connections from a given machine (e.g. an api to cloud1, a
| different service to cloud2, some other app to cloud3) then
| openziti is designed to make that simple for you. if you want a
| single device level tunnel for all data, then wg may be for
| you.
|
| (3) management model with wg, you manage certs, p2p tunnels,
| restrictions/ACLs (tailscale etc help you with much of this but
| then you are buying a closed source product). openziti builds
| all this into the foss for you. you even control the full mesh
| fabric (programmable ziti routers) listed above. so wg may be
| simpler if you have a limited # of endpoints, routes and
| restrictions to manage.
|
| (4) security and compliance model openziti provides mTLS, X.509
| based identities, private DNS, e2e encryption all the way to
| the process space of the app (see item #1 above), default least
| privileged access, mfa, posture checks, etc. that is overkill
| for some uses - it does carry some complexity with it -
| wireguard may be a better choice for those cases.
| dovholuknf wrote:
| I am a dev on the OpenZiti project. I personally think
| Tailscale is more similar to OpenZiti. It's making wireguard
| administration really easy.
|
| zrok is very clearly based heavily on inspiration from the
| amazing tool called ngrok. If you haven't checked them out you
| should. They are widely loved for lots of good reasons. Other
| product/projects in this category is Tailscale's funnels or
| Cloudflare tunnels.
|
| Key differences to ngrok are it being fully open source and
| fully self hostable. zrok allows you to do public/anonymous
| type sharing too but also has this private sharing feature that
| you might find neat. Basically it'll hide your app behind two
| "localhost" type proxies all transparently (to most people).
| bogwog wrote:
| I just looked up ngrok right now and it looks really cool,
| but I wonder what people actually use it for? Are people
| actually running production software this way, or is it just
| for sharing e.g. demos with coworkers? If the latter, it
| seems to me like a narrow use case that can already be served
| by automated devops stuff.
|
| Again this is new to me, so I'm probably missing some obvious
| use cases. Do you use it for anything in particular?
| dopidopHN wrote:
| I often use it for :
|
| - showing a POC running locally / quick demo/ short terms
| project
|
| - debug incoming webhook or the like. Let's say you have a
| service where you can register a URL, and that the service
| will post a http request to you when a event occurs.
|
| I use ngrok, piped to a local handler. It's convenient
| johne20 wrote:
| Consuming webhooks in dev environment is one use-case.
| Agrue8u wrote:
| I found ngrok looking for simple and safe ways to share our
| local minecraft server among my kid's friends. (about 5
| years ago)
| dovholuknf wrote:
| Easily sharing local resources is a common need as a dev,
| for sure. If I'm making changes to a web form, updating
| online doc, etc. it's dreadfully convenient to just share
| that resource for some short amount of time...
|
| I've used similar tech when collaborating with a fella
| recently, he stood up a vault server and I hit his private
| API over an ngrok share because that was the tool he had
| used, liked and was familiar with.
|
| It's just super handy to do that sort of thing when/as you
| need to
| PLG88 wrote:
| Great question. I am in the process of creating some public
| documentation for the OpenZiti project vs [insert tech].
| OpenZiti is more akin to Wireguard (i.e., open source),
| CloudZiti is more comparable to Tailscale (hosted SaaS)
|
| Here are some shorted bullets vs Wireguard (with references to
| Tailscale).
|
| - Rather than connecting machines, Ziti cares about connecting
| "services" with zero trust networking concepts. This can be
| surmised as Wireguard being 'default-open' whereas ZT is
| 'default-closed'. Wireguard is normally combined with a
| firewall to deliver ACLs and network segmentation controls.
|
| - Whereas WireGuard securely encapsulates IP packets over UDP
| and uses hole punching, OpenZiti uses TCP and a mesh overlay
| (with the outbound only at source and destination). This is how
| Tailscale implements Wireguard to ensure it works easily in all
| situations. All of this is open-source and native to OpenZiti,
| not in Wireguard.
|
| - Due to OpenZiti's uses of identity in the endpoints and
| fabric for routing, you also get private DNS, unique naming and
| outbound connections. No need to use floating or static IPs,
| easily handle overlapping, and have no need for port forwarding
| or NAT issues.
|
| - While with OpenZiti you can start with "network-based zero
| trust" (installing a router in private IP space) and progress
| to "host-based zero trust" (using an agent/tunneller); it also
| has a suite of SDKs to embed in apps themselves for
| "application-based zero trust".
|
| P.S., OpenZiti uses the Windows TUN (WinTun) that the Wireguard
| project made as (at least) part of our Windows tunneler.
| Thanks, Wireguard!
| johne20 wrote:
| Thanks for this. How does speed of OpenZiti compare to
| Wireguard on network on same LAN? Eg. if you connect machines
| on same VPC?
| jron wrote:
| Also curious how it compares to https://github.com/holepunchto
| [deleted]
| jhoechtl wrote:
| Can this be used for a P2P pair editing session?
| tpoacher wrote:
| maybe it could be used to share a tmux session? (which is my
| favourite way for collaborative editing)
| dovholuknf wrote:
| Not at this time. Right now zrok is for web (http) and file
| sharing. It's possible that sharing other UDP/TCP type
| sharing could be added in the future. Right now the overlay
| network (OpenZiti) would be able to support that right now if
| you were looking for any TCP/UDP.
| dovholuknf wrote:
| I wouldn't think so tbh. Unless whatever editor you're using is
| sharing a web resource... In that case, sure. If you need/want
| UDP/TCP type sharing you could use the underlying OpenZiti
| overlay network for that, but out of the gate, at this time I
| don't think it'd support most "P2P editing". zrok certainly
| doesn't provide that type of functionality at this time
| [deleted]
| kerkeslager wrote:
| This... sounds like something I would be interested in, but I
| cannot for the life of me understand what this does.
|
| Is this decentralized file sharing?
| spaniard89277 wrote:
| It seems to me that is some kind of tunnel/vpn a-la-zerotier?
| AlbertoGP wrote:
| In this video from 11 months ago, at 25 min. they say this:
|
| "Ziti is only providing a pipe. That's also very important.
| Some people might think that there is more going on there,
| but Ziti is literally, just... just a black hole, from one
| side to the other, and how it gets there... _it's like an SSH
| tunnel_.
|
| https://www.youtube.com/watch?v=qyjM5y8Op_I&t=1509s
|
| He goes on to say " _I'm going say it publicly: my mission is
| to kill REST. [...] I'm going to bring us all the way back to
| the 1990s, and we're going to do RPC all over again_ "
|
| The linked article is about Zrok, which seems to be an
| application on top of that OpenZiti overlay network on top of
| the Internet.
| dovholuknf wrote:
| Trying to keep it short, I would say OpenZiti is similar to
| zerotier moreso than zrok. This zrok tool though is closer to
| ngrok. I mentioned that in another comment so hopefully
| that's easy enough to find in the page.
| dovholuknf wrote:
| It's more peer to peer file sharing and web content sharing
| than truly distributed sharig but with a globally available
| service, it's "distributed" ina way. It's not doing sharding or
| anything fancy like that (yet anyway). Right now, it's a dev-
| focused tool similar to the other projects out there like
| ngrok/tailscale funnels/cloudflare tunnels etc. There's a fair
| number of them now-a-days. :) But it doesn't need to stay that
| way and might change.
|
| This one is built on top of OpenZiti (I am a dev on that
| project) which is a secure, zero trust overlay network. It's
| fully self-hostable and open source which some people find
| attractive. The hosted version our company is sponsoring for
| free (at least 'for now').
|
| The key goal is to make it super easy and safe to share
| files/web content.
| debarshri wrote:
| On surface it looks similar to ngrok. Except you can self host
| this using the open source project openziti that support the
| infra for it. It seems to be either a wrapper or implemented
| using openziti
| vineyardmike wrote:
| > zrok provides Private or Public, instant, secure tunneling of
| applications from anywhere.
|
| Its a tunneling tool, to share a port/etc from one computer to
| another. You can connect to a computer, even if you don't
| directly have a route to it's IP.
|
| > Secured effortlessly by using a zero trust overlay network
| provided by OpenZiti
|
| It uses OpenZiti to accomplish the links, as opposed to
| tailscale, zero tier, cloudflare tunnels, Yggdrasil, etc.
|
| > zrok allows sharing other types of resources; rather than
| just proxying http endpoints, zrok allows users to easily and
| rapidly share files and web content. zrok is also ready to be
| extended to easily support many kinds of decentralized resource
| sharing; zrok provides a framework that makes this kind of
| peer-to-peer resource sharing simple and secure
|
| It looks like its also extensible, so you can use it to form
| the communication layer to share other things, files being one
| example.
| vapemaster wrote:
| this was an awesome, non-snarky, explanatory comment. thanks
| for this.
___________________________________________________________________
(page generated 2023-02-08 23:00 UTC)