[HN Gopher] Zrok: Open-Source Peer to Peer
___________________________________________________________________

   Zrok: Open-Source Peer to Peer

   Author : whack
   Score  : 155 points
   Date   : 2023-02-08 15:36 UTC (7 hours ago)

 (HTM) web link (zrok.io)
 (TXT) w3m dump (zrok.io)

   | omani wrote:
   | there is NKN (nkn.org). with 60k+ nodes. already established
   | blockchain with incentivized miners. free and anonymous, p2p
   | networking.
   |
   | nobody uses it and everybody is doing their own thing trying to
   | reinvent the wheel.
   | vineyardmike wrote:
   | The purpose of the shared project has nothing to do with nkn,
   | either in usage or _ahem_ a blockchain.
   |
   | The shared project is more of a p2p VPN to access remote
   | services privately, as opposed to a VPN for accessing the
   | broader internet. Yes, there are other services that do
   | something similar to Zrok, but this actually builds on one
   | (openZiti) presumably to handle the connections more abstractly
   | (and also presumably to launch their own paid SaaS endpoint?).
   | I could see this more competing with Tailscale to access
   | internal tools at a company, or for home-lab users who want to
   | access/share services they're running remotely.
   | wyager wrote:
   | The fact that whatever you're talking about has a blockchain
   | built in tells me everything I need to know.
   | orthecreedence wrote:
   | How is NKN different from, like, the internet? Nothing on the
   | homepage tells me why there is a blockchain involved. Nothing
   | it talks about cannot be done with TCP/TLS/etc etc.
   |
   | If it's a p2p _framework_ then something like libp2p,
   | holochain, or p2panda would be much more appropriate than a
   | blockchain with "incentivized miners" (incentivized to do
   | what??).
   |
   | I think the reason people are reinventing the wheel is because
   | blockchain tech has extremely limited use-cases and all the
   | people who tried (or are trying) to use it outside of its
   | applicable domain are misguided, prompting further exploration
   | into the p2p space that isn't tethered (no pun intended) to a
   | _global state that has to be shared by every node in the
   | system_ which is an inherently unscalable solution for anything
   | beyond a handful of performant nodes (ie, sharing transactions
   | between banks or something).
   | omani wrote:
   | > (incentivized to do what??)
   |
   | to route traffic. NKN is a CHORD overlay on top of the
   | internet. clients connect to nodes and nodes route traffic
   | from one node to another until the packet reaches its
   | destination. clients stay anonymous (no IP leakage). end-to-end
   | encrypted communication. "Proof-of-Relay" algorithm for
   | mining. consensus via MOCA.
   |
   | the only state of the art blockchain technology I know of.
   | and they don't even pay me to say this.
   | AlbertoGP wrote:
   | There was a post one day ago, apparently from the creator of
   | Zrok, giving more context on this:
   | https://news.ycombinator.com/item?id=34693988
   |
   | > _In the discussions about v0.2, the (now obvious) idea came up
   | to implement something that we're calling "private sharing". It
   | works a lot like the traditional on-demand reverse proxy, except
   | instead of exposing the private endpoint through a public HTTP
   | listener, it binds the shared resource onto an OpenZiti network,
   | where it can be accessed securely by another zrok client. This
   | "other" zrok client exposes an HTTP listener wherever the user
   | wants... but it's usually put on the loopback interface of that
   | user's system. This allows the user to securely access the shared
   | resource on their system as if it's local, even though it's
   | somewhere else on a zero-trust network._
   |
   | > _As we've started working through the development of v0.3,
   | we've realized that we can incorporate other useful capabilities,
   | like streamlined file sharing (elegant WebDAV integration is
   | coming)._
   |
   | From a quick look, it seems that the self-hostable part
   | (https://github.com/openziti/zrok/blob/main/docs/guides/v0.3_...)
   | is written in Go, and there are SDKs for connecting to it from a
   | variety of languages.
   |
   | Oracle has an article on the underlying network layer which is
   | called OpenZiti, which defines ZeroTrust:
   |
   | > _Zero trust assumes there is no implicit trust granted to
   | assets or user accounts based solely on their physical or network
   | location (i.e., local area networks versus the internet) or based
   | on asset ownership (enterprise or personally owned).
   | Authentication and authorization (both subject and device) are
   | discrete functions performed before a session to an enterprise
   | resource is established._
   |
   | All of this sounds very interesting to me, but I have no
   | experience with these kinds of network stacks. Has anyone here
   | evaluated it?
   |
   | Would this be useful for adding document sharing to applications
   | I write, for instance, a hypothetical word processor? I mean
   | sharing with other people working on a document. The SDKs seem to
   | be clients, so to interchange files between two applications with
   | an embedded SDK, does it still need a third machine running an
   | API server?
   | michaelquigley wrote:
   | > Would this be useful for adding document sharing to
   | applications I write, for instance, a hypothetical word
   | processor? I mean sharing with other people working on a
   | document. The SDKs seem to be clients, so to interchange files
   | between two applications with an embedded SDK, does it still
   | need a third machine running an API server?
   |
   | We could certainly incorporate an "embeddable" SDK so that zrok
   | can be incorporated into other applications.
   |
   | As it currently stands, you would need access to a zrok
   | "service instance" ("cloud"), running the zrok controller
   | (providing API access). But we could certainly look at other
   | kinds of use cases where that control plane is potentially
   | enabled ephemerally or on-demand. I have some ideas for things
   | we might be able to do.
   |
   | Neither of these are on the immediate roadmap. But if people
   | ask for them, we could certainly build them.
   | Maursault wrote:
   | I doubt Activision cares, but what does this have to do with
   | Infocom and Z-machine?
   | dovholuknf wrote:
   | man, those were the days. I actually played it on my Atari 800
   | codethief wrote:
   | How does this compare to Tailscale, beyond being based on
   | OpenZiti instead of Wireguard?
   | gz5 wrote:
   | yes, zrok is open source and tailscale is not. zrok has a
   | private share mode in which you share the resource without any
   | internet exposure (not even temporary) - nice for security and
   | cases where you need 2 or more private enviros (rfc 1918 space)
   | to talk w/o opening any ports.
   |
   | if your question was centered on the compare between wireguard
   | and openziti. both are open source network overlay solutions
   | and both have large scale saas options (e.g. cloudziti from
   | netfoundry; tailscale for wireguard).
   |
   | 4 key differences between openziti vs wireguard are (1) app vs.
   | device; (2) p2p tunnel vs full mesh; (3) management model; (4)
   | security model. it mainly comes down to what your use case
   | needs and doesn't need.
   |
   | (1) app vs. device: the atom of wireguard is a device. the atom
   | of openziti is an app. devs embed openziti directly into the
   | process space of an app or api as code (using openziti sdks)
   | such that installing your app spins up a zero trust overlay for
   | your app w/o distributing agents. alternatively you can use
   | openziti agents for mobile, desktop, cloud edge, etc. in that
   | model, the agents are still app-specific, e.g. only services
   | you specify go on the overlay; rest are ignored.
   |
   | (2) vpn vs. sdn-like mesh: wireguard gives you p2p tunnels like
   | most vpns. openziti gives you control of a full mesh, latency
   | optimized network - like a programmable sdn. if you want x
   | connections from a given machine (e.g. an api to cloud1, a
   | different service to cloud2, some other app to cloud3) then
   | openziti is designed to make that simple for you. if you want a
   | single device level tunnel for all data, then wg may be for
   | you.
   |
   | (3) management model: with wg, you manage certs, p2p tunnels,
   | restrictions/ACLs (tailscale etc help you with much of this but
   | then you are buying a closed source product). openziti builds
   | all this into the foss for you. you even control the full mesh
   | fabric (programmable ziti routers) listed above. so wg may be
   | simpler if you have a limited # of endpoints, routes and
   | restrictions to manage.
   |
   | (4) security and compliance model: openziti provides mTLS, X.509
   | based identities, private DNS, e2e encryption all the way to
   | the process space of the app (see item #1 above), default least
   | privileged access, mfa, posture checks, etc. that is overkill
   | for some uses - it does carry some complexity with it -
   | wireguard may be a better choice for those cases.
   | dovholuknf wrote:
   | I am a dev on the OpenZiti project. I personally think
   | Tailscale is more similar to OpenZiti. It's making wireguard
   | administration really easy.
   |
   | zrok is very clearly based heavily on inspiration from the
   | amazing tool called ngrok. If you haven't checked them out you
   | should. They are widely loved for lots of good reasons. Other
   | products/projects in this category are Tailscale's funnels or
   | Cloudflare tunnels.
   |
   | Key differences to ngrok are it being fully open source and
   | fully self hostable. zrok allows you to do public/anonymous
   | type sharing too but also has this private sharing feature that
   | you might find neat. Basically it'll hide your app behind two
   | "localhost" type proxies all transparently (to most people).
   | bogwog wrote:
   | I just looked up ngrok right now and it looks really cool,
   | but I wonder what people actually use it for? Are people
   | actually running production software this way, or is it just
   | for sharing e.g. demos with coworkers? If the latter, it
   | seems to me like a narrow use case that can already be served
   | by automated devops stuff.
   |
   | Again this is new to me, so I'm probably missing some obvious
   | use cases. Do you use it for anything in particular?
   | dopidopHN wrote:
   | I often use it for:
   |
   | - showing a POC running locally / quick demo / short-term
   | project
   |
   | - debugging an incoming webhook or the like. Let's say you have a
   | service where you can register a URL, and that the service
   | will post an http request to you when an event occurs.
   |
   | I use ngrok, piped to a local handler. It's convenient
   | johne20 wrote:
   | Consuming webhooks in a dev environment is one use-case.
   | Agrue8u wrote:
   | I found ngrok looking for simple and safe ways to share our
   | local minecraft server among my kid's friends. (about 5
   | years ago)
   | dovholuknf wrote:
   | Easily sharing local resources is a common need as a dev,
   | for sure. If I'm making changes to a web form, updating
   | online doc, etc. it's dreadfully convenient to just share
   | that resource for some short amount of time...
   |
   | I've used similar tech when collaborating with a fella
   | recently, he stood up a vault server and I hit his private
   | API over an ngrok share because that was the tool he had
   | used, liked and was familiar with.
   |
   | It's just super handy to do that sort of thing when/as you
   | need to
   | PLG88 wrote:
   | Great question. I am in the process of creating some public
   | documentation for the OpenZiti project vs [insert tech].
   |
   | OpenZiti is more akin to Wireguard (i.e., open source),
   | CloudZiti is more comparable to Tailscale (hosted SaaS)
   |
   | Here are some short bullets vs Wireguard (with references to
   | Tailscale).
   |
   | - Rather than connecting machines, Ziti cares about connecting
   | "services" with zero trust networking concepts. This can be
   | surmised as Wireguard being 'default-open' whereas ZT is
   | 'default-closed'. Wireguard is normally combined with a
   | firewall to deliver ACLs and network segmentation controls.
   |
   | - Whereas WireGuard securely encapsulates IP packets over UDP
   | and uses hole punching, OpenZiti uses TCP and a mesh overlay
   | (with the outbound only at source and destination). This is how
   | Tailscale implements Wireguard to ensure it works easily in all
   | situations. All of this is open-source and native to OpenZiti,
   | not in Wireguard.
   |
   | - Due to OpenZiti's use of identity in the endpoints and
   | fabric for routing, you also get private DNS, unique naming and
   | outbound connections. No need to use floating or static IPs,
   | easily handle overlapping, and have no need for port forwarding
   | or NAT issues.
   |
   | - While with OpenZiti you can start with "network-based zero
   | trust" (installing a router in private IP space) and progress
   | to "host-based zero trust" (using an agent/tunneller); it also
   | has a suite of SDKs to embed in apps themselves for
   | "application-based zero trust".
   |
   | P.S., OpenZiti uses the Windows TUN (WinTun) that the Wireguard
   | project made as (at least) part of our Windows tunneler.
   | Thanks, Wireguard!
   | johne20 wrote:
   | Thanks for this. How does the speed of OpenZiti compare to
   | Wireguard on a network on the same LAN? E.g. if you connect
   | machines on the same VPC?
   | jron wrote:
   | Also curious how it compares to https://github.com/holepunchto
   | [deleted]
   | jhoechtl wrote:
   | Can this be used for a P2P pair editing session?
   | tpoacher wrote:
   | maybe it could be used to share a tmux session? (which is my
   | favourite way for collaborative editing)
   | dovholuknf wrote:
   | Not at this time. Right now zrok is for web (http) and file
   | sharing. It's possible that other UDP/TCP type
   | sharing could be added in the future. Right now the overlay
   | network (OpenZiti) would be able to support that if
   | you were looking for any TCP/UDP.
   | dovholuknf wrote:
   | I wouldn't think so tbh. Unless whatever editor you're using is
   | sharing a web resource... In that case, sure. If you need/want
   | UDP/TCP type sharing you could use the underlying OpenZiti
   | overlay network for that, but out of the gate, at this time I
   | don't think it'd support most "P2P editing". zrok certainly
   | doesn't provide that type of functionality at this time
   | [deleted]
   | kerkeslager wrote:
   | This... sounds like something I would be interested in, but I
   | cannot for the life of me understand what this does.
   |
   | Is this decentralized file sharing?
   | spaniard89277 wrote:
   | It seems to me that it is some kind of tunnel/vpn a-la-zerotier?
   | AlbertoGP wrote:
   | In this video from 11 months ago, at 25 min. they say this:
   |
   | "Ziti is only providing a pipe. That's also very important.
   | Some people might think that there is more going on there,
   | but Ziti is literally, just... just a black hole, from one
   | side to the other, and how it gets there... _it's like an SSH
   | tunnel_."
   |
   | https://www.youtube.com/watch?v=qyjM5y8Op_I&t=1509s
   |
   | He goes on to say "_I'm going to say it publicly: my mission is
   | to kill REST. [...] I'm going to bring us all the way back to
   | the 1990s, and we're going to do RPC all over again_"
   |
   | The linked article is about Zrok, which seems to be an
   | application on top of that OpenZiti overlay network on top of
   | the Internet.
   | dovholuknf wrote:
   | Trying to keep it short, I would say OpenZiti is similar to
   | zerotier more so than zrok. This zrok tool though is closer to
   | ngrok. I mentioned that in another comment so hopefully
   | that's easy enough to find in the page.
   | dovholuknf wrote:
   | It's more peer to peer file sharing and web content sharing
   | than truly distributed sharing but with a globally available
   | service, it's "distributed" in a way. It's not doing sharding or
   | anything fancy like that (yet anyway). Right now, it's a
   | dev-focused tool similar to the other projects out there like
   | ngrok/tailscale funnels/cloudflare tunnels etc. There's a fair
   | number of them nowadays. :) But it doesn't need to stay that
   | way and might change.
   |
   | This one is built on top of OpenZiti (I am a dev on that
   | project) which is a secure, zero trust overlay network. It's
   | fully self-hostable and open source which some people find
   | attractive. The hosted version our company is sponsoring for
   | free (at least 'for now').
   |
   | The key goal is to make it super easy and safe to share
   | files/web content.
   | debarshri wrote:
   | On the surface it looks similar to ngrok. Except you can self host
   | this using the open source project openziti that supports the
   | infra for it. It seems to be either a wrapper or implemented
   | using openziti
   | vineyardmike wrote:
   | > zrok provides Private or Public, instant, secure tunneling of
   | applications from anywhere.
   |
   | It's a tunneling tool, to share a port/etc from one computer to
   | another. You can connect to a computer, even if you don't
   | directly have a route to its IP.
   |
   | > Secured effortlessly by using a zero trust overlay network
   | provided by OpenZiti
   |
   | It uses OpenZiti to accomplish the links, as opposed to
   | tailscale, zero tier, cloudflare tunnels, Yggdrasil, etc.
   |
   | > zrok allows sharing other types of resources; rather than
   | just proxying http endpoints, zrok allows users to easily and
   | rapidly share files and web content. zrok is also ready to be
   | extended to easily support many kinds of decentralized resource
   | sharing; zrok provides a framework that makes this kind of
   | peer-to-peer resource sharing simple and secure
   |
   | It looks like it's also extensible, so you can use it to form
   | the communication layer to share other things, files being one
   | example.
   | vapemaster wrote:
   | this was an awesome, non-snarky, explanatory comment. thanks
   | for this.
___________________________________________________________________
(page generated 2023-02-08 23:00 UTC)
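Several comments upthread (dopidopHN, johne20) describe the most common use of a public tunnel such as ngrok or zrok's public share: pointing a third-party service's webhook at a local handler. Once that handler has a public URL, anyone who learns the URL can post to it, so the handler has to authenticate each delivery itself rather than trusting the tunnel. The receiver below is an added example written for this page; it is not code from the thread, from zrok, or from ngrok. It assumes a signing scheme that many providers use in some form but that is not taken from any particular one: the sender computes HMAC-SHA256 over the raw request body under a shared secret and sends the hex digest, prefixed `sha256=`, in an `X-Signature-256` header. The header name, the secret and the sample event are constructed for the example.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Assumptions for this example (not taken from any real webhook provider):
# the sending service signs the raw body with HMAC-SHA256 under a shared
# secret and sends the hex digest, prefixed "sha256=", in this header.
WEBHOOK_SECRET = b"example-shared-secret-change-me"  # constructed sample value
SIGNATURE_HEADER = "X-Signature-256"                 # assumed header name
MAX_BODY_BYTES = 64 * 1024                           # refuse oversized posts


def compute_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received, in 'sha256=<hex>' form."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: Optional[str]) -> bool:
    """Constant-time check of the presented header against our own computation.

    A missing or malformed header fails closed. compare_digest is used so the
    response time does not reveal how many leading bytes of a guess matched.
    """
    if not presented:
        return False
    expected = compute_signature(secret, body).encode("ascii")
    return hmac.compare_digest(expected, presented.encode("utf-8"))


def process_request(body: bytes, presented_signature: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Pure decision function returning (HTTP status, parsed event or None).

    Kept separate from the socket handling so it can be unit-tested and so
    the order of checks is explicit: size limit, then signature, then parsing.
    The body is never parsed before the signature has been verified.
    """
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    if not verify_signature(WEBHOOK_SECRET, body, presented_signature):
        return 401, None
    try:
        event = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(event, dict) or "type" not in event:
        return 400, None
    return 204, event


class WebhookHandler(BaseHTTPRequestHandler):
    """Loopback handler that a tunnel client (ngrok, zrok, ...) forwards to."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0") or 0)
        # Read at most one byte past the limit so oversized bodies are rejected
        # with 413 without buffering an arbitrarily large request.
        body = self.rfile.read(min(length, MAX_BODY_BYTES + 1))
        status, event = process_request(body, self.headers.get(SIGNATURE_HEADER))
        if event is not None:
            # Only authenticated, well-formed events reach the log.
            self.log_message("event type=%s id=%s", event.get("type"), event.get("id"))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; the tunnel client is what makes it reachable.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The handler listens only on 127.0.0.1, which is the pattern the thread describes: the tunnel client, not the handler, is what exposes the port. Because `process_request` is a pure function of the body and the header, the same code can be exercised offline with a constructed event and a signature computed by `compute_signature`, which is how a practitioner would confirm that unsigned, mis-signed, oversized and malformed deliveries are all rejected before any parsing happens.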