[HN Gopher] Show HN: WireHub - easily create and share WireGuard...
___________________________________________________________________
Show HN: WireHub - easily create and share WireGuard networks
WireHub is a side project I've been working on, on and off, for
close to a year now. It's made with Django and minimal JavaScript.
It's a hosted WireGuard config generator/manager, that you can
invite others to join your networks and manage their own
configs/devices. It's still very much a beta, maybe an MVP, but I
just wanted to get some early feedback from the community. Thanks!
Author : rudasn
Score : 79 points
Date : 2023-11-05 20:54 UTC (2 hours ago)
(HTM) web link (www.wirehub.org)
(TXT) w3m dump (www.wirehub.org)
| mushufasa wrote:
| Ooh -- this sounds actually potentially awesome for business use-
| cases. Tailscale is the commercial tool to help set up and manage
| WireGuard networks, and it had a big security incident earlier
| this year (though they were prompt to rectify).
|
| I don't use tailscale but I almost did. One of the things that
| caught me was not wanting to give a third party any control.
| (Also, at the time I didn't absolutely have a burning need given
| the number of servers and people involved). Tailscale's model is
| to charge businesses; I'm not sure if you are making this FOSS
| but something FOSS to me would be preferable.
|
| How does the privacy work on your site? I haven't the time to log
| in and play around right now. My main concerns would be if I'm
| posting my configs to a third party, that third party now has a
| vector to 'root' my networks. And if this is a site meant for
| sharing, there's the other concern that I or the site
| accidentally temporarily makes permissions public giving
| strangers that access. I'm sure you've already contemplated this
| in the design; I'd love to hear your approach on this forum.
| candiddevmike wrote:
| Have you considered using Headscale?
| mushufasa wrote:
| Oh -- yes I did actually. Forgot about that till just now.
| linsomniac wrote:
| Tailscale is great, but for anything more than toy uses,
| particularly business uses, where it's a critical part of
| your infra, you should consider paying Tailscale or using
| Nebula. My biggest reasons for saying this are: Headscale
| config errors (including ACL issues) will take down the whole
| Tailnet until you can get it corrected, setting up extra
| "relay" nodes is fairly likely and somewhat "hard"
| (especially without a dedicated IP), and headscale can take
| quite a few resources. Data point: I recently set up a ~200
| node Tailnet with headscale and in retrospect wish I had gone
| with Nebula. Tailscale's "magic" can be nice, but it can also
| lead to network weirdness. For example, I can't seem to use
| the tailnet to route traffic between sites without turning on
| "accept-routes", but turning that on causes traffic for local
| ethernet segments on those nodes to be routed over the
| Tailnet.
|
| Reasons I went with Headscale/Tailscale over Nebula: We could
| enforce periodic re-logins on user workstations, Tailscale
| was good at routing around networking problems (Nebula has
| since added similar functionality), Tailscale's self-service
| is really nice (A user can log in from any of their devices
| using OIDC, Nebula you have to generate a cert).
|
| Tailscale and Headscale are both fantastic, just beware of
| the limitations.
| cube2222 wrote:
| > and in retrospect wish I had gone with Nebula
|
| Could you expand why (happy Tailscale user here, asking
| mostly out of curiosity)?
| helloooooooo wrote:
| Which security issue? https://tailscale.com/security-bulletins/
|
| None of these appear particularly severe?
| mushufasa wrote:
| https://emily.id.au/tailscale
| linsomniac wrote:
| https://tailscale.com/security-bulletins/#ts-2022-004
|
| It was a pretty severe issue, but tailscale did respond
| quickly to it.
| rudasn wrote:
| Thanks for looking into it!
|
| Yes, I thought/think about security a lot. First, you don't
| have to share/upload your private keys to WireHub for it to
| work - the generated configs will only have the public key
| (which we do store, it's public anyway).
|
| Second, if you do provide private keys, you must first
| encrypt them in browser with a password. The password is never
| stored, just used for encryption.
|
| Third, because of 2, to see a full config with private keys and
| everything you need to provide said password.
|
| If you scroll to the bottom of the page you can see the widget
| in action.
|
| I don't want to worry about losing important data, so I try to
| avoid collecting it in the first place.
| FL410 wrote:
| Check out Nebula/Defined.net
| xrd wrote:
| This looks really interesting. But that might be because I'm
| unsure of something: is this somehow a browser based proxy? Or
| just a way to securely generate wireguard configurations? I'm
| unclear but I'm always interested in wireguard or tailscale
| tools. I'm using headscale with a lot of success.
| rudasn wrote:
| Just a config generator. I don't run any servers.
|
| I'm trying to strike a balance between full fledged solutions
| like tailscale, cloudflare tunnels, et al, and cli or gui based
| self hosted solutions like wg-easy and subspace.
|
| So you get to host your nodes, exit nodes, devices whatever and
| fully control what passes through but also a really easy
| way to manage which device gets what config, esp when dealing
| with end-users.
| dangoodmanUT wrote:
| I'd add a way to connect networks together so you can have
| devices see each other on the respective networks!
| rudasn wrote:
| Ah good one!
|
| I already support having a single WireGuard interface belong in
| multiple networks. So you can enable just a single config on
| your phone and be able to access devices in multiple, unrelated
| networks.
| cedws wrote:
| This doesn't have any relation to this right?
| https://github.com/gawen/WireHub
| rudasn wrote:
| No, just a name conflict.
___________________________________________________________________
(page generated 2023-11-05 23:00 UTC)