[HN Gopher] Show HN: WireHub - easily create and share WireGuard...
___________________________________________________________________

Show HN: WireHub - easily create and share WireGuard networks

WireHub is a side project I've been working on, on and off, for close
to a year now. It's made with django and minimal javascript. It's a
hosted WireGuard config generator/manager, that you can invite others
to join your networks and manage their own configs/devices. It's still
very much a beta, maybe an mvp, but I just wanted to get some early
from the community. Thanks!

Author : rudasn
Score  : 79 points
Date   : 2023-11-05 20:54 UTC (2 hours ago)

(HTM) web link (www.wirehub.org)
(TXT) w3m dump (www.wirehub.org)

| mushufasa wrote:
| OOh -- this sounds actually potentially awesome for business
| use-cases. Tailscale is the commercial tool to help setup and manage
| wireguard networks, and it had a big security incident earlier
| this year (though they were prompt to rectify).
|
| I don't use tailscale but I almost did. One of the things that
| caught me was not wanting to give a third party any control.
| (Also, at the time I didn't absolutely have a burning need given
| the number of servers and people involved). Tailscale's model is
| to charge businesses; I'm not sure if you are making this FOSS
| but something FOSS to me would be preferable.
|
| How does the privacy work on your site? I haven't the time to log
| in and play around right now. My main concerns would be if I'm
| posting my configs to a third party, that third party now has a
| vector to 'root' my networks. And if this is a site meant for
| sharing, there's the other concern that I or the site
| accidentally temporarily makes permissions public giving
| strangers that access. I'm sure you've already contemplated this
| in the design; I'd love to hear your approach on this forum.
|
| candiddevmike wrote:
| Have you considered using Headscale?
|
| mushufasa wrote:
| Oh -- yes I did actually. Forgot about that till just now.
|
| linsomniac wrote:
| Tailscale is great, but for anything more than toy uses,
| particularly business uses, where it's a critical part of
| your infra, you should consider paying Tailscale or using
| Nebula. My biggest reasons for saying this are: Headscale
| config errors (including ACL issues) will take down the whole
| Tailnet until you can get it corrected, setting up extra
| "relay" nodes is fairly likely and somewhat "hard"
| (especially without a dedicated IP), and headscale can take
| quite a few resources. Data point: I recently set up a ~200
| node Tailnet with headscale and in retrospect wish I had gone
| with Nebula. Tailscale's "magic" can be nice, but it can also
| lead to network weirdness. For example, I can't seem to use
| the tailnet to route traffic between sites without turning on
| "accept-routes", but turning that on causes traffic for local
| ethernet segments on those nodes to be routed over the
| Tailnet.
|
| Reasons I went with Headscale/Tailscale over Nebula: We could
| enforce periodic re-logins on user workstations, Tailscale
| was good at routing around networking problems (Nebula has
| since added similar functionality), Tailscale's self-service
| is really nice (A user can login from any of their devices
| using OIDC, Nebula you have to generate a cert).
|
| Tailscale and Headscale are both fantastic, just beware of
| the limitations.
|
| cube2222 wrote:
| > and in retrospect wish I had gone with Nebula
|
| Could you expand why (happy Tailscale user here, asking
| mostly out of curiosity)?
|
| helloooooooo wrote:
| Which security issue? https://tailscale.com/security-bulletins/
|
| None of these appear particularly severe?
|
| mushufasa wrote:
| https://emily.id.au/tailscale
|
| linsomniac wrote:
| https://tailscale.com/security-bulletins/#ts-2022-004
|
| It was a pretty severe issue, but tailscale did respond
| quickly to it.
|
| rudasn wrote:
| Thanks for looking into it!
|
| Yes, I thought/think about security a lot. First, you don't
| have to share/upload your private keys to WireHub for it to
| work - the generated configs will only have the public key
| (which we do store, it's public anyway).
|
| Second, if you do provide private keys, you must first
| encrypt them in browser with a password. The password is never
| stored, just used for encryption.
|
| Third, because of 2, to see a full config with private keys and
| everything you need to provide said password.
|
| If you scroll at the bottom of the page you can see the widget
| in action.
|
| I don't want to worry about losing important data, so I try to
| avoid collecting it in the first place.
|
| FL410 wrote:
| Check out Nebula/Defined.net
|
| xrd wrote:
| This looks really interesting. But that might be because I'm
| unsure of something: is this somehow a browser based proxy? Or
| just a way to securely generate wireguard configurations? I'm
| unclear but I'm always interested in wireguard or tailscale
| tools. I'm using headscale with a lot of success.
|
| rudasn wrote:
| Just a config generator. I don't run any servers.
|
| I'm trying to strike a balance between full fledged solutions
| like tailscale, cloudflare tunnels, et al, and cli or gui based
| self hosted solutions like wg-easy and subspace.
|
| So you get to host your nodes, exit nodes, devices whatever and
| fully control what passes through but also a really easy
| way to manage which device gets what config, esp when dealing
| with end-users.
|
| dangoodmanUT wrote:
| I'd add a way to connect networks together so you can have
| devices see each other on the respective networks!
|
| rudasn wrote:
| Ah good one!
|
| I already support having a single WireGuard interface belong in
| multiple networks. So you can enable just a single config on
| your phone and be able to access devices in multiple, unrelated
| networks.
|
| cedws wrote:
| This doesn't have any relation to this right?
| https://github.com/gawen/WireHub
|
| rudasn wrote:
| No, just a name conflict.
___________________________________________________________________
(page generated 2023-11-05 23:00 UTC)
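
The in-browser step rudasn describes in the thread above (encrypt a private key with a password that is never stored, and require that password to view the full config), as an added example that is not WireHub's code. PBKDF2-SHA-256 with AES-256-GCM over WebCrypto, the iteration count, the record fields and all function names are assumptions; the thread does not say what WireHub uses, and the sample keys are constructed random bytes.

```javascript
// Added example, not WireHub's code: password-wrap a WireGuard private key
// client-side so only salt, IV and ciphertext are ever uploaded.
// Assumptions: PBKDF2-SHA-256 + AES-256-GCM, iteration count, record layout.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 20 fallback
const ITERATIONS = 600000; // assumed PBKDF2 work factor
const enc = new TextEncoder();
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Stretch the password into a non-extractable AES-256-GCM key.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Build the record the server would store. The public key is used as AES-GCM
// associated data, so a blob filed under another peer's key fails to decrypt.
async function wrapPrivateKey(privateKey, publicKey, password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(publicKey) },
    key, enc.encode(privateKey));
  return { publicKey, salt: toB64(salt), iv: toB64(iv),
           ciphertext: toB64(new Uint8Array(ct)) };
}

// Returns the private key, or null on a wrong password or a modified record.
async function unwrapPrivateKey(record, password) {
  const key = await deriveKey(password, fromB64(record.salt));
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(record.iv),
        additionalData: enc.encode(record.publicKey) },
      key, fromB64(record.ciphertext));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // GCM tag check failed
  }
}

// Constructed 32-byte stand-ins for a key pair (random, not a real X25519 pair).
const samplePrivate = toB64(wc.getRandomValues(new Uint8Array(32)));
const samplePublic = toB64(wc.getRandomValues(new Uint8Array(32)));
```

A server holding only such a record can still attempt offline password guessing, so the protection is bounded by password strength and the work factor.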