Drop #177 (2023-01-13): Weekend Project Edition
What A Mesh!
We’re mixing up this week's WPE to be something a bit less grandiose in nature (yes, I am keenly aware of the complexity levels of many of the previous drops). That doesn't mean it will lack utility!
The forthcoming password manager drop (which will also discuss 2FA/MFA) will have a suggested (but not required) dependency on WireGuard. As such, today, we dig a bit deeper into that technology than we have in previous drops and present a far more achievable goal to reach by the weekend's terminus.
Fundamentally, your goal is to set up a WireGuard network, with some extra credit tossed in for good measure.
Disclaimer: as usual, I get nothing from links to vendors save the knowledge I’m leaving you in good hands (unless I preface a vendor link with a snarky remark about how horrible they are).
My main goal for this one is to help make your digital life a bit safer.
While phishing remains a major entry path for attackers, a great deal of cybercrime still happens through brute-force or credential-stuffing attacks (where large numbers of random or known credentials are tried against anything with a login prompt). A further large share comes from mass attempts to exploit vulnerabilities.
Anything exposing services to the internet is at risk.
I have yet to delve into other parts of this blog series, but that one alone should help paint a picture of how quickly and frequently internet-facing IP addresses are probed (and, that's just from the benign sources). If you can keep a service from being on the internet, it is, by default, orders of magnitude safer. If you have your mobile devices, laptops/desktops, and all services running on the same WireGuard network, you can access them all in a safe, confidential context.
I run many backend web/API services on my beefy home server that are accessible only via WireGuard. Others are proxied to a few internet-facing nodes. I also have some remote RStudio and Shiny server instances that are only accessible via Tailscale. All these used to be directly internet-facing. It's nice not seeing all the failed login attempts in the app logs.
Y'all should 👀 this presentation before beginning, even if you think you "know" WireGuard already. It's a few years old, but it's aimed at folks new to WireGuard who want a peek at the internals, but really just want to know what they're getting themselves into.
I'm oversimplifying, but the chief distinctions between WireGuard and traditional "virtual private networks" (VPN) are:
simplicity — WireGuard is very opinionated about how it does what it does, so it is less bulky than other VPNs
speed — It's faster partly because of the first bullet, but it is also multicore aware (so it can take advantage of everything your hardware can offer), and the connection and per-packet overheads are much smaller than in previous VPN technologies
resilience — while WireGuard lacks some resiliency when it comes to thwarting censorship, it fully supports the host's real-network-facing IP address changing, which means there is no need to re-establish the VPN connection when you are roaming around the planet
You can 100% deal with just pure WireGuard.
They even have a quick start, and a basic tool even called
To connect a couple of devices, you install WireGuard on each of them, generate keys for each of them, and then lovingly handcraft a text config file for each device.
The config has details about the device (listen port, private IP address, private key) plus info on the peer device (public key, a reachable endpoint for the peer, and the private IP(s) associated with the peer). While fairly straightforward (once you grok the terminology), each and every pair of devices requires a new config entry, and you need to maintain that on all the nodes (that's somewhat of a fib), so your configs expand quadratically.
If you don't have many devices, then manual WireGuard isn't too painful.
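To make the "expands quadratically" point concrete, here is an added example (not code from the drop or the WireGuard project) that renders a full-mesh set of WireGuard config files: every device gets one [Peer] block per other device, so N devices mean N*(N-1) peer entries to keep in sync. The keys, the 10.66.0.0/24 overlay range and the vps.example.org endpoint are constructed placeholders; real keys come from `wg genkey` and `wg pubkey`.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    name: str
    private_key: str                 # from `wg genkey` (placeholder below)
    public_key: str                  # from `wg pubkey` (placeholder below)
    overlay_ip: str                  # address inside the WireGuard network
    endpoint: Optional[str] = None   # "host:port" only if reachable from the internet
    listen_port: int = 51820

def render_config(me: Device, devices: list[Device]) -> str:
    """Config for `me`: one [Interface] block plus one [Peer] block per other device."""
    lines = ["[Interface]", f"PrivateKey = {me.private_key}",
             f"Address = {me.overlay_ip}/24", f"ListenPort = {me.listen_port}"]
    for p in devices:
        if p is me:
            continue
        lines += ["", f"# peer: {p.name}", "[Peer]", f"PublicKey = {p.public_key}",
                  f"AllowedIPs = {p.overlay_ip}/32"]  # accept/route only this peer's overlay IP
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}")
            if me.endpoint is None:
                # we sit behind NAT: keep the mapping open so the peer can reach us
                lines.append("PersistentKeepalive = 25")
        elif me.endpoint is None:
            lines.append("# WARNING: neither side has a reachable endpoint; "
                         "plain WireGuard cannot connect these two directly")
    return "\n".join(lines) + "\n"

def render_mesh(devices: list[Device]) -> dict[str, str]:
    """One config per device; [Peer] blocks total N*(N-1) across the mesh."""
    return {d.name: render_config(d, devices) for d in devices}

def peer_block_total(configs: dict[str, str]) -> int:
    return sum(c.count("[Peer]") for c in configs.values())

def sample_mesh(n: int) -> list[Device]:
    """Constructed devices with obviously fake placeholder keys; only dev0 is internet-facing."""
    return [Device(name=f"dev{i}",
                   private_key=f"PLACEHOLDER_PRIVATE_KEY_{i}",
                   public_key=f"PLACEHOLDER_PUBLIC_KEY_{i}",
                   overlay_ip=f"10.66.0.{i + 1}",
                   endpoint="vps.example.org:51820" if i == 0 else None)
            for i in range(n)]
```

`render_mesh(sample_mesh(4))` gives four configs with twelve peer blocks in total; the WARNING lines show why two NATed devices need a coordination/relay layer such as Tailscale to talk directly.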
It is just painful enough, though, that I use Tailscale.
Fundamentally, you're outsourcing configuration management to Tailscale when you choose to rely on it for managing your WireGuard overlay network. Tailscale supports some fairly complex setups, but the basic one — a single private network for all your devices — "just works" out of the box.
Install the client on everything you want connected, log in, and you're done. All your nodes even get a spiffy, private MagicDNS name for easy access.
You can choose to add some complexity into the mix if you want to run your own coordination service rather than relying on Tailscale. This involves poking around the headscale project, which takes the place of Tailscale's infrastructure. While the Tailscale crew seem to be nice folks, their free offering can go away on a whim. They are a business. Businesses need 💰. So, at the very least, if you go the Tailscale route, try to get familiar with headscale.
If you're a user of Ubiquiti network kit, there are also ways to drop Tailscale on your gateway(s).
Tailscale WireGuard Alternative: Netmaker
Tailscale/headscale aren't the only players in town. Netmaker is a freemium alternative that also uses WireGuard.
You can read more about it and also check out how much coin it'll cost you if you go pro.
Different Technology Alternative: Nebula
Slack built Nebula (whose VPN technology is based partly on tinc) to solve a similar problem. One chap I know, Ryan Huber, is brilliant (he used to be at Slack) and now helps run Defined Networks, which has a similar freemium offering as Slack.
They aren't 1:1 similar, but you will, essentially, have the same safety and resilience with it. You can read more in the docs.
While obviously biased, Tailscale has a pretty accurate set of comparisons between various VPN/mesh alternatives. It’s shockingly comprehensive and honest (which is unusual for businesses in general these days), which does mean Tailscale is pretty self-aware.
So, your goal is to have a private, overlay mesh network set up by the end of the weekend.
The stretch goal is:
if you already have internet-facing services, remove at least one of them and make it WireGuard-only
if not, spend some coin on a $5.00 USD/month one (or fire up a Raspberry Pi at home/stick a web server on an always-connected computer at home), and get nginx on it, then wire it up!
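A quick way to check how far you have got with the stretch goal is to look at what is still listening on the real network. The added example below (mine, not from the drop) parses `ss -ltn` output and buckets each listener as overlay-only, loopback-only, or still exposed; the sample output, the 10.66.0.0/24 overlay range and the 10.66.0.1 overlay address are constructed.

```python
import ipaddress

WILDCARDS = {"0.0.0.0", "*", "::"}

# Constructed sample of `ss -ltn` output (not from the drop); 10.66.0.1 is the
# host's WireGuard overlay address, 8787 is an RStudio Server listener.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    10.66.0.1:443       0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0      4096   10.66.0.1:8787      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

def parse_ss_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (address, port) for each LISTEN row; the header row is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # split off the port
        addr = addr.strip("[]").split("%")[0]      # drop IPv6 brackets and %iface suffix
        listeners.append((addr, int(port)))
    return listeners

def classify(listeners, overlay_net: str) -> dict[str, list[tuple[str, int]]]:
    """Bucket listeners: overlay-only, loopback-only, or exposed on the real network."""
    net = ipaddress.ip_network(overlay_net)
    out = {"overlay_only": [], "local_only": [], "exposed": []}
    for addr, port in listeners:
        if addr in WILDCARDS:                         # bound to every interface
            out["exposed"].append((addr, port))
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            out["local_only"].append((addr, port))
        elif ip.version == net.version and ip in net:
            out["overlay_only"].append((addr, port))
        else:                                         # LAN/public address: reachable off-mesh
            out["exposed"].append((addr, port))
    return out

def exposed_ports(ss_output: str, overlay_net: str) -> list[int]:
    """The ports a 'make it WireGuard-only' cleanup still has to deal with."""
    return sorted({p for _, p in classify(parse_ss_listeners(ss_output), overlay_net)["exposed"]})
```

On the sample, nginx on 443 and RStudio on 8787 are already overlay-only, while 22 and 80 are still bound to all interfaces and show up in `exposed_ports`.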
I'll be around all weekend, so drop a comment if you need some guidance; and, def drop a comment if you want to opine about your experience (either with a blog/Fediverse post link or the full text).