From 22749de762ff52f8d646bef738ea77ec830a3428 Mon Sep 17 00:00:00 2001 From: Lars Rossen Date: Mon, 1 Jun 2026 16:10:26 +0200 Subject: [PATCH] first cut of a VPN presentation --- docs/presentations/2026-0601-vpn tech.md | 352 +++++++++++++++++++++++ 1 file changed, 352 insertions(+) create mode 100644 docs/presentations/2026-0601-vpn tech.md diff --git a/docs/presentations/2026-0601-vpn tech.md b/docs/presentations/2026-0601-vpn tech.md new file mode 100644 index 0000000..75763b5 --- /dev/null +++ b/docs/presentations/2026-0601-vpn tech.md 
@@ -0,0 +1,352 @@ +--- +marp: true +theme: gaia +class: invert +paginate: true +--- + + + +# VPN Without Vendor Lock-in + +### FLOSS Solutions for Secure Networking + +MakerFLOSS · June 2026 + +--- + +## Why VPNs? + +**Remote Access** — Securely connect to your home/office network from anywhere + +**Site-to-Site** — Link multiple locations into one virtual network + +**Zero Trust** — Replace traditional perimeter security with identity-based access + +**Privacy** — Encrypt traffic on untrusted networks + +--- + +## Traditional vs Modern VPNs + +| Aspect | Traditional (IPSec, OpenVPN) | Modern (WireGuard-based) | +|--------|------------------------------|--------------------------| +| Codebase | 100k+ lines | ~4,000 lines | +| Speed | Good | Excellent | +| Configuration | Complex | Simple | +| Cryptography | Configurable (risk) | Fixed, modern | +| NAT traversal | Tricky | Built-in (UDP) | +| Battery/CPU | Higher overhead | Minimal | + +WireGuard changed everything in 2020 when it was merged into Linux kernel. + +--- + +## The Landscape at a Glance + +| Solution | Type | Self-host | Fully FLOSS | NAT punch | UI | +|----------|------|-----------|-------------|-----------|-----| +| **WireGuard** | Protocol | N/A | ✓ | Manual | ✗ | +| **Pangolin** | Reverse proxy | ✓ | ✓ | Via Gerbil | ✓ | +| **Tailscale** | Mesh VPN | Partial | ✗ | DERP | ✓ | +| **Netbird** | Mesh VPN | ✓ | ✓ | STUN/TURN | ✓ | + +--- + +## NAT Traversal Techniques + +**Gerbil** (Pangolin) +Public-facing reverse proxy that accepts incoming connections and forwards them through WireGuard tunnels to internal Newt agents. Clients connect *out* to Gerbil. + +**DERP** (Tailscale) +Designated Encrypted Relay for Packets — Tailscale's proprietary relay servers. Used when direct peer-to-peer fails. Traffic is encrypted end-to-end; relays see only ciphertext. 
+ +--- + +## NAT Traversal Techniques + +**STUN/TURN** (Netbird, standard) +- **STUN**: Discovers your public IP and port mapping — enables direct connections +- **TURN**: Relay fallback when direct connection impossible (strict NAT/firewall) + +--- + +## WireGuard — The Foundation + +WireGuard is a **protocol**, not a product. It's the building block the others use. + +**Key properties:** + +- In-kernel since Linux 5.6 (2020) +- ~4,000 lines of code — auditable +- Cryptographically opinionated: Curve25519, ChaCha20, Poly1305 +- Silent by default — no response to unauthenticated packets +- Roaming — endpoints can change IP seamlessly + +--- + +## WireGuard — How It Works + +```mermaid +graph LR + subgraph "Peer A (10.0.0.1)" + A[wg0 interface] + end + subgraph "Peer B (10.0.0.2)" + B[wg0 interface] + end + A <-->|"encrypted UDP"| B +``` + +Each peer has: +- A **private key** (never leaves the device) +- A **public key** (shared with peers) +- An **allowed IPs** list (what traffic goes through the tunnel) + +No central server required — but someone has to distribute configs. + +--- + +## WireGuard — Pros and Cons + +**Pros** + +- Blazing fast, low latency +- Simple config files +- Kernel-level performance +- Battle-tested cryptography + +**Cons** + +- No built-in key distribution +- No NAT traversal coordination +- No access control policies +- No management UI + +**Best for:** sysadmins who want full control, site-to-site links + +--- + +## Pangolin — Self-Hosted Reverse Proxy + +Pangolin is a **reverse proxy** and tunneling solution, not a traditional VPN. + +**Architecture:** + +- **Pangolin** — Central server with web UI and proxy +- **Gerbil** — Public-facing proxy (handles NAT traversal) +- **Newt** — Agent on each client (creates WireGuard tunnel) + +**Use case:** Expose internal services to the internet securely without opening ports. 
+ +--- + +## Pangolin — Architecture + +```mermaid +graph TB + Internet[Internet] --> Gerbil[Gerbil Proxy] + Gerbil --> Pangolin[Pangolin Server] + Pangolin --> Newt1[Newt Agent] + Pangolin --> Newt2[Newt Agent] + Newt1 --> Service1[Internal Service] + Newt2 --> Service2[Internal Service] +``` + +Traffic flows: Internet → Gerbil → Pangolin → Newt → Your service + +No port forwarding needed on the client side. + +--- + +## Pangolin — Pros and Cons + +**Pros** + +- Fully self-hosted and FLOSS (Apache 2.0) +- Web UI for managing sites and users +- Automatic HTTPS via Let's Encrypt +- Works behind any NAT +- SSO integration (OIDC) + +**Cons** + +- Not a mesh VPN — hub-and-spoke only +- Relatively new project +- Requires a public-facing server + +**Best for:** exposing self-hosted services, homelab access + +--- + +## Tailscale — The Polished Option + +Tailscale builds a **mesh VPN** on top of WireGuard with zero configuration. + +**How it works:** + +- Coordination server distributes keys and handles NAT traversal +- Devices connect directly when possible (peer-to-peer) +- Falls back to DERP relays when direct connection fails +- MagicDNS provides automatic DNS for all devices + +--- + +## Tailscale — Architecture + +```mermaid +graph TB + Coord[Coordination Server] -.->|key exchange| A + Coord -.->|key exchange| B + Coord -.->|key exchange| C + A[Device A] <-->|"direct WireGuard"| B[Device B] + A <-->|"via DERP relay"| C[Device C] + DERP[DERP Relay] --> C +``` + +Direct connections when possible, relayed when behind strict NAT. 
+ +--- + +## Tailscale — Pros and Cons + +**Pros** + +- Zero-config setup — just install and sign in +- Excellent NAT traversal +- Cross-platform (Linux, macOS, Windows, iOS, Android) +- MagicDNS and HTTPS certificates +- ACLs and SSO + +**Cons** + +- Coordination server is **not open source** +- Free tier limited; business features require subscription +- Vendor lock-in concern + +**Alternative:** Headscale — FLOSS coordination server (community project) + +--- + +## Netbird — Self-Hosted Mesh VPN + +Netbird is a **fully FLOSS** alternative to Tailscale with self-hosting support. + +**Components:** + +- **Management Server** — handles key distribution, ACLs +- **Signal Server** — coordinates peer connections +- **STUN/TURN** — NAT traversal (coturn) +- **Netbird Agent** — runs on each device + +--- + +## Netbird — Architecture + +```mermaid +graph TB + Mgmt[Management Server] -.->|policies, keys| A + Mgmt -.->|policies, keys| B + Signal[Signal Server] -.->|peer discovery| A + Signal -.->|peer discovery| B + A[Device A] <-->|"direct WireGuard"| B[Device B] + TURN[TURN Relay] -.->|fallback| A +``` + +Self-host everything or use their managed service. 
+ +--- + +## Netbird — Pros and Cons + +**Pros** + +- Fully FLOSS (BSD-3-Clause) +- Self-hostable control plane +- Web UI for management +- SSO integration (OIDC, SAML) +- Network policies and ACLs +- **Built-in reverse proxy** (v0.65+) — expose services publicly like Pangolin +- Active development + +**Cons** + +- More complex to self-host than Tailscale to use +- Younger project than Tailscale +- Smaller community + +**Best for:** organizations wanting Tailscale-like UX with full control + +--- + + + +## Detailed Comparison + +| Feature | WireGuard | Pangolin | Tailscale | Netbird | +|---------|-----------|----------|-----------|---------| +| **License** | GPL | Apache 2.0 | Proprietary* | BSD-3 | +| **Self-host control plane** | N/A | ✓ | Via Headscale | ✓ | +| **Mesh networking** | Manual | ✗ | ✓ | ✓ | +| **NAT traversal** | Manual | ✓ (Gerbil) | ✓ (DERP) | ✓ (TURN) | +| **Web UI** | ✗ | ✓ | ✓ | ✓ | +| **SSO (OIDC/SAML)** | ✗ | ✓ | ✓ | ✓ | +| **ACLs / Policies** | ✗ | ✓ | ✓ | ✓ | +| **Reverse proxy mode** | ✗ | ✓ | ✗ | ✓ (v0.65+) | + +*Tailscale clients are open source, coordination server is not. + +--- + +## Which Should You Choose? + +**WireGuard directly** — Full control, simple site-to-site, technical users + +**Pangolin** — Expose services publicly, homelab, reverse proxy use case + +**Tailscale** — Easiest setup, don't mind some vendor dependency + +**Tailscale + Headscale** — Tailscale UX with self-hosted control plane + +**Netbird** — Full FLOSS, mesh VPN + reverse proxy, organization with SSO needs + +--- + +## MakerFLOSS Lab Context + +From our lab design, we plan to use **Netbird** for: + +- Remote access to lab services from outside +- Connecting VPS to local infrastructure via tunnel +- Zero-trust access to pre-production zone + +``` +VPS -.->|Netbird| FLOSSFirewall +``` + +Self-hosted on our infrastructure, integrated with Authentik for SSO. 
+ +--- + +## Resources + +| Resource | Link | +|----------|------| +| WireGuard | [wireguard.com](https://www.wireguard.com) | +| Pangolin | [github.com/fosrl/pangolin](https://github.com/fosrl/pangolin) | +| Tailscale | [tailscale.com](https://tailscale.com) | +| Headscale | [github.com/juanfont/headscale](https://github.com/juanfont/headscale) | +| Netbird | [netbird.io](https://netbird.io) | +| Netbird GitHub | [github.com/netbirdio/netbird](https://github.com/netbirdio/netbird) | + +--- + +# Questions? + +_Slides made with [Marp](https://marp.app)_ +
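Review bot: The "Traditional vs Modern VPNs" table contradicts the later WireGuard slides: it lists NAT traversal as "Built-in (UDP)" for WireGuard-based VPNs, while the landscape table marks WireGuard's NAT punch as "Manual" and the cons slide says "No NAT traversal coordination". The protocol itself only gives you UDP and endpoint roaming; the hole punching and relays come from the products layered on top (Gerbil, DERP, STUN/TURN), so either qualify that cell (e.g. "Easier (UDP, roaming); coordination left to the product") or move the claim to the Tailscale/Netbird rows. Smaller points in the same hunk: "More complex to self-host than Tailscale to use" is garbled, probably "More complex to self-host than Tailscale is to use"; "merged into Linux kernel" wants "the"; the last diagram on the lab-context slide is an untagged fence holding a single bare edge (`VPS -.->|Netbird| FLOSSFirewall`) with no `graph` header, so it is inconsistent with the other diagrams, which use tagged `mermaid` fences with a `graph TB`/`graph LR` line, and should either be made a full tagged diagram or kept as plain text deliberately; and the new file path `docs/presentations/2026-0601-vpn tech.md` contains a space and a non-ISO date, which is awkward for tooling and inconsistent with the 2026-06-01 date in the commit, so consider `2026-06-01-vpn-tech.md`.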