first cut of a VPN presentation
parent
1f9b203cb4
commit
22749de762
1 changed files with 352 additions and 0 deletions
352
docs/presentations/2026-0601-vpn tech.md
Normal file
@ -0,0 +1,352 @@
---
marp: true
theme: gaia
class: invert
paginate: true
---

<style>
table { font-size: 0.65em; }
th, td { padding: 0.25em 0.6em; }
section.dense table { font-size: 0.5em; }
section.dense th, section.dense td { padding: 0.2em 0.5em; }
</style>

# VPN Without Vendor Lock-in

### FLOSS Solutions for Secure Networking

MakerFLOSS · June 2026

---

## Why VPNs?

**Remote Access** — Securely connect to your home/office network from anywhere

**Site-to-Site** — Link multiple locations into one virtual network

**Zero Trust** — Replace traditional perimeter security with identity-based access

**Privacy** — Encrypt traffic on untrusted networks

---

## Traditional vs Modern VPNs

| Aspect | Traditional (IPSec, OpenVPN) | Modern (WireGuard-based) |
|--------|------------------------------|--------------------------|
| Codebase | 100k+ lines | ~4,000 lines |
| Speed | Good | Excellent |
| Configuration | Complex | Simple |
| Cryptography | Configurable (risk) | Fixed, modern |
| NAT traversal | Tricky | Built-in (UDP) |
| Battery/CPU | Higher overhead | Minimal |

WireGuard changed everything in 2020 when it was merged into Linux kernel.

---

## The Landscape at a Glance

| Solution | Type | Self-host | Fully FLOSS | NAT punch | UI |
|----------|------|-----------|-------------|-----------|-----|
| **WireGuard** | Protocol | N/A | ✓ | Manual | ✗ |
| **Pangolin** | Reverse proxy | ✓ | ✓ | Via Gerbil | ✓ |
| **Tailscale** | Mesh VPN | Partial | ✗ | DERP | ✓ |
| **Netbird** | Mesh VPN | ✓ | ✓ | STUN/TURN | ✓ |

---

## NAT Traversal Techniques

**Gerbil** (Pangolin)
Public-facing reverse proxy that accepts incoming connections and forwards them through WireGuard tunnels to internal Newt agents. Clients connect *out* to Gerbil.

**DERP** (Tailscale)
Designated Encrypted Relay for Packets — Tailscale's proprietary relay servers. Used when direct peer-to-peer fails. Traffic is encrypted end-to-end; relays see only ciphertext.

---

## NAT Traversal Techniques

**STUN/TURN** (Netbird, standard)
- **STUN**: Discovers your public IP and port mapping — enables direct connections
- **TURN**: Relay fallback when direct connection impossible (strict NAT/firewall)

---

## WireGuard — The Foundation

WireGuard is a **protocol**, not a product. It's the building block the others use.

**Key properties:**

- In-kernel since Linux 5.6 (2020)
- ~4,000 lines of code — auditable
- Cryptographically opinionated: Curve25519, ChaCha20, Poly1305
- Silent by default — no response to unauthenticated packets
- Roaming — endpoints can change IP seamlessly

---

## WireGuard — How It Works

```mermaid
graph LR
subgraph "Peer A (10.0.0.1)"
A[wg0 interface]
end
subgraph "Peer B (10.0.0.2)"
B[wg0 interface]
end
A <-->|"encrypted UDP"| B
```

Each peer has:
- A **private key** (never leaves the device)
- A **public key** (shared with peers)
- An **allowed IPs** list (what traffic goes through the tunnel)

No central server required — but someone has to distribute configs.

---

## WireGuard — Pros and Cons

**Pros**

- Blazing fast, low latency
- Simple config files
- Kernel-level performance
- Battle-tested cryptography

**Cons**

- No built-in key distribution
- No NAT traversal coordination
- No access control policies
- No management UI

**Best for:** sysadmins who want full control, site-to-site links

---

## Pangolin — Self-Hosted Reverse Proxy

Pangolin is a **reverse proxy** and tunneling solution, not a traditional VPN.

**Architecture:**

- **Pangolin** — Central server with web UI and proxy
- **Gerbil** — Public-facing proxy (handles NAT traversal)
- **Newt** — Agent on each client (creates WireGuard tunnel)

**Use case:** Expose internal services to the internet securely without opening ports.

---

## Pangolin — Architecture

```mermaid
graph TB
Internet[Internet] --> Gerbil[Gerbil Proxy]
Gerbil --> Pangolin[Pangolin Server]
Pangolin --> Newt1[Newt Agent]
Pangolin --> Newt2[Newt Agent]
Newt1 --> Service1[Internal Service]
Newt2 --> Service2[Internal Service]
```

Traffic flows: Internet → Gerbil → Pangolin → Newt → Your service

No port forwarding needed on the client side.

---

## Pangolin — Pros and Cons

**Pros**

- Fully self-hosted and FLOSS (Apache 2.0)
- Web UI for managing sites and users
- Automatic HTTPS via Let's Encrypt
- Works behind any NAT
- SSO integration (OIDC)

**Cons**

- Not a mesh VPN — hub-and-spoke only
- Relatively new project
- Requires a public-facing server

**Best for:** exposing self-hosted services, homelab access

---

## Tailscale — The Polished Option

Tailscale builds a **mesh VPN** on top of WireGuard with zero configuration.

**How it works:**

- Coordination server distributes keys and handles NAT traversal
- Devices connect directly when possible (peer-to-peer)
- Falls back to DERP relays when direct connection fails
- MagicDNS provides automatic DNS for all devices

---

## Tailscale — Architecture

```mermaid
graph TB
Coord[Coordination Server] -.->|key exchange| A
Coord -.->|key exchange| B
Coord -.->|key exchange| C
A[Device A] <-->|"direct WireGuard"| B[Device B]
A <-->|"via DERP relay"| C[Device C]
DERP[DERP Relay] --> C
```

Direct connections when possible, relayed when behind strict NAT.

---

## Tailscale — Pros and Cons

**Pros**

- Zero-config setup — just install and sign in
- Excellent NAT traversal
- Cross-platform (Linux, macOS, Windows, iOS, Android)
- MagicDNS and HTTPS certificates
- ACLs and SSO

**Cons**

- Coordination server is **not open source**
- Free tier limited; business features require subscription
- Vendor lock-in concern

**Alternative:** Headscale — FLOSS coordination server (community project)

---

## Netbird — Self-Hosted Mesh VPN

Netbird is a **fully FLOSS** alternative to Tailscale with self-hosting support.

**Components:**

- **Management Server** — handles key distribution, ACLs
- **Signal Server** — coordinates peer connections
- **STUN/TURN** — NAT traversal (coturn)
- **Netbird Agent** — runs on each device

---

## Netbird — Architecture

```mermaid
graph TB
Mgmt[Management Server] -.->|policies, keys| A
Mgmt -.->|policies, keys| B
Signal[Signal Server] -.->|peer discovery| A
Signal -.->|peer discovery| B
A[Device A] <-->|"direct WireGuard"| B[Device B]
TURN[TURN Relay] -.->|fallback| A
```

Self-host everything or use their managed service.

---

## Netbird — Pros and Cons

**Pros**

- Fully FLOSS (BSD-3-Clause)
- Self-hostable control plane
- Web UI for management
- SSO integration (OIDC, SAML)
- Network policies and ACLs
- **Built-in reverse proxy** (v0.65+) — expose services publicly like Pangolin
- Active development

**Cons**

- More complex to self-host than Tailscale to use
- Younger project than Tailscale
- Smaller community

**Best for:** organizations wanting Tailscale-like UX with full control

---

<!-- _class: dense -->

## Detailed Comparison

| Feature | WireGuard | Pangolin | Tailscale | Netbird |
|---------|-----------|----------|-----------|---------|
| **License** | GPL | Apache 2.0 | Proprietary* | BSD-3 |
| **Self-host control plane** | N/A | ✓ | Via Headscale | ✓ |
| **Mesh networking** | Manual | ✗ | ✓ | ✓ |
| **NAT traversal** | Manual | ✓ (Gerbil) | ✓ (DERP) | ✓ (TURN) |
| **Web UI** | ✗ | ✓ | ✓ | ✓ |
| **SSO (OIDC/SAML)** | ✗ | ✓ | ✓ | ✓ |
| **ACLs / Policies** | ✗ | ✓ | ✓ | ✓ |
| **Reverse proxy mode** | ✗ | ✓ | ✗ | ✓ (v0.65+) |

*Tailscale clients are open source, coordination server is not.

---

## Which Should You Choose?

**WireGuard directly** — Full control, simple site-to-site, technical users

**Pangolin** — Expose services publicly, homelab, reverse proxy use case

**Tailscale** — Easiest setup, don't mind some vendor dependency

**Tailscale + Headscale** — Tailscale UX with self-hosted control plane

**Netbird** — Full FLOSS, mesh VPN + reverse proxy, organization with SSO needs

---

## MakerFLOSS Lab Context

From our lab design, we plan to use **Netbird** for:

- Remote access to lab services from outside
- Connecting VPS to local infrastructure via tunnel
- Zero-trust access to pre-production zone

```
VPS -.->|Netbird| FLOSSFirewall
```

Self-hosted on our infrastructure, integrated with Authentik for SSO.

---

## Resources

| Resource | Link |
|----------|------|
| WireGuard | [wireguard.com](https://www.wireguard.com) |
| Pangolin | [github.com/fosrl/pangolin](https://github.com/fosrl/pangolin) |
| Tailscale | [tailscale.com](https://tailscale.com) |
| Headscale | [github.com/juanfont/headscale](https://github.com/juanfont/headscale) |
| Netbird | [netbird.io](https://netbird.io) |
| Netbird GitHub | [github.com/netbirdio/netbird](https://github.com/netbirdio/netbird) |

---

# Questions?

_Slides made with [Marp](https://marp.app)_

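Review bot: The "NAT Traversal Techniques" slide's line `Designated Encrypted Relay for Packets — Tailscale's proprietary relay servers.` misstates the licensing: the DERP relay server (`derper`) is published in Tailscale's open-source client repository and can be self-hosted, and it is the coordination server that is closed, exactly as the "Detailed Comparison" footnote already says; "Tailscale-operated relay servers" would be accurate and consistent with that footnote. The unlabelled fenced block on the "MakerFLOSS Lab Context" slide, `VPS -.->|Netbird| FLOSSFirewall`, has no `mermaid` info string and no `graph` directive, so Marp will render it as literal text rather than as a diagram like the other slides; either make it a complete ```mermaid block starting with `graph LR`, or drop it since the slide's prose already states the same thing. Two wording fixes: the "Traditional vs Modern VPNs" slide should read "merged into the Linux kernel", and the Netbird con `- More complex to self-host than Tailscale to use` should read "More complex to self-host than Tailscale is to use". Finally, the "Zero Trust" bullet on "Why VPNs?" credits the VPN with identity-based access, but on every product compared here that property comes from the control plane's ACL/policy layer and SSO, not from the WireGuard tunnel; a half-sentence saying so would keep the audience from reading plain WireGuard (which the slides correctly list as having no access control policies) as zero trust.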