---
marp: true
theme: gaia
class: invert
paginate: true
---

# VPN Without Vendor Lock-in

### FLOSS Solutions for Secure Networking

MakerFLOSS · June 2026

---

## Why VPNs?

**Remote Access** — Securely connect to your home/office network from anywhere

**Site-to-Site** — Link multiple locations into one virtual network

**Zero Trust** — Replace traditional perimeter security with identity-based access

**Privacy** — Encrypt traffic on untrusted networks

---

## Traditional vs Modern VPNs

| Aspect | Traditional (IPSec, OpenVPN) | Modern (WireGuard-based) |
|--------|------------------------------|--------------------------|
| Codebase | 100k+ lines | ~4,000 lines |
| Speed | Good | Excellent |
| Configuration | Complex | Simple |
| Cryptography | Configurable (risk) | Fixed, modern |
| NAT traversal | Tricky | Built-in (UDP) |
| Battery/CPU | Higher overhead | Minimal |

WireGuard changed everything in 2020 when it was merged into the Linux kernel.

---

## The Landscape at a Glance

| Solution | Type | Self-host | Fully FLOSS | NAT punch | UI |
|----------|------|-----------|-------------|-----------|-----|
| **WireGuard** | Protocol | N/A | ✓ | Manual | ✗ |
| **Pangolin** | Reverse proxy | ✓ | ✓ | Via Gerbil | ✓ |
| **Tailscale** | Mesh VPN | Partial | ✗ | DERP | ✓ |
| **Netbird** | Mesh VPN | ✓ | ✓ | STUN/TURN | ✓ |

---

## NAT Traversal Techniques

**Gerbil** (Pangolin)

Public-facing reverse proxy that accepts incoming connections and forwards them through WireGuard tunnels to internal Newt agents. Clients connect *out* to Gerbil.

**DERP** (Tailscale)

Designated Encrypted Relay for Packets — Tailscale's proprietary relay servers. Used when direct peer-to-peer fails. Traffic is encrypted end-to-end; relays see only ciphertext.
---

## NAT Traversal Techniques

**STUN/TURN** (Netbird, standard)

- **STUN**: Discovers your public IP and port mapping — enables direct connections
- **TURN**: Relay fallback when direct connection impossible (strict NAT/firewall)

---

## WireGuard — The Foundation

WireGuard is a **protocol**, not a product. It's the building block the others use.

**Key properties:**

- In-kernel since Linux 5.6 (2020)
- ~4,000 lines of code — auditable
- Cryptographically opinionated: Curve25519, ChaCha20, Poly1305
- Silent by default — no response to unauthenticated packets
- Roaming — endpoints can change IP seamlessly

---

## WireGuard — How It Works

```mermaid
graph LR
  subgraph "Peer A (10.0.0.1)"
    A[wg0 interface]
  end
  subgraph "Peer B (10.0.0.2)"
    B[wg0 interface]
  end
  A <-->|"encrypted UDP"| B
```

Each peer has:

- A **private key** (never leaves the device)
- A **public key** (shared with peers)
- An **allowed IPs** list (what traffic goes through the tunnel)

No central server required — but someone has to distribute configs.

---

## WireGuard — Pros and Cons

**Pros**

- Blazing fast, low latency
- Simple config files
- Kernel-level performance
- Battle-tested cryptography

**Cons**

- No built-in key distribution
- No NAT traversal coordination
- No access control policies
- No management UI

**Best for:** sysadmins who want full control, site-to-site links

---

## Pangolin — Self-Hosted Reverse Proxy

Pangolin is a **reverse proxy** and tunneling solution, not a traditional VPN.

**Architecture:**

- **Pangolin** — Central server with web UI and proxy
- **Gerbil** — Public-facing proxy (handles NAT traversal)
- **Newt** — Agent on each client (creates WireGuard tunnel)

**Use case:** Expose internal services to the internet securely without opening ports.
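---

## WireGuard Config (Added Example)

An added example, not code from the WireGuard project or from Pangolin: it renders the `[Interface]`/`[Peer]` files for the two-peer setup on the WireGuard slides (the same peer model Pangolin's Newt agent builds its tunnels on) and checks the two things that most often go wrong, malformed keys and overlapping AllowedIPs. WireGuard routes an outbound packet to whichever peer's AllowedIPs contain its destination, so an overlap means traffic can reach the wrong peer. The keys are constructed placeholders (32 bytes of base64, not real key pairs) and `vpn.example.org:51820` is an assumed endpoint.

```python
"""Build WireGuard peer configs from a peer table and check the cryptokey
routing table for bad keys and ambiguous AllowedIPs.

Added example; not code from the WireGuard project or from Pangolin.
All keys are constructed placeholders, never use them on a real interface.
"""
import base64
import ipaddress


def placeholder_key(fill: int) -> str:
    """Constructed 32-byte key, base64-encoded like a real WireGuard key (44 chars)."""
    return base64.b64encode(bytes([fill]) * 32).decode()


# Constructed peer table. Endpoint and addresses are assumptions for the example.
PEERS = {
    "hq-gateway": {
        "private_key": placeholder_key(0x11),
        "public_key": placeholder_key(0xA1),
        "address": "10.0.0.1/24",
        "endpoint": "vpn.example.org:51820",      # assumed fixed public endpoint
        "allowed_ips": ["10.0.0.1/32", "192.168.10.0/24"],   # tunnel IP + office LAN
    },
    "laptop": {
        "private_key": placeholder_key(0x22),
        "public_key": placeholder_key(0xA2),
        "address": "10.0.0.2/24",
        "endpoint": None,                         # roaming client, endpoint learned on handshake
        "allowed_ips": ["10.0.0.2/32"],
    },
}


def valid_key(key: str) -> bool:
    """A WireGuard key must be base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def routing_conflicts(peers: dict) -> list:
    """Return (peer_a, peer_b, prefix) triples whose AllowedIPs overlap.

    Overlaps are treated as misconfiguration: the kernel picks one peer for a
    destination and the other peer's traffic is silently misrouted.
    """
    owned = []        # (peer name, ip_network) seen so far
    conflicts = []
    for name, cfg in peers.items():
        for prefix in cfg["allowed_ips"]:
            net = ipaddress.ip_network(prefix, strict=True)   # rejects host bits set
            for other_name, other_net in owned:
                if other_name != name and net.overlaps(other_net):
                    conflicts.append((other_name, name, str(net)))
            owned.append((name, net))
    return conflicts


def render_config(name: str, peers: dict) -> str:
    """Render the wg-quick style file for `name`, with every other peer as a [Peer].

    Only the local private key appears in [Interface]; other peers contribute
    their public keys only, so a private key never leaves its own device.
    """
    me = peers[name]
    if not valid_key(me["private_key"]):
        raise ValueError(f"{name}: private key is not 32 base64-encoded bytes")
    lines = ["[Interface]",
             f"PrivateKey = {me['private_key']}",
             f"Address = {me['address']}",
             "ListenPort = 51820"]
    for other, cfg in peers.items():
        if other == name:
            continue
        if not valid_key(cfg["public_key"]):
            raise ValueError(f"{other}: public key is not 32 base64-encoded bytes")
        lines += ["", f"# {other}", "[Peer]",
                  f"PublicKey = {cfg['public_key']}",
                  f"AllowedIPs = {', '.join(cfg['allowed_ips'])}"]
        if cfg["endpoint"]:
            lines.append(f"Endpoint = {cfg['endpoint']}")
            lines.append("PersistentKeepalive = 25")   # keeps the NAT mapping alive from behind NAT
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    assert not routing_conflicts(PEERS), routing_conflicts(PEERS)
    print(render_config("laptop", PEERS))
```

Run the script to print the laptop's config; `routing_conflicts` is what you would run over a whole peer table before handing configs out, which is exactly the key-distribution step the slides note WireGuard itself does not provide.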
---

## Pangolin — Architecture

```mermaid
graph TB
  Internet[Internet] --> Gerbil[Gerbil Proxy]
  Gerbil --> Pangolin[Pangolin Server]
  Pangolin --> Newt1[Newt Agent]
  Pangolin --> Newt2[Newt Agent]
  Newt1 --> Service1[Internal Service]
  Newt2 --> Service2[Internal Service]
```

Traffic flows: Internet → Gerbil → Pangolin → Newt → Your service

No port forwarding needed on the client side.

---

## Pangolin — Pros and Cons

**Pros**

- Fully self-hosted and FLOSS (Apache 2.0)
- Web UI for managing sites and users
- Automatic HTTPS via Let's Encrypt
- Works behind any NAT
- SSO integration (OIDC)

**Cons**

- Not a mesh VPN — hub-and-spoke only
- Relatively new project
- Requires a public-facing server

**Best for:** exposing self-hosted services, homelab access

---

## Tailscale — The Polished Option

Tailscale builds a **mesh VPN** on top of WireGuard with zero configuration.

**How it works:**

- Coordination server distributes keys and handles NAT traversal
- Devices connect directly when possible (peer-to-peer)
- Falls back to DERP relays when direct connection fails
- MagicDNS provides automatic DNS for all devices

---

## Tailscale — Architecture

```mermaid
graph TB
  Coord[Coordination Server] -.->|key exchange| A
  Coord -.->|key exchange| B
  Coord -.->|key exchange| C
  A[Device A] <-->|"direct WireGuard"| B[Device B]
  A <-->|"via DERP relay"| C[Device C]
  DERP[DERP Relay] --> C
```

Direct connections when possible, relayed when behind strict NAT.
---

## Tailscale — Pros and Cons

**Pros**

- Zero-config setup — just install and sign in
- Excellent NAT traversal
- Cross-platform (Linux, macOS, Windows, iOS, Android)
- MagicDNS and HTTPS certificates
- ACLs and SSO

**Cons**

- Coordination server is **not open source**
- Free tier limited; business features require subscription
- Vendor lock-in concern

**Alternative:** Headscale — FLOSS coordination server (community project)

---

## Netbird — Self-Hosted Mesh VPN

Netbird is a **fully FLOSS** alternative to Tailscale with self-hosting support.

**Components:**

- **Management Server** — handles key distribution, ACLs
- **Signal Server** — coordinates peer connections
- **STUN/TURN** — NAT traversal (coturn)
- **Netbird Agent** — runs on each device

---

## Netbird — Architecture

```mermaid
graph TB
  Mgmt[Management Server] -.->|policies, keys| A
  Mgmt -.->|policies, keys| B
  Signal[Signal Server] -.->|peer discovery| A
  Signal -.->|peer discovery| B
  A[Device A] <-->|"direct WireGuard"| B[Device B]
  TURN[TURN Relay] -.->|fallback| A
```

Self-host everything or use their managed service.
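---

## STUN Binding Exchange (Added Example)

The STUN step from the NAT traversal slides is what Netbird's coturn component provides: a peer asks a public server "what address and port did you see me from?" so it can tell the other side where to send direct WireGuard packets. The following is an added example, not Netbird's or coturn's code. It builds an RFC 5389 Binding Request, simulates the server in-process (so nothing touches the network), and decodes the XOR-MAPPED-ADDRESS attribute from the response, rejecting any response whose transaction id does not match the request. The IP addresses are constructed documentation values.

```python
"""STUN Binding exchange (RFC 5389) for public IP:port discovery.

Added example; not code from Netbird or coturn. The 'server' side is
simulated in-process with a constructed reflexive address, so it runs offline.
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI12s"     # type, message length, magic cookie, 96-bit transaction id


def build_binding_request(txid: bytes = b"") -> tuple:
    """Client side: a bare 20-byte header with a random transaction id."""
    if len(txid) != 12:
        txid = os.urandom(12)
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def handle_binding_request(request: bytes, seen_ip: str, seen_port: int) -> bytes:
    """Server side (simulated): echo the transaction id and report the source
    address the server saw, XOR-ed with the magic cookie so NATs that rewrite
    literal addresses in payloads cannot corrupt it."""
    mtype, _, cookie, txid = struct.unpack(HEADER, request[:20])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN binding request")
    xport = seen_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(seen_ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)       # reserved, family=IPv4
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_response(msg: bytes, expected_txid: bytes) -> tuple:
    """Client side: validate the header, bind the response to our request by
    transaction id, then un-XOR the mapped address. Returns (ip, port)."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, txid = struct.unpack(HEADER, msg[:20])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN binding success response")
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed response")
    body = msg[20:20 + length]
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS:
            if alen < 8:
                raise ValueError("truncated XOR-MAPPED-ADDRESS")
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((alen + 3) & ~3)       # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def discover_reflexive_address(seen_ip: str, seen_port: int) -> tuple:
    """Run the whole exchange in-process: request -> simulated server -> parsed reply."""
    request, txid = build_binding_request()
    response = handle_binding_request(request, seen_ip, seen_port)
    return parse_binding_response(response, txid)


if __name__ == "__main__":
    # Constructed scenario: the NAT mapped our 192.168.1.10:51820 to 203.0.113.7:40123.
    print(discover_reflexive_address("203.0.113.7", 40123))
```

In a real agent the request goes out over the same UDP socket WireGuard will use, so the mapping the server reports is the one the remote peer must target; if the mapping differs per destination (symmetric NAT), STUN alone fails and the agent falls back to TURN, as the Netbird architecture slide shows.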
---

## Netbird — Pros and Cons

**Pros**

- Fully FLOSS (BSD-3-Clause)
- Self-hostable control plane
- Web UI for management
- SSO integration (OIDC, SAML)
- Network policies and ACLs
- **Built-in reverse proxy** (v0.65+) — expose services publicly like Pangolin
- Active development

**Cons**

- More complex to self-host than Tailscale is to use
- Younger project than Tailscale
- Smaller community

**Best for:** organizations wanting Tailscale-like UX with full control

---

## Detailed Comparison

| Feature | WireGuard | Pangolin | Tailscale | Netbird |
|---------|-----------|----------|-----------|---------|
| **License** | GPL | Apache 2.0 | Proprietary* | BSD-3 |
| **Self-host control plane** | N/A | ✓ | Via Headscale | ✓ |
| **Mesh networking** | Manual | ✗ | ✓ | ✓ |
| **NAT traversal** | Manual | ✓ (Gerbil) | ✓ (DERP) | ✓ (TURN) |
| **Web UI** | ✗ | ✓ | ✓ | ✓ |
| **SSO (OIDC/SAML)** | ✗ | ✓ | ✓ | ✓ |
| **ACLs / Policies** | ✗ | ✓ | ✓ | ✓ |
| **Reverse proxy mode** | ✗ | ✓ | ✗ | ✓ (v0.65+) |

*Tailscale clients are open source, coordination server is not.

---

## Which Should You Choose?

**WireGuard directly** — Full control, simple site-to-site, technical users

**Pangolin** — Expose services publicly, homelab, reverse proxy use case

**Tailscale** — Easiest setup, don't mind some vendor dependency

**Tailscale + Headscale** — Tailscale UX with self-hosted control plane

**Netbird** — Full FLOSS, mesh VPN + reverse proxy, organization with SSO needs

---

## MakerFLOSS Lab Context

From our lab design, we plan to use **Netbird** for:

- Remote access to lab services from outside
- Connecting VPS to local infrastructure via tunnel
- Zero-trust access to pre-production zone

```
VPS -.->|Netbird| FLOSSFirewall
```

Self-hosted on our infrastructure, integrated with Authentik for SSO.
---

## Resources

| Resource | Link |
|----------|------|
| WireGuard | [wireguard.com](https://www.wireguard.com) |
| Pangolin | [github.com/fosrl/pangolin](https://github.com/fosrl/pangolin) |
| Tailscale | [tailscale.com](https://tailscale.com) |
| Headscale | [github.com/juanfont/headscale](https://github.com/juanfont/headscale) |
| Netbird | [netbird.io](https://netbird.io) |
| Netbird GitHub | [github.com/netbirdio/netbird](https://github.com/netbirdio/netbird) |

---

# Questions?

_Slides made with [Marp](https://marp.app)_