MakerFLOSS/docs/presentations/2026-0601-vpn tech.md
Lars Rossen 22749de762
first cut of a VPN presentation
2026-06-01 16:10:26 +02:00

---
marp: true
theme: gaia
class: invert
paginate: true
---
<style>
table { font-size: 0.65em; }
th, td { padding: 0.25em 0.6em; }
section.dense table { font-size: 0.5em; }
section.dense th, section.dense td { padding: 0.2em 0.5em; }
</style>
# VPN Without Vendor Lock-in
### FLOSS Solutions for Secure Networking

MakerFLOSS · June 2026

---
## Why VPNs?

**Remote Access** — Securely connect to your home/office network from anywhere

**Site-to-Site** — Link multiple locations into one virtual network

**Zero Trust** — Replace traditional perimeter security with identity-based access

**Privacy** — Encrypt traffic on untrusted networks

---
## Traditional vs Modern VPNs

| Aspect | Traditional (IPSec, OpenVPN) | Modern (WireGuard-based) |
|--------|------------------------------|--------------------------|
| Codebase | 100k+ lines | ~4,000 lines |
| Speed | Good | Excellent |
| Configuration | Complex | Simple |
| Cryptography | Configurable (risk) | Fixed, modern |
| NAT traversal | Tricky | Built-in (UDP) |
| Battery/CPU | Higher overhead | Minimal |

WireGuard changed everything in 2020 when it was merged into the Linux kernel.

---
## The Landscape at a Glance

| Solution | Type | Self-host | Fully FLOSS | NAT punch | UI |
|----------|------|-----------|-------------|-----------|-----|
| **WireGuard** | Protocol | N/A | ✓ | Manual | ✗ |
| **Pangolin** | Reverse proxy | ✓ | ✓ | Via Gerbil | ✓ |
| **Tailscale** | Mesh VPN | Partial | ✗ | DERP | ✓ |
| **Netbird** | Mesh VPN | ✓ | ✓ | STUN/TURN | ✓ |

---
## NAT Traversal Techniques

**Gerbil** (Pangolin)

Public-facing reverse proxy that accepts incoming connections and forwards them through WireGuard tunnels to internal Newt agents. Clients connect *out* to Gerbil.

**DERP** (Tailscale)

Designated Encrypted Relay for Packets — Tailscale's proprietary relay servers. Used when direct peer-to-peer fails. Traffic is encrypted end-to-end; relays see only ciphertext.

---
## NAT Traversal Techniques

**STUN/TURN** (Netbird, standard)

- **STUN**: Discovers your public IP and port mapping — enables direct connections
- **TURN**: Relay fallback when direct connection impossible (strict NAT/firewall)

---
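## STUN — What "Discovering Your Mapping" Looks Like

Added example for the STUN bullet above; it is not code from the deck or from Netbird. It builds a STUN Binding Request, then parses a *constructed* Binding Success Response the way a client would read a real one: the public `203.0.113.7:51820` mapping is made up for the demo. The message layout and the `0x2112A442` magic cookie are the real RFC 5389 values; the XOR step is why the attribute is called XOR-MAPPED-ADDRESS. The parser checks the transaction id before trusting the reply, so a stray datagram that does not match what we sent is rejected.

```python
from __future__ import annotations
import os
import struct
import ipaddress

# Protocol constants from RFC 5389 (STUN); these are real, not assumed.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes = b"") -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, transaction id."""
    txn_id = txn_id or os.urandom(12)
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def encode_xor_mapped_address(ip: str, port: int) -> bytes:
    """XOR-MAPPED-ADDRESS (IPv4): port and address are XORed with the magic cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_success(txn_id: bytes, ip: str, port: int) -> bytes:
    """Constructed server reply, so the parser can be exercised offline."""
    attrs = encode_xor_mapped_address(ip, port)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + txn_id + attrs


def parse_binding_success(msg: bytes, expected_txn_id: bytes) -> tuple[str, int]:
    """Return (public_ip, public_port); reject anything that is not our reply."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Success Response")
    if msg[8:20] != expected_txn_id:
        raise ValueError("transaction id mismatch: unsolicited or spoofed reply")
    if len(msg) != 20 + mlen:
        raise ValueError("length field does not match datagram")
    pos = 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            family, xport, xaddr = struct.unpack("!xBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def discover_mapping() -> tuple[str, int]:
    """Offline round trip with a constructed reply: the NAT's public mapping.

    Against a real server you would send build_binding_request() over UDP
    to port 3478 and feed the datagram you get back to parse_binding_success().
    """
    txn = bytes(range(12))
    request = build_binding_request(txn)
    assert len(request) == 20
    reply = build_binding_success(txn, "203.0.113.7", 51820)  # constructed values
    return parse_binding_success(reply, txn)


def rejects_unsolicited_reply() -> bool:
    """A reply whose transaction id we never sent must not be trusted."""
    try:
        parse_binding_success(build_binding_success(bytes(12), "198.51.100.9", 3478), bytes(range(12)))
    except ValueError:
        return True
    return False
```

`discover_mapping()` returns `("203.0.113.7", 51820)`: the address and port the (constructed) server saw, which is exactly what a mesh agent hands to its peer so a direct connection can be attempted before falling back to TURN.

---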
## WireGuard — The Foundation

WireGuard is a **protocol**, not a product. It's the building block the others use.

**Key properties:**

- In-kernel since Linux 5.6 (2020)
- ~4,000 lines of code — auditable
- Cryptographically opinionated: Curve25519, ChaCha20, Poly1305
- Silent by default — no response to unauthenticated packets
- Roaming — endpoints can change IP seamlessly

---
## WireGuard — How It Works

```mermaid
graph LR
    subgraph "Peer A (10.0.0.1)"
        A[wg0 interface]
    end
    subgraph "Peer B (10.0.0.2)"
        B[wg0 interface]
    end
    A <-->|"encrypted UDP"| B
```

Each peer has:

- A **private key** (never leaves the device)
- A **public key** (shared with peers)
- An **allowed IPs** list (what traffic goes through the tunnel)

No central server required — but someone has to distribute configs.

---
## WireGuard — Pros and Cons

**Pros**

- Blazing fast, low latency
- Simple config files
- Kernel-level performance
- Battle-tested cryptography

**Cons**

- No built-in key distribution
- No NAT traversal coordination
- No access control policies
- No management UI

**Best for:** sysadmins who want full control, site-to-site links

---
## Pangolin — Self-Hosted Reverse Proxy

Pangolin is a **reverse proxy** and tunneling solution, not a traditional VPN.

**Architecture:**

- **Pangolin** — Central server with web UI and proxy
- **Gerbil** — Public-facing proxy (handles NAT traversal)
- **Newt** — Agent on each client (creates WireGuard tunnel)

**Use case:** Expose internal services to the internet securely without opening ports.

---
## Pangolin — Architecture

```mermaid
graph TB
    Internet[Internet] --> Gerbil[Gerbil Proxy]
    Gerbil --> Pangolin[Pangolin Server]
    Pangolin --> Newt1[Newt Agent]
    Pangolin --> Newt2[Newt Agent]
    Newt1 --> Service1[Internal Service]
    Newt2 --> Service2[Internal Service]
```

Traffic flows: Internet → Gerbil → Pangolin → Newt → Your service

No port forwarding needed on the client side.

---
## Pangolin — Pros and Cons

**Pros**

- Fully self-hosted and FLOSS (Apache 2.0)
- Web UI for managing sites and users
- Automatic HTTPS via Let's Encrypt
- Works behind any NAT
- SSO integration (OIDC)

**Cons**

- Not a mesh VPN — hub-and-spoke only
- Relatively new project
- Requires a public-facing server

**Best for:** exposing self-hosted services, homelab access

---
## Tailscale — The Polished Option

Tailscale builds a **mesh VPN** on top of WireGuard with zero configuration.

**How it works:**

- Coordination server distributes keys and handles NAT traversal
- Devices connect directly when possible (peer-to-peer)
- Falls back to DERP relays when direct connection fails
- MagicDNS provides automatic DNS for all devices

---
## Tailscale — Architecture

```mermaid
graph TB
    Coord[Coordination Server] -.->|key exchange| A
    Coord -.->|key exchange| B
    Coord -.->|key exchange| C
    A[Device A] <-->|"direct WireGuard"| B[Device B]
    A <-->|"via DERP relay"| C[Device C]
    DERP[DERP Relay] --> C
```

Direct connections when possible, relayed when behind strict NAT.

---
## Tailscale — Pros and Cons

**Pros**

- Zero-config setup — just install and sign in
- Excellent NAT traversal
- Cross-platform (Linux, macOS, Windows, iOS, Android)
- MagicDNS and HTTPS certificates
- ACLs and SSO

**Cons**

- Coordination server is **not open source**
- Free tier limited; business features require subscription
- Vendor lock-in concern

**Alternative:** Headscale — FLOSS coordination server (community project)

---
## Netbird — Self-Hosted Mesh VPN

Netbird is a **fully FLOSS** alternative to Tailscale with self-hosting support.

**Components:**

- **Management Server** — handles key distribution, ACLs
- **Signal Server** — coordinates peer connections
- **STUN/TURN** — NAT traversal (coturn)
- **Netbird Agent** — runs on each device

---
## Netbird — Architecture

```mermaid
graph TB
    Mgmt[Management Server] -.->|policies, keys| A
    Mgmt -.->|policies, keys| B
    Signal[Signal Server] -.->|peer discovery| A
    Signal -.->|peer discovery| B
    A[Device A] <-->|"direct WireGuard"| B[Device B]
    TURN[TURN Relay] -.->|fallback| A
```

Self-host everything or use their managed service.

---
## Netbird — Pros and Cons

**Pros**

- Fully FLOSS (BSD-3-Clause)
- Self-hostable control plane
- Web UI for management
- SSO integration (OIDC, SAML)
- Network policies and ACLs
- **Built-in reverse proxy** (v0.65+) — expose services publicly like Pangolin
- Active development

**Cons**

- Self-hosting it is more complex than simply using Tailscale
- Younger project than Tailscale
- Smaller community

**Best for:** organizations wanting Tailscale-like UX with full control

---
<!-- _class: dense -->

## Detailed Comparison

| Feature | WireGuard | Pangolin | Tailscale | Netbird |
|---------|-----------|----------|-----------|---------|
| **License** | GPL | Apache 2.0 | Proprietary* | BSD-3 |
| **Self-host control plane** | N/A | ✓ | Via Headscale | ✓ |
| **Mesh networking** | Manual | ✗ | ✓ | ✓ |
| **NAT traversal** | Manual | ✓ (Gerbil) | ✓ (DERP) | ✓ (TURN) |
| **Web UI** | ✗ | ✓ | ✓ | ✓ |
| **SSO (OIDC/SAML)** | ✗ | ✓ | ✓ | ✓ |
| **ACLs / Policies** | ✗ | ✓ | ✓ | ✓ |
| **Reverse proxy mode** | ✗ | ✓ | ✗ | ✓ (v0.65+) |

\*Tailscale clients are open source, coordination server is not.

---
## Which Should You Choose?

**WireGuard directly** — Full control, simple site-to-site, technical users

**Pangolin** — Expose services publicly, homelab, reverse proxy use case

**Tailscale** — Easiest setup, don't mind some vendor dependency

**Tailscale + Headscale** — Tailscale UX with self-hosted control plane

**Netbird** — Full FLOSS, mesh VPN + reverse proxy, organization with SSO needs

---
## MakerFLOSS Lab Context

From our lab design, we plan to use **Netbird** for:

- Remote access to lab services from outside
- Connecting VPS to local infrastructure via tunnel
- Zero-trust access to pre-production zone

```mermaid
graph LR
    VPS -.->|Netbird| FLOSSFirewall
```

Self-hosted on our infrastructure, integrated with Authentik for SSO.

---
## Resources

| Resource | Link |
|----------|------|
| WireGuard | [wireguard.com](https://www.wireguard.com) |
| Pangolin | [github.com/fosrl/pangolin](https://github.com/fosrl/pangolin) |
| Tailscale | [tailscale.com](https://tailscale.com) |
| Headscale | [github.com/juanfont/headscale](https://github.com/juanfont/headscale) |
| Netbird | [netbird.io](https://netbird.io) |
| Netbird GitHub | [github.com/netbirdio/netbird](https://github.com/netbirdio/netbird) |

---
# Questions?

_Slides made with [Marp](https://marp.app)_