MakerFLOSS/docs/presentations/2026-0601-vpn tech.md
Lars Rossen 22749de762
first cut of a VPN presentation
2026-06-01 16:10:26 +02:00


---
marp: true
theme: gaia
class: invert
paginate: true
---

VPN Without Vendor Lock-in

FLOSS Solutions for Secure Networking

MakerFLOSS · June 2026


Why VPNs?

Remote Access — Securely connect to your home/office network from anywhere

Site-to-Site — Link multiple locations into one virtual network

Zero Trust — Replace traditional perimeter security with identity-based access

Privacy — Encrypt traffic on untrusted networks


Traditional vs Modern VPNs

| Aspect | Traditional (IPSec, OpenVPN) | Modern (WireGuard-based) |
|---|---|---|
| Codebase | 100k+ lines | ~4,000 lines |
| Speed | Good | Excellent |
| Configuration | Complex | Simple |
| Cryptography | Configurable (risk) | Fixed, modern |
| NAT traversal | Tricky | Built-in (UDP) |
| Battery/CPU | Higher overhead | Minimal |

WireGuard changed everything in 2020 when it was merged into the Linux kernel.


The Landscape at a Glance

| Solution | Type | Self-host | Fully FLOSS | NAT punch | UI |
|---|---|---|---|---|---|
| WireGuard | Protocol | N/A | ✓ | Manual | ✗ |
| Pangolin | Reverse proxy | ✓ | ✓ | Via Gerbil | ✓ |
| Tailscale | Mesh VPN | Partial | ✗ | DERP | ✓ |
| Netbird | Mesh VPN | ✓ | ✓ | STUN/TURN | ✓ |

NAT Traversal Techniques

Gerbil (Pangolin) Public-facing reverse proxy that accepts incoming connections and forwards them through WireGuard tunnels to internal Newt agents. Clients connect out to Gerbil.

DERP (Tailscale) Designated Encrypted Relay for Packets — Tailscale's proprietary relay servers. Used when direct peer-to-peer fails. Traffic is encrypted end-to-end; relays see only ciphertext.


NAT Traversal Techniques

STUN/TURN (Netbird, standard)

  • STUN: Discovers your public IP and port mapping — enables direct connections
  • TURN: Relay fallback when a direct connection is impossible (strict NAT/firewall)
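To make the STUN half of this concrete, here is an added example (not part of the slides, and not Netbird's or coturn's code) that builds a STUN Binding Request and parses the Binding Response a server would return, following the RFC 5389 framing. The server reply is constructed locally so the script runs offline; the IP, port and transaction IDs are placeholders.

```python
"""Added example: the STUN Binding exchange that lets a client behind a NAT
learn its public IP:port (the "reflexive address").  The server side is
simulated with a constructed reply, so nothing is sent on the network."""
import os
import struct
import ipaddress

MAGIC_COOKIE = 0x2112A442            # fixed value from RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """Client -> server: 20-byte header, no attributes.  Returns (bytes, tid)."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, tid), tid


def build_binding_response(tid, public_ip, public_port):
    """Server -> client (constructed here for the demo): echoes the transaction
    ID and carries the client's public address, XOR'd with the magic cookie so
    NAT devices that rewrite embedded IPs do not mangle it."""
    ip_int = int(ipaddress.IPv4Address(public_ip))
    value = struct.pack(
        "!BBHI", 0, 0x01,                     # reserved, family (0x01 = IPv4)
        public_port ^ (MAGIC_COOKIE >> 16),   # X-Port
        ip_int ^ MAGIC_COOKIE,                # X-Address
    )
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, tid) + attr


def parse_binding_response(data, expected_tid):
    """Validate the header, match the transaction ID against the request we
    sent (so a stale or unsolicited reply is rejected), then walk the
    attributes and decode XOR-MAPPED-ADDRESS.  Returns (ip, port)."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if tid != expected_tid:
        raise ValueError("transaction ID mismatch: reply does not belong to our request")
    body = data[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                continue                      # IPv6 decoding omitted in this demo
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS attribute in response")


def demo():
    """Full round trip against a simulated server; the public address is a
    constructed documentation value."""
    request, tid = build_binding_request()
    reply = build_binding_response(tid, "203.0.113.5", 54321)
    return parse_binding_response(reply, tid)


if __name__ == "__main__":
    print("reflexive address:", demo())
```

What STUN gives you is only the mapping; whether two peers can then talk directly depends on the NAT type on both sides. When that fails, TURN allocates a relay on a server both sides can reach, which is why a self-hosted Netbird deployment ships coturn alongside the signal and management servers.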

WireGuard — The Foundation

WireGuard is a protocol, not a product. It's the building block the others use.

Key properties:

  • In-kernel since Linux 5.6 (2020)
  • ~4,000 lines of code — auditable
  • Cryptographically opinionated: Curve25519, ChaCha20, Poly1305
  • Silent by default — no response to unauthenticated packets
  • Roaming — endpoints can change IP seamlessly

WireGuard — How It Works

```mermaid
graph LR
    subgraph "Peer A (10.0.0.1)"
        A[wg0 interface]
    end
    subgraph "Peer B (10.0.0.2)"
        B[wg0 interface]
    end
    A <-->|"encrypted UDP"| B
```

Each peer has:

  • A private key (never leaves the device)
  • A public key (shared with peers)
  • An allowed IPs list (what traffic goes through the tunnel)

No central server required — but someone has to distribute configs.
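The AllowedIPs list does double duty in WireGuard: on the way out it decides which peer (and therefore which public key) a packet is encrypted for, and on the way in it is the only source addresses a decrypted packet from that peer is allowed to carry. This added example (not from the slides, not WireGuard's own code) parses a minimal wg-quick style config and reproduces that lookup; the keys and endpoints in the config are constructed placeholders.

```python
"""Added example: WireGuard "cryptokey routing" as implied by the AllowedIPs
field.  Parses a small config and answers two questions:
  - outbound: which peer does a packet to address X get encrypted for?
  - inbound : may a packet decrypted from peer P claim source address X?
Keys and endpoints below are constructed placeholders, not real values."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample config.  The gateway peer owns the whole 10.0.0.0/24
# except 10.0.0.2/32, which belongs to Peer B (longest prefix wins).
SAMPLE_CONFIG = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_A=
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]   # Peer B
PublicKey = PLACEHOLDER_PUBKEY_B=
AllowedIPs = 10.0.0.2/32
Endpoint = 198.51.100.7:51820

[Peer]   # Site gateway
PublicKey = PLACEHOLDER_PUBKEY_GW=
AllowedIPs = 10.0.0.0/24, 192.168.50.0/24
Endpoint = 203.0.113.9:51820
"""


@dataclass
class Peer:
    name: str
    public_key: str = ""                      # base64 Curve25519 key (placeholder here)
    allowed_ips: List = field(default_factory=list)   # ipaddress networks
    endpoint: Optional[str] = None


def parse_wg_config(text):
    """Collect the [Peer] sections of a wg-quick style config."""
    peers, current = [], None
    for raw in text.splitlines():
        comment = raw.split("#", 1)[1].strip() if "#" in raw else ""
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Peer]":
            current = Peer(name=comment or f"peer{len(peers) + 1}")
            peers.append(current)
        elif line == "[Interface]":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))   # keys may end in '='
            if key == "PublicKey":
                current.public_key = value
            elif key == "AllowedIPs":
                current.allowed_ips += [ipaddress.ip_network(v.strip()) for v in value.split(",")]
            elif key == "Endpoint":
                current.endpoint = value
    return peers


def route_outbound(peers, dst):
    """Longest-prefix match over every peer's AllowedIPs.  None means the
    packet is not tunnelled at all."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer, inner_src):
    """After decrypting with this peer's key, the inner source address must be
    inside that peer's AllowedIPs; otherwise WireGuard drops the packet, which
    is what stops one peer from spoofing another's address."""
    addr = ipaddress.ip_address(inner_src)
    return any(addr in net for net in peer.allowed_ips)


if __name__ == "__main__":
    peers = parse_wg_config(SAMPLE_CONFIG)
    for dst in ("10.0.0.2", "10.0.0.3", "192.168.50.20", "8.8.8.8"):
        hit = route_outbound(peers, dst)
        print(f"{dst:>14} -> {hit.name if hit else 'not tunnelled'}")
```

Note that this is exactly the piece the managed solutions automate: Tailscale's coordination server and Netbird's management server push public keys and AllowedIPs to every node, while with plain WireGuard you write and distribute these sections yourself.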


WireGuard — Pros and Cons

Pros

  • Blazing fast, low latency
  • Simple config files
  • Kernel-level performance
  • Battle-tested cryptography

Cons

  • No built-in key distribution
  • No NAT traversal coordination
  • No access control policies
  • No management UI

Best for: sysadmins who want full control, site-to-site links


Pangolin — Self-Hosted Reverse Proxy

Pangolin is a reverse proxy and tunneling solution, not a traditional VPN.

Architecture:

  • Pangolin — Central server with web UI and proxy
  • Gerbil — Public-facing proxy (handles NAT traversal)
  • Newt — Agent on each client (creates WireGuard tunnel)

Use case: Expose internal services to the internet securely without opening ports.


Pangolin — Architecture

```mermaid
graph TB
    Internet[Internet] --> Gerbil[Gerbil Proxy]
    Gerbil --> Pangolin[Pangolin Server]
    Pangolin --> Newt1[Newt Agent]
    Pangolin --> Newt2[Newt Agent]
    Newt1 --> Service1[Internal Service]
    Newt2 --> Service2[Internal Service]
```

Traffic flows: Internet → Gerbil → Pangolin → Newt → Your service

No port forwarding needed on the client side.


Pangolin — Pros and Cons

Pros

  • Fully self-hosted and FLOSS (Apache 2.0)
  • Web UI for managing sites and users
  • Automatic HTTPS via Let's Encrypt
  • Works behind any NAT
  • SSO integration (OIDC)

Cons

  • Not a mesh VPN — hub-and-spoke only
  • Relatively new project
  • Requires a public-facing server

Best for: exposing self-hosted services, homelab access


Tailscale — The Polished Option

Tailscale builds a mesh VPN on top of WireGuard with zero configuration.

How it works:

  • Coordination server distributes keys and handles NAT traversal
  • Devices connect directly when possible (peer-to-peer)
  • Falls back to DERP relays when direct connection fails
  • MagicDNS provides automatic DNS for all devices

Tailscale — Architecture

```mermaid
graph TB
    Coord[Coordination Server] -.->|key exchange| A
    Coord -.->|key exchange| B
    Coord -.->|key exchange| C
    A[Device A] <-->|"direct WireGuard"| B[Device B]
    A <-->|"via DERP relay"| C[Device C]
    DERP[DERP Relay] --> C
```

Direct connections when possible, relayed when behind strict NAT.


Tailscale — Pros and Cons

Pros

  • Zero-config setup — just install and sign in
  • Excellent NAT traversal
  • Cross-platform (Linux, macOS, Windows, iOS, Android)
  • MagicDNS and HTTPS certificates
  • ACLs and SSO

Cons

  • Coordination server is not open source
  • Free tier limited; business features require subscription
  • Vendor lock-in concern

Alternative: Headscale — FLOSS coordination server (community project)


Netbird — Self-Hosted Mesh VPN

Netbird is a fully FLOSS alternative to Tailscale with self-hosting support.

Components:

  • Management Server — handles key distribution, ACLs
  • Signal Server — coordinates peer connections
  • STUN/TURN — NAT traversal (coturn)
  • Netbird Agent — runs on each device

Netbird — Architecture

```mermaid
graph TB
    Mgmt[Management Server] -.->|policies, keys| A
    Mgmt -.->|policies, keys| B
    Signal[Signal Server] -.->|peer discovery| A
    Signal -.->|peer discovery| B
    A[Device A] <-->|"direct WireGuard"| B[Device B]
    TURN[TURN Relay] -.->|fallback| A
```

Self-host everything or use their managed service.


Netbird — Pros and Cons

Pros

  • Fully FLOSS (BSD-3-Clause)
  • Self-hostable control plane
  • Web UI for management
  • SSO integration (OIDC, SAML)
  • Network policies and ACLs
  • Built-in reverse proxy (v0.65+) — expose services publicly like Pangolin
  • Active development

Cons

  • More complex to self-host than Tailscale is to use
  • Younger project than Tailscale
  • Smaller community

Best for: organizations wanting Tailscale-like UX with full control


Detailed Comparison

| Feature | WireGuard | Pangolin | Tailscale | Netbird |
|---|---|---|---|---|
| License | GPL | Apache 2.0 | Proprietary* | BSD-3 |
| Self-host control plane | N/A | ✓ | Via Headscale | ✓ |
| Mesh networking | Manual | ✗ | ✓ | ✓ |
| NAT traversal | Manual | ✓ (Gerbil) | ✓ (DERP) | ✓ (TURN) |
| Web UI | ✗ | ✓ | ✓ | ✓ |
| SSO (OIDC/SAML) | ✗ | ✓ | ✓ | ✓ |
| ACLs / Policies | ✗ | ✓ | ✓ | ✓ |
| Reverse proxy mode | ✗ | ✓ | ✗ | ✓ (v0.65+) |

*Tailscale clients are open source, coordination server is not.


Which Should You Choose?

WireGuard directly — Full control, simple site-to-site, technical users

Pangolin — Expose services publicly, homelab, reverse proxy use case

Tailscale — Easiest setup, don't mind some vendor dependency

Tailscale + Headscale — Tailscale UX with self-hosted control plane

Netbird — Full FLOSS, mesh VPN + reverse proxy, organization with SSO needs


MakerFLOSS Lab Context

From our lab design, we plan to use Netbird for:

  • Remote access to lab services from outside
  • Connecting VPS to local infrastructure via tunnel
  • Zero-trust access to pre-production zone

```mermaid
graph LR
    VPS -.->|Netbird| FLOSSFirewall
```

Self-hosted on our infrastructure, integrated with Authentik for SSO.


Resources

| Resource | Link |
|---|---|
| WireGuard | wireguard.com |
| Pangolin | github.com/fosrl/pangolin |
| Tailscale | tailscale.com |
| Headscale | github.com/juanfont/headscale |
| Netbird | netbird.io |
| Netbird GitHub | github.com/netbirdio/netbird |

Questions?

Slides made with Marp