Brian Lovin
/
Hacker News
Daily Digest email

Get the top HN stories in your inbox every day.

terrywang

Ah, this is a fork, NOT the original. I came across the original subspace a long time ago when switching from strongSwan (IPsec based VPN) to WireGuard for my own good. There has been no development work for the original project in a while.

If you are looking for a user-friendly web UI for quickly building a VPN for remote access (encrypting traffic / data path between the device and Internet), with easy client management (scan the QR code for client profile thingy) try

- wg-access-server [1]

- wg-gen-web [2]

- wg-ui [3]

They all work well in a containerized fashion, all created around the same time when WireGuard was merged into the Linux kernel mainline ;-)

Simple script worked better for my remote access use case for now, for use cases at scale I'd seriously take Tailscale into account (100 clients for personal - free account).

[1]: https://github.com/Place1/wg-access-server

[2]: https://github.com/vx3r/wg-gen-web

[3]: https://github.com/EmbarkStudios/wg-ui

oregontechninja

Pretty sure this is a fork because the original has arbitrary user limits due to it wanting to be a commercial product. Que hundreds of forks with the user limits removed.

Angostura

'Cue' not 'Que' - just in case you want to use the word in more formal circumstances.

bakoo

Que?

BrandoElFollito

I am a happy user of the mentioned wg-gen-web (https://github.com/vx3r/wg-gen-web), it helps enormously to manage WG profiles and, most importantly, does only this.

Specifically, it is written not to try to manage your firewall and whatnot (how to do that is explained, though).

elitistphoenix

Which one would you recommend?

terrywang

I'd recommend wg-access-server to start with (the one web UI that I tried first), fundamentally they are pretty much the same, just UI style difference.

rubatuga

Is there anybody interested in building or using a service that routes static public IPs to self-hosted servers, over WireGuard? I made a prototype a week ago, here's the homepage:

https://hoppy.network

I realized that I didn't want to ever deal with port-forwarding, NAT, or dynamic DNS and decided to create this. Message me if you want a signup link.

xrisk

I tried your service and it just works™, which is great. But a couple of points:

1) I saw that you're basically using one OVH box per IP. How do you plan to ever monetize this then?

What prevents a user from creating their own VPN instance on their own box and port forwarding from there? Granted this process is somewhat involved, but the kind of user who needs to do this is likely to be somewhat technically inclined anyway. (Some ideas: negotiate long-term deals for IP addresses and try to map > 1 IP per box / remove the static IP guarantee and keep a rotating pool of addresses – public IPs are more valuable than static IPs anyway IMO and you can integrate dynamic DNS into your service)

2) How do I know that you're not sniffing my traffic? Granted that most traffic being encrypted these days is a thing, but still I think it's a genuine concern.

3) I live in Asia, so latency was off-the-charts for me. (On the order of 500ms). But this problem could easily be solved by introducing servers in more locations.

rubatuga

1) I have monetization figured out. That's as much as I'll say for now.

2) That's a hard question, mainly because if I was using this service I would ask the same thing. Personally, I think a strong mission statement, privacy policy, and maybe a warrant canary would be good enough. At least with a strong privacy statement, I would be legally bound to never sell/peek at your data which is loads better than current ISPs.

I can't do much better than promise I wouldn't.

3) Did the Chicago server fare any better?

Also, thank you for the comments! I really appreciate them.

xrisk

1) That's nice to know. Best of luck!

I think two tiers with a cheaper roaming IP + dynamic DNS plan and a more expensive static IP plan would be smart. But that's for you to decide.

3) Only the Canada server was available when I signed up ~2 weeks ago unfortunately. I'll take a look again.

redis_mlc

FYI: There is a funded, global, commercial gaming VPN service with HQ in SF also called Subspace that has had deals with major gaming networks since 2019.

You might want to sort out the Subspace name and trademark, sooner than later.

tyingq

On #1, OVH does charge a $3/IP setup charge, but then does not charge monthly per IP so long as it's routable...up to a full /24 per server. https://www.ovh.com/world/dedicated-servers/free-ips.xml

Alternatively, their VPSs are dirt cheap. $3.35/month.

pkaye

> 2) How do I know that you're not sniffing my traffic? Granted that most traffic being encrypted these days is a thing, but still I think it's a genuine concern.

How does this work? I thought WireGuard encrypts the traffic?

BenjiWiebe

The GP would be terminating the wireguard tunnel, so they could have access to the traffic inside the tunnel.

stiray

2) Would be a show stopper for me. You need to solve this issue...

dmayle

There's already a service that supports this general concept called NGrok ( https://ngrok.com/ ).

They support plaintext tunnels for free, and encrypted tunnels starting at eight dollars a month.

I came across the service when learning how to accept incoming traffic on kubernetes.

rubatuga

That's true. However, ngrok adds a lot of restrictions like "40 connections a minute", or capping the number of port forwardings. It's unclear if ngrok supports port 25 either. Also, paying a premium for encrypted transport in 2020?

microcolonel

I think it's less that you're paying a premium for encrypted transport, but that the uncomfortable unencrypted one is set up primarily as a demo/trial service.

atonse

ngrok paid for itself in time saved within my first half an hour of using it. Excellent product.

I use it to develop a lot with twilio and salesforce callbacks.

jo909

I'm sure there is and will be demand for good static IPv4 tunnel brokers. I'm personally fine with dealing with dynamic DNS and port forwards for my home setup for now, but once I no longer have a public IPv4 assigned I would be a potential customer.

How do you deal with the global scarcity of IPv4-addresses that you would need to scale your service? I think this can only work long term if you own the address space yourself and are not dependent on some specific provider or cloud.

Also very important is a local endpoint to get a reasonable end to end latency.

resume384

Hey cool! Nice job, I've been working on nearly the same thing, been using it for a bit and find this pattern has really nice properties, like it's great to access my servers at local network speed (ssh, file copy, etc. really fast), having the option to easily move the server to another network, and adding something like Cloudflare to the mix I'm thinking one could host quite well from home. What is the use case that inspired you to build it? I'm really curious to see what interest and dynamics you find. It would be great if you could post an update as things progress.

OJFord

Yes, but just to check / point out that I don't think it's clear in current docs.txt (I know you said they're still WIP) - the 'hoppy server' that I add as a peer would be routed straight through to my own right, as in the public key for 'ca1.hoppy.network' is generated by me?

Or do I have to add a peer that's out of my control, which you use for routing between the two that are under my control?

rubatuga

It's the latter, you peer with Hoppy, and then connections to your assigned public IP simply use Hoppy as a "hop" before arriving at you.

OJFord

Oh, I'm less keen on that. Doesn't it defeat the point of a secure tunnel if you give away a maintenance shaft in the middle?

choward

> Is there anybody interested in building or using a service that routes static public IPs to self-hosted servers, over WireGuard?

I don't get how this helps me "build" a service. Can't find source code anywhere.

On a related note the whole reason I self host is so I don't have to rely on things I don't control so there is no way I would use something like this. Defeats the purpose of self hosting IMO.

resume384

Control is one element of self hosting, albeit full control may be difficult to obtain and also maintain speed and privacy. Pushing your ingress out to an edge node affords interesting properties. One of which is privacy (keeps your home ISP IP hidden from the public.) A service like Cloudflare gets you the same for browser traffic, a service like hoppy can work for all ports, email, ssh, voip, etc. Control can and perhaps should be implemented not at the channel layer but through cryptographic means such as authentication and end to end encryption.

jamilbk

Interesting -- bookmarked! I've had a need for something like this from time to time.

Is there any concern over people using your service for illegal/unfavorable activities like torrenting? Or are you planning to keep logs to provide to law enforcement requests?

mmm_grayons

I'm curious, how does one go about obtaining IPv4 address space these days? I thought it had become quite a pain, and usually expensive enough to need serious cash?

api

There are auction services, but it's not cheap. V6 address space is basically free.

mmm_grayons

Yeah, the auctions are about all I've seen and they're pricey enough one would probably need some investment or a substantial loan to obtain enough space for this sort of thing. I'm not sure how a trial hobby project gets the money for that.

naggie

Shameless plug time: those interested in subspace might want to check out a project of mine: dsnet https://github.com/naggie/dsnet/

dsnet is a simple WireGuard management command that manages key generation and IP allocation, generating config files. I'm using it for a few networks at the moment.

I recently tried to add decent documentation and a blog post in the hope that it's useful to someone. I should do a Show HN really.

Here's the blog post: https://callanbryant.co.uk/blog/how-to-set-up-a-wireguard-vp...

piquadrat

This looks very interesting, thanks.

Side note, any particular reason for having `user-select: none` set on your blog? That seems somewhat counterproductive for a blog with code examples...

naggie

> This looks very interesting, thanks.

I'm glad you like it.

> Side note, any particular reason for having `user-select: none` set on your blog? That seems somewhat counterproductive for a blog with code examples...

Ah -- that's not intentional. Thanks for letting me know, I've pushed a fix!

I developed the hugo theme for something else where it made sense (a portal) then converted it for use with my blog and missed that.

PeterStuer

Anyone else thought of 'Subspace', the pioneering internet multiplayer space shooter from the 90's that was in many ways ahead of its time? Great times were had.

https://en.wikipedia.org/wiki/SubSpace_(video_game)

schrectacular

I came here to say the same lol! I remember vividly playing that game as a young boy at the local University computer lab and my jaw hitting the floor. Could never get good enough connection over dial-up to overcome the frustration. Still play continuum some, it's still the same and still amazingly fun.

boringg

This ^^^. Posted comment before I read all the comments :). Great time indeed. The tolerance for lag in that game was unreal but also, it played incredibly well considering most people were on dial-ups!

PH00

For anyone who liked Subspace, check out Airmash:

https://airmash.online/

Originally released on HN. The game was abandoned by the developer. Entire thing was rewritten by the community and refuses to die.

Lots of fun and great people involved. Keyboards can take a bit of a beating though.

tiborsaas

No, I had a nastier association :)

reading-at-work

Surprised I had to scroll this far to find this - same here!

cyborgx7

Yup, same here.

dnr

Yup! I had many (many) hours of fun, and got pretty deeply into the development community that sprung up after the publisher abandoned it. I learned a lot from that and it definitely had an effect on my career.

joadha

Yep! Weirdly, I didn't get into it until the mid-00's when my older brother showed me Continuum. The game is still fun today!

Daishiman

What became of it?

elric

It's still being played. There are some plans to write an android client (notably by Trench War's poid, on patreon as quantumspace). Its golden days are long gone, but it's not uncommon to find games with 40 active players in Trench Wars these days.

jalada

It's still a thing, it was re-released on Steam: https://store.steampowered.com/app/352700/Subspace_Continuum...

docflabby

I played this game for years in the competitive leagues and as a moderator running special events before life responsibilities took over (still pop in occasionally), it's super fun. I was never very good at it though :)

boringg

Let's be clear here. Subspace is and always will foremost be a fantastic massive online game from the late 90s. See wikipedia for more info. Slight disappointment that it wasn't related.

hu3

I had no notion about the Subspace game and as time passes my parcel of the population will only grow relative to people who do know the Subspace game.

It's not fair nor feasible to reserve names permanently.

boringg

It's cool - I'm having fun with nostalgia.

hombre_fatal

fwiw, the Continuum client is available even on Steam and some zones, like Trench Wars and Extreme Games still have full lobbies.

I got back into Extreme Games (30-flag CTF) for 6 months last year. Good times all over again.

simias

I don't mind the wg-quick command line interface but I must say that the #1 thing that bothers me with wg is that the private keys are stored directly in the config. That means that every time I add a new user the keys are plainly readable on my screen.

Is there a simple way to work around this issue? Can I include the keys from a 3rd party file for instance? I guess I could always just pre-process the config file to generate the final one from multiple sources.

BCM43

PostUp should do what you want. https://wiki.archlinux.org/index.php/WireGuard#Store_private...

I have it grabbing a key from AWS Secrets Manager, haven't had a problem with that.
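As an added example (not code from this thread, the Arch wiki, or the WireGuard project), here is one way to render a wg-quick config that never carries the private key inline: the key stays in a 0600 file and PostUp loads it when the interface comes up, so editing or printing the config file exposes only public keys. The paths, addresses and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a wg-quick config whose [Interface] has no PrivateKey
# line. The secret is read at "wg-quick up" time via PostUp instead.
# All paths, addresses and key values here are constructed placeholders.

# Refuse a key file that anyone besides its owner can read.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$key is mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# [Interface] without PrivateKey. wg-quick is bash and expands %i to the
# interface name, so the <(cat ...) process substitution runs inside wg-quick,
# not in this script. The weak form this replaces is: PrivateKey = <base64>
render_interface() {
    key="$1"; addr="$2"; port="$3"
    check_key_perms "$key" || return 1
    printf '[Interface]\nAddress = %s\nListenPort = %s\n' "$addr" "$port"
    printf "PostUp = wg set %%i private-key <(cat '%s')\n" "$key"
}

# [Peer] sections only ever carry public keys, so showing them on screen is fine.
render_peer() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
}

# Assemble the config with owner-only permissions; on any failure leave no file.
write_config() {
    key="$1"; out="$2"
    ( umask 077
      { render_interface "$key" 10.8.0.1/24 51820 &&
        render_peer 'CONSTRUCTED_PEER_PUBKEY_PLACEHOLDER=' 10.8.0.2/32; } \
        > "$out.tmp" ) || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"
}
```

With the key file at /etc/wireguard/wg0.key (mode 0600, created with `wg genkey` redirected straight into the file), `write_config /etc/wireguard/wg0.key /etc/wireguard/wg0.conf` yields a config you can open in front of anyone.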

atonse

In case others got confused by this thread (I thought for a minute "how do you know which private key goes with which peer", is PostUp per peer, etc)... There is only one private key per interface on the server (or anywhere for that matter) and all the other peers are public keys.

I might be the only one who confused myself :)

simias

Right, my use of the plural was confusing. It's just that in general when you add a client you end up editing both the client and the server config, so both keys end up being disclosed on the screen.

simias

That's perfect! Thank you.

cyphar

What I do is that I have scripts to manage the configuration file, rather than manually editing it. So you never open the configuration file in a terminal in order to see the private key.

lykr0n

I giggled at this project name.

Seriously. This is cool. CLI rules all, but man, sometimes it's nice to use a GUI.

hawski

In my early Linux days I remember Subspace Continuum, a 2d MMO space ship battle game. I did suck at it, but it was massively interesting.

abdulqabiz

Not sure the following is related to the post, but it might help a few like me who are still using High Sierra (macos), and can't use the official WireGuard GUI client (because it targets newer versions of macos).

You might want to check WireGuardStatusBar - https://github.com/aequitas/macos-menubar-wireguard

I like it over wg-quick (which requires sudo, and prompts for password all the time). The WireGuardStatusBar uses a privileged helper, so you only need to authorize it once and use it all the time.

Cheers.

econcon

Anyone who uses wireguard UI on Mac? I tried downloading it from app store, with error " unable to download to Macintosh HD "

I am only one version behind the latest Mac, so what could be the problem?

unixhero

Could anyone refer to a definitive guide to what Wireguard is, what pain point it solves and effective applications of it?

What kind of magic can I use it for to pipe data around securely in my AWS fortress?

danielbln

It's pretty clearly stated on the landing page of their website: https://www.wireguard.com/

- simplicity

- sound crypto

- minimal attack surface

- high performance

- well defined

ochronus

Kudos! Nice work, I hope this helps with the adoption of WireGuard