800-63-3 VS VxWireguard-Generator

I see you got your regex, but please consider reading the nist guidelines https://pages.nist.gov/800-63-3/ It is an excellent resource in password policies that isn't shared nearly enough.

Even NIST outright recommends against SMS/phone 2FA.

ID.me is the first NIST 800-63-3 approved company. https://www.businesswire.com/news/home/20180816005147/en/ID.me-Becomes-First-Identity-Provider-to-Be-Approved-as-NIST-800-63-3-Conformant & https://insights.id.me/article/what-are-the-nist-800-63-digital-identity-guidelines/

NIST has made a series of sensible guidelines:

https://pages.nist.gov/800-63-3/

They now need to be made enforceable, whether by government requiring them in government contracts, or indirectly by insurers excluding coverage if they are not met.

I just tell our customer's compliance systems and vendors (there's usually a space to explain why you're not doing a given thing) that we'll start rotating passwords as soon as NIST recommends it (again) , and no sooner. Nobody has ever failed a test nor have I even been asked about this stance. Flies right under the radar.

Several hundred pages if you want to read it all - https://pages.nist.gov/800-63-3/.

Tinc was my goto for years, but there is a non-trivial performance penalty for it's userspace implementation.

If you can enumerate all your endpoints into wireguard, and squint, it'll kinda-sorta act like a mesh.

And if you want to go a little crazy with it, You can run https://github.com/m13253/VxWireguard-Generator + babeld, and get routing around failures in the mesh.

https://github.com/m13253/VxWireguard-Generator

I'm using that in production with Babel (managing dynamic routes) with great success. Tinc had been solid for us for years, but once I actually payed attention to the performance hit, it was worth a bit of hassle to make it work over wireguard.