pivpn VS Nebula

PiVPN for classic VPN software https://pivpn.io - Wireguard would be my choice

Linux retropie 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l GNU/Linux

Wondering what people are using these days to get a VPN (Wireguard?) up and running easily. Is Wireguard itself simple enough that one can just ... do this? I'm thinking of something like PiVPN which does appear to still exist but I'm unsure of how up-to-date it is. Specifically, I like terminal commands just fine, but would prefer not to have to manually configure a basic VPN (internet gateway) and its associated profiles/certificates.

If you really want some hand holding, PiVPN is even easier.

They're easily set up via the guided PiVPN installation script. Should work on everything that's Debian-based, not just on Rasbian running on a Pi.

under Features in [1]:

* Doesn't need to be a Raspberry Pi™, It runs on any x86_64 system

[1] https://pivpn.io/

yes the webui now has some convenience options for generating and importing configs, but there's still a gap (as in default package installed) in client profile management or network management on cli.

What pivpn (and similar tooling wrapping lower level commands) bring along is this client management and even some network topology/routing management : https://docs.pivpn.io/wireguard/ and https://github.com/pivpn/pivpn/tree/master/scripts/wireguard

I think it's a interesting spectrum between wg-cli and tailscale.

(I am a Nebula maintainer.) We recently merged support for gVisor-based services, although it's very new, and I don't know of much experimentation that's been done with it yet: https://github.com/slackhq/nebula/pull/965

Nebula, originally from Slack[0].

Wireguard rightly gets a lot of attention, but Nebula is a really simple and easy to deploy mesh network that is often overlooked.

It does lack a management GUI and that stuff is very much DIY.

[0] https://github.com/slackhq/nebula

Fair enough about the android mobile client... My use case only involves meshing linux appliances across various networks so we only need the nebula core binaries which are under MIT license

https://github.com/slackhq/nebula/blob/master/LICENSE

nebula seemed like a very interesting choice, when we were looking for a mesh vpn, but the lack of ipv6 support led to it being removed from consideration very quickly

so i have been checking https://github.com/slackhq/nebula/issues/6 every time im reminded nebula exists, for the last few years, without success

That's not at all confusing with Slack's Nebula. https://github.com/slackhq/nebula

Headscale looks nice. Another option that I don't see mentioned much is Slack's Nebula (https://github.com/slackhq/nebula).

Sounds like a bunch of your pain points are just related to needing an online CA or ICA. But, looking through the Nebula docs I don't know that it supports things like CRL addresses where you could host the CRL, or OCSP responders. Someone got support for an OCSP responder but never submitted a PR with completed code: https://github.com/slackhq/nebula/issues/72

Nebula is a scalable, cross-platform overlay networking tool focused on performance, simplicity, and security. This portable tool is equally adapted for linking a small number of computers or scaling to connect tens of thousands. It integrates encryption, security groups, certificates, and tunneling into a powerful, cohesive connectivity solution. Thanks for the recommendation go to jmeador42.

But both Nebula and tinc max out at around 1 Gbit/s on my Hetzner servers, thus not using most of my 10 Gbit/s connectivity. This is because they cap out at 100% of 1 CPU. The Nebula issue about that was closed due to "inactivity" [2].

I also observed that when Nebula operates at 100% CPU usage, you get lots of package loss. This causes software that expects reasonable timings on ~0.2ms links to fail (e.g. consensus software like Consul, or Ceph). This in turn led to flakiness / intermittent outages.

I had to resolve to move the big data pushing softwares like Ceph outside of the VPN to get 10 Gbit/s speed for those, and to avoid downtimes due to the packet loss.

Such software like Ceph has its own encryption, but I don't trust it, and that mistrust was recently proven right again [3].

So I'm currently looking to move the Ceph into WireGuard.

Summary: For small-data use, tinc and Nebula are fine, but if you start to push real data, they break.

[1]: https://github.com/gsliepen/tinc/issues/218

[2]: https://github.com/slackhq/nebula/issues/637

[3]: https://github.com/google/security-research/security/advisor...