sigsum | headscale
---|---
3 | 222
4 | 19,818
- | -
8.9 | 9.2
7 days ago | 5 days ago
TeX | Go
Creative Commons Attribution Share Alike 4.0 | BSD 3-clause "New" or "Revised" License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sigsum
-
Sunlight, a Certificate Transparency log implementation
Exactly! It's a growing ecosystem including things like https://transparency.dev, the Go Checksum Database, https://www.sigsum.org, SigStore, and even key transparency solutions like WhatsApp's.
One thing you end up needing to deploy tlogs is a way to reassure clients the tree is not forked, and for that you mostly need witness cosigning, where a quorum of third parties attest that a signed tree head is consistent with all the other ones they've seen. I've worked with the Sigsum project and the Google TrustFabric team on an interoperable specification for witnessing (which Sunlight interoperates with), and I am now working to develop a public, reliable ecosystem of witnesses.
Once you have witnessing, running a log can be as easy as hosting a few files in a GitHub repo or S3 bucket, updated with a batch script. I am very excited to make it possible for any project to get better-than-CT accountability for ~free.
(You might want to catch my RWC 2024 talk about this once it comes out!)
-
Mullvad on Tailscale: Privately browse the web
> one of the ways you can evaluate companies is to recognize when they're making sketchy, not-relevant claims to create an air of legitimacy.
This is an excellent heuristic. Personally I like to evaluate trustworthiness in terms of integrity and competence - can I trust their values and can I trust that they know what they are doing? Words are cheap of course. Consistent action across several years is much harder to fake. It also overlaps with another heuristic I use to model and predict the behaviour of a company; a company's behaviour will converge on the shareholders' goals over time.
> This "our servers have no disks" thing is kind of thing is marketing.
You are correct that we considered that aspect while writing the blog post, but please read the content before passing judgement. See the section titled "To recap about “no disks in use”" in particular.
On the topic of "air of legitimacy" I'll just leave these here:
* Our apps have been open-source since we launched in 2009
* Our response to Shellshock: https://news.ycombinator.com/item?id=8385332
* Our thoughts on WireGuard in 2017: https://mullvad.net/en/blog/2017/9/27/wireguard-future/
* Experimental post-quantum KEM support in 2017: https://mullvad.net/en/blog/2017/12/8/introducing-post-quant...
The blog post you commented on also talks extensively about how it was one of our first steps in making our infrastructure transparent. Here are just two things we've done as part of that project:
* "This is the first time a modern off-the-shelf server platform gains coreboot support, and it is an integral part of realizing our vision of transparent and independently auditable VPN servers." - https://mullvad.net/en/blog/2019/8/7/open-source-firmware-fu...
And finally, we've spent 2-3 years designing a transparency log with distributed trust assumptions. One of many critical parts necessary to achieve our vision of transparent server infrastructure. I'll wager that there's no transparency log with a stronger threat model than ours. https://www.sigsum.org
We're certainly not without fault, but hopefully this helps inform your opinion of Mullvad.
Best regards,
- Sigsum vs. Sigstore a frequently asked question
headscale
-
List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.
headscale - Open source implementation of Tailscale control server. Can be used with Tailscale's official open source client. Written in Go.
-
Building a Managed Service Provider Business With Open Source
Headscale
-
Russia has started indiscriminately blocking all OpenVPN/WireGuard connections
You can always use headscale. https://github.com/juanfont/headscale
-
Securely Accessing Private AWS Resources from GitHub Actions with TailScale
One more thing, you can host Tailscale Control Server yourself if you want, which is a plus.
-
A word of caution about Tailscale
https://github.com/juanfont/headscale not to mention but Tailscale has a very good culture, I’m sure they would give notice if they pull the rug. There are also many alternatives such as Zerotier and more are showing up every day and open source options.
- Is HTTPS necessary?
-
Connecting several hundreds IoT (raspberry pi's) devices with a VPN
How about self-hosted Tailscale, known as Headscale
-
Tailscale Kubernetes Operator
Would be nice if https://github.com/juanfont/headscale can be managed by the Tailscale operator.
-
Mullvad on Tailscale: Privately browse the web
You can run your own "head scale" control server and use their clients with it: https://github.com/juanfont/headscale
Requires a lot more setup, but it is an option. I've been self-hosting headscale for some time and it is quite stable.
-
Netbirdio/netbird: Connect devices into a single private WireGuard mesh network
There's an alternative to tailscale service called headscale https://github.com/juanfont/headscale (CLI only server compatible with official tailscale clients)
What are some alternatives?
tailscale - The easiest, most secure way to use WireGuard and 2FA.
Netmaker - Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
zero-ui - ZeroUI - ZeroTier Controller Web UI - is a web user interface for a self-hosted ZeroTier network controller.
netbird - Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
ZeroTier - A Smart Ethernet Switch for Earth
Nebula - A scalable overlay networking tool with a focus on performance, simplicity and security
firezone - Open-source VPN server and egress firewall for Linux built on WireGuard. Firezone is easy to set up (all dependencies are bundled thanks to Chef Omnibus), secure, performant, and self hostable.
innernet - A private network system that uses WireGuard under the hood.
docker-cloudflare-ddns - A small amd64/ARM/ARM64 Docker image that allows you to use CloudFlare as a DDNS / DynDNS Provider.
cloudflared - Cloudflare Tunnel client (formerly Argo Tunnel)
WGDashboard - Simplest dashboard for WireGuard VPN written in Python w/ Flask
network-manager-wireguard - NetworkManager VPN Plugin: Wireguard