yggdrasil-go
ziti-doc
Our great sponsors
yggdrasil-go | ziti-doc | |
---|---|---|
23 | 23 | |
3,331 | 34 | |
2.0% | - | |
8.5 | 9.5 | |
about 1 month ago | 1 day ago | |
Go | HTML | |
GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
yggdrasil-go
-
Tinc, a GPLv2 mesh routing VPN
> The next version will make it much simpler to deploy isolated networks by using TLS roots to prevent accidental peerings.
Is that PR #1038 [1]? Any info on how to use that feature and whether it works over multicast as well?
I noticed this PR uses SHA-1 for matching fingerprints. SHA-1 has been broken for 13 years now. Is it possible to use something more secure?
> It's also worth noting that Yggdrasil doesn't have the equivalent of "peer exchange" — only directly connected peers would ever find out your public IP address. Yggdrasil will not form new peerings automatically, with the single exception being multicast-discovered nodes on the same LAN.
Right, my worry is that by having a server with a public IPv4 address and Yggdrasil running on an open port (so that my other nodes can connect to it) will allow someone to connect to it (either on purpose or accidentally) and cause my traffic to route over their node(s) and/or the public mesh.
Thanks!
[1] https://github.com/yggdrasil-network/yggdrasil-go/pull/1038
- Yggdrasil
- Release Version 0.4.7 · yggdrasil-network/yggdrasil-go · GitHub
-
Tailscale/golink: A private shortlink service for tailnets
From a purely networking perspective, there are far better solutions than tailscale.
Have a look at full mesh VPNs like:
https://github.com/cjdelisle/cjdns
https://github.com/yggdrasil-network/yggdrasil-go
https://github.com/gsliepen/tinc
https://github.com/costela/wesher
These build actual mesh networks where every node is equal and can serve as a router for other nodes to resolve difficult network topologies (where some nodes might not be connected to the internet, but do have connections to other nodes with an internet connection).
Sending data through multiple routers is also possible. They also deal with nodes disappearing and change routes accordingly.
tailscale (and similar solutions like netbird) still use a bunch of "proxy servers" for that. You can set them up on intermediate nodes, but that have to be dealt with manually (and you get two kinds of nodes).
-
The Iran Firewall: A preliminary report
The only real solution long-term is completely peer-to-peer ad-hoc networking that doesn't depend on BGP.
A few projects are in similar territory but none I've seen are working at the layer of bypassing BGP. Many are just acting as an overlay; which works to an extent. https://github.com/yggdrasil-network/yggdrasil-go
It's probably begging for a different model of the "internet" and where data lives.
My requirements:
1. Offline-first applications that sync via a pub/sub DHT of trusted peers. More details here but basically allows bypassing BGP.
-
Make the Internet Yours Again With an Instant Mesh Network
It seems like you can limit connections to your node with AllowedPublicKeys (ref).
- Was war vor 15 Jahren möglich, aber wäre heute undenkbar?
-
[Fanatical] Mindustry - 24 Hour Star Deal (83% off - $1.00 / £0.79 / €0.79)
at least on the official discord the recommended way if you don’t want to play on a public server is using yggdrasil
- Multiplayer Between Steam Owner/Non-Steam Owners
ziti-doc
-
OpenZiti - *everything* you need to implement your own secure, zero trust overlay network
OpenZiti vs BoringProxy has some similarities for sure. The simplest OpenZiti deployment is similar to a boring proxy deployment. The main differences will be that the listening ports "on the network" are going to be from the OpenZiti edge-router which will authenticate before allowing any connection using a strong x509 identity (not a token) and then after that the same identity can be authorized to access one or more services. That's one killer difference to me. There are lots of other things OpenZiti is doing that boringproxy isn't trying to as well. I filed an issue to do a comparison to that some day https://github.com/openziti/ziti-doc/issues/176 thanks for the idea! :)
-
Site-to-Site IPsec VPN with dynamic public address at remote site
Use our open source solution, OpenZiti, and host/manage it all yourself - https://openziti.github.io/
-
Extrovert Wednesday - Telling the World about OpenZiti
You can definitely read more about what OpenZiti is over on the docs page if you're looking for more info about the project https://openziti.github.io/
-
How bad it is ? Security of self-hosted server
If you're interested in it, you can find it over at github - https://openziti.github.io. It's one more thing to setup and maintain so maybe that's a dealbreaker but since this is selfhosted - maybe not ;)
-
How to setup OpenZiti on an OpenWRT device as an alternative to VPNs / private APNs
If you want to go fully open source and self-hosted, use an OpenZiti quickstart - https://openziti.github.io/ - while ignoring steps 1, 2, 3, and 5 ... i.e., step 4 is where you deploy an OpenZiti tunneler on an OpenWRT box.
-
Alternative to manual IP exposing
I not long ago discovered OpenZiti, and to be honest I fell in love with it. I also have a dinamic IP, and I have even some other cases wheren from my place some IoT devices need to find my laptop wherever I may go (I travel a lot).
-
How we use and Secure SaltStack
https://openziti.github.io/ - gives a good intro
-
Help making an Ansible collections
More details: What I'm trying to do is setup a Zero Trust Host Access on my Kubernetes cluster using OpenZiti. Ziti has 4 binaries (controller, router, tunneler and admin console), configuring all these to work together is kinda complex, that's why I thought about making custom modules.
-
Recommended solution secure that will allow my assistant to access a vm in my Azure environment
Probably overkill for your need, but you can give access to your VM without requiring a bastion or VPN, only outbound ports on a NAT gateway using opensource OpenZiti - https://openziti.github.io/. The user would load a client on their device and get access only the the specific resources you define (IP, DNS, port etc). This also means you don't need to assign the IP of the users home (added benefit they can access when not at home).
-
Gaming on the go: How I game remotely and keep my firewall “Perfect Dark”
Create the identity for the Hosting workstation. You can assign as many attributes as you want. Openziti works with an "attribute-enabled role-based access control (ARBAC) model. So, if you have used hashtags, you’re probably familiarized with it.
What are some alternatives?
Nebula - A scalable overlay networking tool with a focus on performance, simplicity and security
ZeroTier - A Smart Ethernet Switch for Earth
cjdns - An encrypted IPv6 network using public-key cryptography for address allocation and a distributed hash table for routing.
AdGuard-WireGuard-Unbound-Cloudflare - The ultimate self-hosted network security guide ─ Protection | Privacy | Performance for your network 24/7 Accessible anywhere [Moved to: https://github.com/trinib/AdGuard-WireGuard-Unbound-DNScrypt]
mesh-networking - :globe_with_meridians: LEGO blocks for networking, a Python library to help create and test flexible network topologies across real and simulated physical links.
boundary-reference-architecture - Example reference architecture for a high availability Boundary deployment on AWS.
PJON - PJON (Padded Jittering Operative Network) is an experimental, arduino-compatible, multi-master, multi-media network protocol.
docker-adguard-unbound-wireguard - This solution is a combination of WireGuard, AdGuard Home, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create and deploy a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities (via AdGuard), and DNS caching with additional privacy options (via Unbound).
pinecone - Peer-to-peer overlay routing for the Matrix ecosystem
ziti - The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti