It looks like the authentication rests upon looking up the owner of the incoming packet's (tailnet) IP address[0].
Does anyone know whether they have measures in place to protect against IP spoofing?
Background: The post here on HN reminded me of innernet (a Tailscale alternative) which was presented here on HN last year[1] and which is – at least in principle – vulnerable to IP spoofing[2] because it assumes incoming IP packets (with a WireGuard IP address as "source") must originate from WireGuard's wg0 network interface and cannot e.g. originate from eth0 – which, unfortunately, is not the case on most systems.
As far as I can tell from briefly looking at tsnet[3] (which is what their authentication proxy[4] uses under the hood), tsnet runs WireGuard in user space(?), so this should prevent IP spoofing. Can anyone confirm this?
[0] https://tailscale.com/blog/grafana-auth/
[1] https://news.ycombinator.com/item?id=26628285
[2] https://github.com/tonarino/innernet/issues/26
[3] https://github.com/tailscale/tailscale/blob/main/tsnet/
[4] https://github.com/tailscale/tailscale/tree/main/cmd/proxy-t...
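The concern raised in the comment above, as an added example that is not part of the original comment or of either project's code: an identity lookup keyed only on the source address, next to one that also requires the packet to have arrived on the tunnel interface. The interface name, address range and peer table are assumed values for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Assumed values for illustration only (not taken from Tailscale or innernet).
TUNNEL_IFACE = "wg0"
TUNNEL_NET = ipaddress.ip_network("10.42.0.0/16")
PEER_OWNERS = {"10.42.0.7": "alice", "10.42.0.9": "bob"}  # constructed peer table


class Packet(NamedTuple):
    ingress_iface: str  # interface the host received the packet on
    src: str            # source address claimed in the IP header


def _tunnel_src_off_tunnel(pkt: Packet) -> bool:
    """True when a tunnel-range source address shows up on a non-tunnel interface."""
    return (ipaddress.ip_address(pkt.src) in TUNNEL_NET
            and pkt.ingress_iface != TUNNEL_IFACE)


def owner_by_source_only(pkt: Packet) -> Optional[str]:
    """Weak check: trusts the source address in the IP header by itself."""
    return PEER_OWNERS.get(pkt.src)


def owner_bound_to_tunnel(pkt: Packet) -> Optional[str]:
    """Hardened check: a tunnel address counts only if it arrived via the tunnel."""
    if _tunnel_src_off_tunnel(pkt):
        return None  # reject instead of mapping the address to a peer
    return PEER_OWNERS.get(pkt.src)


def spoof_suspects(packets: List[Packet]) -> List[Packet]:
    """Detection view of the same rule: list the packets worth alerting on."""
    return [p for p in packets if _tunnel_src_off_tunnel(p)]


# Constructed sample traffic.
SAMPLE = [
    Packet("wg0", "10.42.0.7"),    # peer traffic delivered by the tunnel
    Packet("eth0", "10.42.0.9"),   # tunnel address seen on the LAN interface
    Packet("eth0", "192.0.2.50"),  # ordinary non-tunnel traffic
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, owner_by_source_only(p), owner_bound_to_tunnel(p))
```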
Just wanted to point out that there's a pretty interesting project called Geyser[0] (along with a plugin called Floodgate[1]) that allows Java and Bedrock Minecraft users to connect to the same Java server. This might be an avenue the author could take to allow the Tailscale auth here to work. In my implementation I'm using PaperMC[2] as well.
[0] https://github.com/GeyserMC/Geyser
[1] https://github.com/GeyserMC/Floodgate
[2] https://papermc.io/