Our great sponsors
-
netbird
Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
-
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
n2n is neat! It is super simple to self-host the signaler in STUN/TURN in the case of weron as well: https://github.com/pojntfx/weron#1-start-a-signaling-server-... and `coturn` is even vendored through the Debian repos nowadays.
that is indeed a performance decrease. But the idea of this project is just great!
There is another way of combining WebRTC and Wireguard.
Netbird uses ICE protocol (used in WebRTC) for NAT traversal and then reuses that punched holes to establish a direct Wireguard tunnel.
https://github.com/netbirdio/netbird
P.S. I'm author of Netbird (formerly know as Wiretrustee)
> Is what makes this a "P2P" VPN [...] that it supports the group/"community" network behavior?
More or less! Compared to say OpenVPN there is no central server that all traffic is routed through (unless you choose to activate TURN of course, see the `--force-relay` flag), so hosting it is much cheaper as the only public part of the infrastructure is the part that exchanges the candidates ^^ Its pretty close to how n2n[1] does it, but has proper NAT hole punching support due to the WebRTC backend.
> When you do that, are you building a full-connected overlay network [...]
Yes! Its a full mesh; it seems to scale pretty well to a fairly large number of nodes, although I haven't tested it with more than ~100 peers in a single community yet. If the overhead of maintaining all of the connections is too much or peering between nodes in an issue, TURN can help to connect those peers with the rest of the mesh. Orchid looks interesting!
[1] https://github.com/ntop/n2n
Thanks for your work on Pion! I really enjoyed working with it, even in other places (STFS[1], a file system for tape drives that I wrote in January, uses it to access remote servers behind NAT for example). NAT-PMP/PCP support would be awesome!
[1] https://github.com/pojntfx/stfs
Thanks! Its using the Pion library[1] which doesn't seem to be using a constant bitrate; that would definitely be an interesting addition though. Sending e.g. zeroes when its not transmitting packets/frames is totally doable, but atm not implemented.
[1] https://github.com/pion/webrtc
Hi! n2n was a huge inspiration for the project, in fact I wrote Go bindings for n2n before starting it: https://github.com/pojntfx/gon2n
Weron also allows tunneling - just specify a TURN server on `--ice` and enable `--force-relay`, in which case it will probably scale to well over 100 nodes ^^ The signaling servers are fully horizontally scalable, so that you can benefit from a faster backbone on a global scale scenario - Redis coordinates messages, kicks etc. between them and a Postgres database maintains central state, such as credentials for persistent communities and client counts.
In terms of key rotation & encryption - weron heavily depends on DTLS as provided by Pion/WebRTC and thus inherits similar security properties. It is not possible to disable encryption of WebRTC, but tbf the performance benefits of using plain SCTP don't seem to be worth it as the RTT latency and resulting decrease in throughput[1] is the dominant performance bottleneck.
[1] https://tuhat.helsinki.fi/ws/portalfiles/portal/167373638/Es...
There is a very neat implementation of a TURN from Pion
https://github.com/pion/turn
Wow, some awesome work here. I would be interested to know your thoughts on OpenZiti (https://openziti.github.io/). Its an open source project that allows you to embed private connectivity into your app using one of the many SDKs together with strong identity allowing outbound only connections. It is a mesh overlay similar to TURN but uses a concept of smart routing to normally reduce latency through circumvention of BGP. Various superpowers can be seen here - https://www.youtube.com/playlist?list=PLMUj_5fklasKF1oisSSuL...