Recently I've been reading a lot about the topic of mesh VPNs (tinc, Nebula, Tailscale, ZeroTier, Netmaker, Netbird, etc.) and find them pretty interesting. Is anyone here using these in some capacity at home or maybe at work?
My problem so far is that many of the options seem to be aimed at corporate use, understandably, so the developers can earn enough to keep doing it. This means the focus is on a centralized control plane, one server which knows everything about the entire network and manages firewall rules for all of it.
This is why I'm leaning towards Nebula, since I think the decentralized design just makes more sense. There is some centralization for issuing certs though. How do I go about setting up PKI? Is there some open source solution for managing certificates and automatically renewing them?
There's also the option of using vanilla WireGuard. This is my current setup, but I really like the idea of meshing, since it means I don't need to care if my devices are physically on the same network or not: the best connection will be used. Basically the layer of abstraction is a nice convenience that lets me think about hosts or services independently of the physical network topology.
I'm interested to hear your thoughts on this topic! What's your setup like and what do you use it for?
I use yggdrasil which, I believe, is WireGuard under the hood, but the key generation and routing are all done automatically using LAN discovery or by connecting to peers on the network. I've tested out other overlay networks like tinc and cjdns, but yggdrasil has been the most reliable of the bunch. It's nice because the host key is used to derive an IPv6 address that can be physically relocated without doing any manual route changes.
I used to run a bunch of services over yggdrasil, but I had some economic struggles for a while and I had to delete most of it. I'll bring it back at some point though, this time with even more yggdrasil.
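The key-derived address mentioned above, as an added example that is not code from the yggdrasil project or from this poster: a Python sketch of the scheme as I understand yggdrasil-go's address derivation (prefix 0200::/7, a count of the leading ones of the inverted key, then the remaining key bits), which is an assumption to verify against the project's source; the sample keys are constructed, and `addr_for_key` / `key_matches_addr` are names I chose.

```python
import os
from ipaddress import IPv6Address

# Assumption: this mirrors the key -> address scheme as I understand it from
# yggdrasil-go (src/address/address.go); verify against the project before
# relying on it. It is an illustration, not the project's own code.
ADDR_PREFIX = 0x02  # 0200::/7; low bit 0 = node address, 1 = node /64 subnet


def addr_for_key(pubkey: bytes) -> IPv6Address:
    """Derive the 128-bit node address from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte Ed25519 public key")
    # Work on the bitwise inverse of the key, most significant bit first.
    bits = "".join(f"{b ^ 0xFF:08b}" for b in pubkey)
    # Count the run of leading 1s; the 0 that ends the run is dropped too.
    ones = len(bits) - len(bits.lstrip("1"))
    if ones > 127:
        raise ValueError("unsupported key: more than 127 leading ones")
    rest = bits[ones + 1:]
    # Layout: prefix byte, ones-count byte, then the next 112 bits of the key.
    body = int(rest[:112], 2).to_bytes(14, "big")
    return IPv6Address(bytes([ADDR_PREFIX, ones]) + body)


def key_matches_addr(pubkey: bytes, claimed: str) -> bool:
    """Verify that the address a peer claims is the one its key derives to.

    Because the address is a function of the key, a node keeps it wherever it
    attaches to the mesh, and a peer can reject a key/address mismatch.
    """
    return addr_for_key(pubkey) == IPv6Address(claimed)


if __name__ == "__main__":
    # Constructed stand-in for a real Ed25519 public key (random bytes).
    fake_key = os.urandom(32)
    addr = addr_for_key(fake_key)
    print(f"key {fake_key.hex()} -> {addr}")
    print("binding check:", key_matches_addr(fake_key, str(addr)))
```

The leading-ones count in the second byte is why yggdrasil addresses you see in the wild start with 200:, 201:, 202: and so on.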
Cool! I was really intrigued by yggdrasil. Do you use it for a private network only, or do you connect with the public peers? And do you recall any connectivity issues related to NAT or firewalls (if mobile clients are part of your network)?
Mostly private, but I've used public peers in the past to give myself more flexibility. I usually have a cheap VPS set up as a gateway. The auto routing is really powerful; I just have a couple of hosts on my LAN that peer directly with the gateway and the rest is handled by local discovery. My mobile clients will usually have the same gateway setup for roaming, but if I'm hanging out at a library I might use a public peer over TLS if my gateway's port is blocked.