A couple questions from me, if you don't mind.

I currently use Tailscale for my home lab. My current model is similar to old-school road warrior VPNing, where I have my router as a node that routes to the LAN using the internal (non-meshed) IPs. Does your solution support that? How easy is it to deploy and configure it in that way?

Another feature I use is "exit nodes", i.e. my router as a gateway to the Internet, similar to what consumer VPNs (Mullvad, PrivateInternetAccess, etc) do. This offers me 2 things: more security when I'm on insecure networks (airport or other public WiFi, etc); and allows me to access things as though I'm at home when I'm traveling abroad. This is a one-time configuration and I can easily switch it on and off on demand via the desktop or phone app. Is this an option in your product?

Edit: s/customer/consumer/

I believe we actually had a feature like exit nodes before Tailscale released theirs :) Our is called an "egress gateway" and it acts in pretty much the same way.

Thanks for your reply, I will try to deploy Netmaker alongside Tailscale and compare for my needs!

The "hardest" part is managing the tailscale installation on the router, since the OpenWRT packages seem to be quite old. I went old-fashioned and just download the ARM tarballs and uncompress them.

I lifted the init.d script from someone else's blog post [0] and adjusted the path to the binaries.

After that I've pretty much just followed the official docs to implement LAN routing [1] and the exit node [2], then set the router's cert so it doesn't expire, which is done on the Tailscale GUI.

Install the app on the devices, connect everything to the tailnet and Bob's your uncle.

[0] https://willangley.org/how-i-set-up-tailscale-on-my-wifi-rou... [1] https://tailscale.com/kb/1019/subnets/ [2] https://tailscale.com/kb/1103/exit-nodes/

Shown on the marketing pages, the controller supports pushing configurations which include commands for `postup` and `postdown`; does this mean that it implicitly has root code execution on every participant in the network? I don't think it would be designed like that, but I'm a bit confused how this could be working without introducing that as a concern.

However, we're adding a switch for this pretty soon which will allow disabling the edit-ability of those fields.

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.

Edit - I see you mention that Tailscale uses userland WireGuard. Is that the biggest difference between the two? Do you foresee yourselves running into issues by not using the userland implementation?

With Nebula, they're a lot closer on speed, but also we've got a management GUI which makes things a lot easier. We were very close to using Nebula in our early days. The main thing that stopped us was, we decided WireGuard was going to be the standard in the future, and wanted to be based on WireGuard.

That leads to a bit more fundamental of a difference which is a bit harder to quantify. Our aim is to really be a "WireGuard controller." You should be able to shut down our server and agents and your network should still run fine, and you should be able to manually modify all your WireGuard interfaces if necessary. We're getting close to that vision but aren't quite there yet.

That last point leads back to the kernel thing. We use kernel by default, but really, Netmaker can use any WireGuard implementation. If users are scared of the security implications of using kernel, they can use the userland version, and Netmaker should be able to pick that up just fine. They can even run it in a docker container on their machine.

We briefly considered building something atop Wireguard in the early days of Nebula, but decided not to do so because of scaling. Wireguard's protocol necessitates that all nodes have existing keypairs for each other ahead of time. At Slack's scale, that means every time a fresh node is launched, you would have to tell 50,000 other nodes it exists.

Obviously you can smarten this up and tell only hosts it might talk to. But this adds complexity. Using PKI eliminates this key distribution problem and means that you don't have the same scaling limitations as something built on WG.

Wireguard is a very very good VPN, but I cannot imagine trying to run something on the scale of tens of thousands of nodes when you need such complex coordination systems to exchange keys/trust, especially in a dynamic environment where nodes are coming and going all the time.

I totally get that it solvable overall, but Slack has had 4 years of nearly perfect uptime on Nebula, whilst using it to pass >95% of all backend traffic. These considerations may seem simple to address, but there are fundamentals that mattered and led us to writing Nebula. We didn't want to create something new, but to do what Slack needed, we had to.

How do you handle NAT compared to these other options? I've run into issues with WireGuard when both sides are behind residential NATs (or AWS EC2 IGW); as you know, Nebula solves this with "lighthouse" servers (which are self-hosted but externally accessible), and Tailscale uses its third-party intro devices.

Do the Gravitl servers have to always listen on an exposed port?

On the NAT side, we provide 3 layers of traversal options:

#1 (default) port forwarding: This actually works in a surprisingly well, for about 90% of environments, but does require an exposed port.

#2 UDP Hole Punching: The server acts similarly to a Nebula "lighthouse" and will tell clients where to reach each other. This covers that small situation of dualing NAT's, and doesn't require the exposed port.

#3 Relay: In situations where neither works such as CGNAT, you can set a public node as a relay to route traffic to the "hidden" node

Don't take this the wrong way, but subtly/implictly implying that some software is not going to be reliable in the long run because it only has a community behind is low-key FUD.

This is excellent.

When I set it up, I have chosen ZeroTier instead of WireGuard. It does the following: (a) Hosts discovery and initiating handshake between clients with the help of a server from ZeroTier, (b) NAT hole punching, (c) pushing centrally managed routes to hosts, (d) network ACL rules. I primarily have chosen it because it is easy to setup by anyone (e) and I do not have to manage a server (f).

- Can you tell a little bit how Graviti compares to it. I guess WireGuard itself does not have the features (a) to (f). I guess the Netmake server replaces the ZeroTier servers and provides some of these features.

- Are you inclined to install Netmaker client on any host or use one node in a LAN as a router?

- Is this more geared to servers/professional managed hosts or also for laptops?

For my usecase with ZeroTier I found the following currenlty missing features useful:

- Easy setup of a node as a router (or virtual switch) to connect a local network to the virtual one without installing it on all devices (hardware like GPS receiver do not allow to install new software). Of course, you can do it with the normal Linux tools.

- Installing it only inside a Docker container and not on the host. But I guess that will not be possible because it has to live in the kernel.

Router is obviously preferable when routing to LAN but is harder to support. If it's FreeBSD or OpenWRT, go router, but otherwise a client on a Linux node works fine as a router.

This is definitely geared more towards servers/VM's etc, but does work on Laptops as well. We have Windows support and you can even loop in your phones.

We do actually have a docker image for the client. We're not strictly tied to the kernel version of WireGuard, and you can use userspace wherever it is a necessity.

Quick question, does Gravitl plan to become a company donor to Wireguard in the near future[1]? I think it would be great if companies which, as is their right, profit from FLOSS, also give back to FLOSS, not just with code.

Again, good luck with your adventure :) .

[1] https://www.wireguard.com/donations/

I'm not expecting that I'd actually get into trouble for running a small network with my friends, but I prefer not violating software licenses. :)

This is probably fine for internal usage within a company (as the whole company is legally the same entity) but for individual use it's concerning. Although it might also be problematic if you ever want to give a contractor access to your VPN too.

Covers the contractor use case I think (provided the contractor isn't running services they intend to expose to you on the VPN), but not my hobbyist use case (both me and a friend share services with each other via our VPN).

[0] https://docs.netmaker.org/external-clients.html

There's a few offerings in this space, some geared toward edge, some toward orgs. For example:

- tailscale https://tailscale.com/download

- Innernet https://github.com/tonarino/innernet

- wiretrustee https://wiretrustee.com/

Care to differentiate from those above?

Our aim is to really be a "WireGuard controller." You should be able to shut down our server and agents and your network should still run fine, and you should be able to manually modify all your WireGuard interfaces if necessary.

This isn't something that any of those options allow you to do and I think is a fundamental difference in how we're viewing the scope and role of Netmaker.

Most companies choose between not securely connecting their stuff correctly or having a complete mess of an internal network.

So congratz and all the power to you.

Tools like this allow users to own their network and avoid that lock in. All that's needed here is auto-scaling integrated w/ various cloud providers, and some canned templates for creating K8s clusters and common services. At that point- we've got a self hosted cloud w/ 80% of what the big guys offer.

I am a user of this solution for my company, and also for my homelab. It works great! Just wanted to say that, and thank you for the open source free as in libre license.

- Named groups/subnets for a single NetMakerServer (lets say [Users] and [Servers])

- Access control capability: Allow/disallow inter/intra group connectivity. For example, using the previous groups : [Users] can connect to [Servers] only (not other [Users]) and [Servers] can connect to other [servers] only (not [Users]). Basically, for this case, the peer list returned to NetClient's only contain the [Servers]. More generally, it is the concept of public vs private - not sure if this is needed on a group/subnet or individual netclient level.

- MFA requirement for certain Groups. Example: [Users] who have not connected to the network in the last X hours/other criteria will need to MFA (provided by NetMaker+TOTP or other IDP like Okta). Server-server connections will never need to MFA. This is one of those Enterprise security check list items in security reviews.

- Ideally: Ability to run the NetMakerServer on Windows (IIS, Nginx, Apache) without having to launch containers/install VM's.

Congratulation ons on your launch. Will keep an eye on things.

Edit: This is a requirement for self-hosted but if your enterprise solutions offers it as a highly available service that would by-pass this issue. It would need to be HA and spread in such a way that a single cloud provider going down does not affect things.

Can any client be an egress node?

This does look fantastic and like something I dreamed about making a few months ago otherwise. Good work.

*edit: clarity

I was just about to ask about differences with Tailscale, which is solving a lot of the challenges outlined in the post, but you answered it:

"First off, Netmaker is super fast because it can use kernel WireGuard. There are some other WireGuard-based solutions like Tailscale, but they use userspace WireGuard, which is much, much slower."

Good luck!

I have my iOS client set up with a egress node on Netmaker, it gave me a vanilla WireGuard config and then I passed that to my iOS device.

So single point of failure?

1. For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.

2. It doesn't actually replace a USB drive. Most people I know e-mail files to themselves or host them somewhere online to be able to perform presentations, but they still carry a USB drive in case there are connectivity problems. This does not solve the connectivity issue.

3. It does not seem very "viral" or income-generating. I know this is premature at this point, but without charging users for the service, is it reasonable to expect to make money off of this?

/s[1]

In all seriousness, congrats on the launch. It looks like you're solving an interesting problem. Having done at least little work on multi-region platforms I can attest to how painful it is. Hopefully your product will help solve this.

[1]: See https://news.ycombinator.com/item?id=9224 if the above doesn't make sense.

2. USB's aren't a viable long-term strategy. With supply chain issues they are likely to cost $3000/gb this year.

3. This is actually an NFT-based platform. So-called "money" is not a concern for us.

Hopefully the "/s" isn't necessary for this one but I better add it anyway. Thanks for the good words!

Very glad you're going down the NFT route, solves so many problems.

@vertis, if you are looking at multi-region or multi-cloud, you may be interested in how Ozone solved this for private k8s https://ozone.one/blog/ozone-zitifies-private-kubernetes-dep...

disclaimer: i am founder of a company which builds saas on the openziti open source which Ozone used in their solution as well. however, doesn't seem competitive with this solution from vertis - openziti being built for different use cases.

If it was 2004, i would have understood, but this is a problem already solved decade ago

"private slack channel" won't be enough to justify 70 dollar a month

The existing subscription isn't really what we're looking to sell. We started offering it because some users asked us for extra support, so we created it for them, but really the main product will be the enterprise version in a couple months.