Ah, this is a fork, NOT the original. I came across the original subspace a long time ago when switching from strongSwan (IPsec based VPN) to WireGuard for my own good. There has been no development work for the original project in a while.
If you are looking for a user-friendly web UI for quickly building a VPN for remote access (encrypting traffic / data path between the device and Internet), with easy client management (scan the QR code for client profile thingy) try
- wg-access-server [1]
- wg-gen-web [2]
- wg-ui [3]
They all work well in a containerized fashion, all created around the same time when WireGuard was merged into Linux kernel mainline ;-)
A simple script worked better for my remote access use case for now, for use cases at scale I'd seriously take Tailscale into account (100 clients for personal - free account).
Pretty sure this is a fork because the original has arbitrary user limits due to it wanting to be a commercial product. Cue hundreds of forks with the user limits removed.
I am a happy user of the mentioned wg-gen-web (https://github.com/vx3r/wg-gen-web), it helps enormously to manage WG profiles and most importantly does only this.
Specifically, it's written not to try to manage your firewall and whatnot (how to do that is explained, though).
I'd recommend wg-access-server to start with (the one web UI that I tried first), fundamentally they are pretty much the same, just UI style difference.
Is there anybody interested in building or using a service that routes static public IPs to self-hosted servers, over WireGuard? I made a prototype a week ago, here's the homepage:
I tried your service and it just works™, which is great. But a couple of points:
1) I saw that you're basically using one OVH box per IP. How do you plan to ever monetize this then?
What prevents a user from creating their own VPN instance on their own box and port forwarding from there? Granted this process is somewhat involved, but the kind of user who needs to do this is likely to be somewhat technically inclined anyway. (Some ideas: negotiate long-term deals for IP addresses and try to map > 1 IP per box / remove the static IP guarantee and keep a rotating pool of addresses – public IPs are more valuable than static IPs anyway IMO and you can integrate dynamic DNS into your service)
2) How do I know that you're not sniffing my traffic? Granted that most traffic being encrypted these days is a thing, but still I think it's a genuine concern.
3) I live in Asia, so latency was off-the-charts for me. (On the order of 500ms). But this problem could easily be solved by introducing servers in more locations.
1) I have monetization figured out. That's as much as I'll say for now.
2) that's a hard question, mainly because if I was using this service I would ask the same thing. Personally, I think a strong mission statement, privacy policy, and maybe a warrant canary would be good enough. At least with a strong privacy statement, I would be legally bound to never sell/peek at your data which is loads better than current ISPs.
I can't do much better than promise I wouldn't.
3) Did the Chicago server fare any better?
Also, thank you for the comments! I really appreciate them.
FYI: There is a funded, global, commercial gaming VPN service with HQ in SF also called Subspace that has had deals with major gaming networks since 2019.
You might want to sort out the Subspace name and trademark, sooner than later.
> 2) How do I know that you're not sniffing my traffic? Granted that most traffic being encrypted these days is a thing, but still I think it's a genuine concern.
How does this work? I thought WireGuard encrypts the traffic?
That's true. However, ngrok adds a lot of restrictions like "40 connections a minute", or capping the number of port forwardings. It's unclear if ngrok support port 25 either. Also, paying a premium for encrypted transport in 2020?
I think it's less that you're paying a premium for encrypted transport, but that the uncomfortable unencrypted one is set up primarily as a demo/trial service.
I'm sure there is and will be demand for good static IPv4 tunnel brokers. I'm personally fine with dealing with dynamic DNS and port forwards for my home setup for now, but once I no longer have a public IPv4 assigned I would be a potential customer.
How do you deal with the global scarcity of IPv4 addresses that you would need to scale your service? I think this can only work long term if you own the address space yourself and are not dependent on some specific provider or cloud.
Also very important is a local endpoint to get a reasonable end to end latency.
Hey cool! Nice job, I've been working on nearly the same thing, been using it for a bit and find this pattern has really nice properties, like it's great to access my servers at local network speed (ssh, file copy, etc. really fast), having the option to easily move the server to another network, adding something like Cloudflare to the mix I'm thinking one could host quite well from home. What is the use case that inspired you to build it? I'm really curious to see what interest and dynamics you find. It would be great if you could post an update as things progress.
Yes, but just to check / point out that I don't think it's clear in current docs.txt (I know you said they're still WIP) - the 'hoppy server' that I add as a peer would be routed straight through to my own right, as in the public key for 'ca1.hoppy.network' is generated by me?
Or do I have to add a peer that's out of my control, which you use for routing between the two that are under my control?
> Is there anybody interested in building or using a service that routes static public IPs to self-hosted servers, over WireGuard?
I don't get how this helps me "build" a service. Can't find source code anywhere.
On a related note the whole reason I self host is so I don't have to rely on things I don't control so there is no way I would use something like this. Defeats the purpose of self hosting IMO.
Control is one element of self hosting, albeit full control may be difficult to obtain and also maintain speed and privacy. Pushing your ingress out to an edge node affords interesting properties. One of which is privacy (keeps your home ISP IP hidden from the public.) A service like Cloudflare gets you the same for browser traffic, a service like hoppy can work for all ports, email, ssh, voip, etc. Control can and perhaps should be implemented not at the channel layer but through cryptographic means such as authentication and end to end encryption.
Interesting -- bookmarked! I've had a need for something like this from time to time.
Is there any concern over people using your service for illegal/unfavorable activities like torrenting? Or are you planning to keep logs to provide to law enforcement requests?
I'm curious, how does one go about obtaining IPv4 address space these days? I thought it had become quite a pain, and usually expensive enough to need serious cash?
Yeah, the auctions are about all I've seen and they're pricey enough one would probably need some investment or a substantial loan to obtain enough space for this sort of thing. I'm not sure how a trial hobby project gets the money for that.
No, because I may want it reachable from somewhere that doesn't have good v6 support. Plus this guy's project is literally based on v4, so I'm not sure how that would work.
Great idea for a service! I do this for a bunch of personal services I host in le basement, where I don't want to either have any ports open or even expose my IP.
Pushing your ingress out to a full internet node simplifies behind-the-NAT/dynamic IP hosting. Once you have a static IP and no NAT or port restrictions it's much easier to run a from-home personal cloud system.
..that might go something like this...
Raspberry Pi at home running docker containers with a reverse proxy like Nginx or Caddy. The Pi is set to automatically connect to the WireGuard service once it has a network connection. The hosting server with the external public IP forwards port 80/443 browser traffic to the Pi sitting in your home LAN. Your domains can be mapped through Cloudflare to the public IP of your external server for an extra layer of privacy and caching. Requests to your Pi webserver reverse proxy through other containerized services on the Pi or to other hosts within your private home network running services like WordPress, Gogs, Express Node app, Verdaccio (npm cache/proxy), pretty much anything. Things get even more interesting if you run a reverse proxy on the remote server. It's also great to have a static public address by which to reach and manage your internal servers via ssh.
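What that setup looks like as wg-quick files, as an added example (this is not code from the comment above or from the hoppy project): a script that renders the edge node's config and the Pi's config. Every address, port, interface name and key path in it is an assumption for the example (tunnel 10.99.0.0/24, edge node 10.99.0.1, Pi 10.99.0.2, UDP 51820, keys in /etc/wireguard/<iface>.key).

```shell
#!/bin/sh
# Added example, not code from the thread: the two wg-quick configs behind the
# "edge node with a public IP forwards web traffic to a Pi at home" pattern.
# Every name and address here is assumed for the example: tunnel 10.99.0.0/24,
# edge node 10.99.0.1, Pi 10.99.0.2, UDP port 51820; the edge's public
# interface, its public address and the peers' public keys are arguments.
set -eu

TUN_EDGE=10.99.0.1
TUN_PI=10.99.0.2
WG_PORT=51820

# render_edge_conf <public_if> <pi_pubkey>: hosting-server side.
# TCP 80/443 arriving on the public interface is DNATed down the tunnel to the
# Pi. The POSTROUTING MASQUERADE on the tunnel is what makes the return path
# work: the Pi sees 10.99.0.1 as the client and answers back through the
# tunnel, instead of replying to the real client address via its home ISP
# (asymmetric, and dropped by the home NAT). The private key is not in the
# file; PostUp loads it from a 0600 key file.
render_edge_conf() {
  public_if=$1; pi_pub=$2
  cat <<EOF
[Interface]
Address = ${TUN_EDGE}/24
ListenPort = ${WG_PORT}
PostUp = wg set %i private-key /etc/wireguard/%i.key
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i ${public_if} -p tcp -m multiport --dports 80,443 -j DNAT --to-destination ${TUN_PI}
PostUp = iptables -t nat -A POSTROUTING -o %i -d ${TUN_PI} -j MASQUERADE
PostUp = iptables -A FORWARD -i ${public_if} -o %i -d ${TUN_PI} -p tcp -m multiport --dports 80,443 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o ${public_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i ${public_if} -p tcp -m multiport --dports 80,443 -j DNAT --to-destination ${TUN_PI}
PostDown = iptables -t nat -D POSTROUTING -o %i -d ${TUN_PI} -j MASQUERADE
PostDown = iptables -D FORWARD -i ${public_if} -o %i -d ${TUN_PI} -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o ${public_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
PublicKey = ${pi_pub}
AllowedIPs = ${TUN_PI}/32
EOF
}

# render_pi_conf <edge_pubkey> <edge_public_ip>: home side.
# AllowedIPs is only the tunnel subnet, so the Pi's own Internet traffic is
# untouched (the MASQUERADE above is what lets that work). PersistentKeepalive
# keeps the home NAT mapping open so the edge node can always reach the Pi.
render_pi_conf() {
  cat <<EOF
[Interface]
Address = ${TUN_PI}/24
PostUp = wg set %i private-key /etc/wireguard/%i.key

[Peer]
PublicKey = ${1}
Endpoint = ${2}:${WG_PORT}
AllowedIPs = 10.99.0.0/24
PersistentKeepalive = 25
EOF
}

# usage: ./render.sh edge eth0 <pi_pubkey>     > /etc/wireguard/wg0.conf   (on the edge)
#        ./render.sh pi <edge_pubkey> <edge_ip> > /etc/wireguard/wg0.conf   (on the Pi)
if [ "$#" -ge 3 ]; then
  case "$1" in
    edge) render_edge_conf "$2" "$3" ;;
    pi)   render_pi_conf "$2" "$3" ;;
  esac
fi
```

Because of the MASQUERADE, the reverse proxy on the Pi sees 10.99.0.1 as the source of every request. If you need real client addresses in logs or for rate limiting, the "reverse proxy on the remote server" variant mentioned above is the fix: terminate HTTP on the edge node and pass the address along in X-Forwarded-For (or use PROXY protocol) rather than dropping the masquerade, which would break the return path.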
Shameless plug time: those interested in subspace might want to check out a project of mine: dsnet https://github.com/naggie/dsnet/
dsnet is a simple WireGuard management command that manages key generation and IP allocation, generating config files. I'm using it for a few networks at the moment.
I recently tried to add decent documentation and a blog post in the hope that it's useful to someone. I should do a Show HN really.
Side note, any particular reason for having `user-select: none` set on your blog? That seems somewhat counterproductive for a blog with code examples...
> Side note, any particular reason for having `user-select: none` set on your blog? That seems somewhat counterproductive for a blog with code examples...
Ah -- that's not intentional. Thanks for letting me know, I've pushed a fix!
I developed the hugo theme for something else where it made sense (a portal) then converted it for use with my blog and missed that.
Anyone else thought of 'Subspace', the pioneering internet multiplayer space shooter from the 90's that was in many ways ahead of its time? Great times were had.
I came here to say the same lol! I remember vividly playing that game as a young boy at the local University computer lab and my jaw hitting the floor. Could never get good enough connection over dial-up to overcome the frustration. Still play continuum some, it's still the same and still amazingly fun.
This ^^^. Posted comment before I read all the comments :). Great time indeed. The tolerance for lag in that game was unreal but also, it played incredibly well considering most people were on dial-ups!
Yup! I had many (many) hours of fun, and got pretty deeply into the development community that sprung up after the publisher abandoned it. I learned a lot from that and it definitely had an effect on my career.
It's still being played. There are some plans to write an android client (notably by Trench War's poid, on patreon as quantumspace). Its golden days are long gone, but it's not uncommon to find games with 40 active players in Trench Wars these days.
I played this game for years in the competitive leagues and as a moderator running special events before life responsibilities took over (I still pop in occasionally). It is super fun. I was never very good at it though :)
Let's be clear here. Subspace is and always will foremost be a fantastic massive online game from the late 90s. See wikipedia for more info. Slight disappointment that it wasn't related.
I had no notion about the Subspace game and as time passes my parcel of the population will only grow relative to people who do know the Subspace game.
It's not fair nor feasible to reserve names permanently.
I don't mind the wg-quick command line interface but I must say that the #1 thing that bothers me with wg is that the private keys are stored directly in the config. That means that every time I add a new user the keys are plainly readable on my screen.
Is there a simple way to work around this issue? Can I include the keys from a 3rd party file for instance? I guess I could always just pre-process the config file to generate the final one from multiple sources.
In case others got confused by this thread (I thought for a minute "how do you know which private key goes with which peer", is PostUp per peer, etc)... There is only one private key per interface on the server (or anywhere for that matter) and all the other peers are public keys.
Right, my use of the plural was confusing. It's just that in general when you add a client you end up editing both the client and the server config, so both keys end up being disclosed on the screen.
What I do is that I have scripts to manage the configuration file, rather than manually editing it. So you never open the configuration file in a terminal in order to see the private key.
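A script of the kind described in the reply above, as an added example (it is not the commenter's script and not part of subspace): it generates a client's keys straight into 0600 files, allocates the next free tunnel address by parsing the server config, appends the peer stanza and applies it to the running interface, so no private key is ever printed. Assumed: server interface wg0 with config /etc/wireguard/wg0.conf whose [Interface] carries no PrivateKey line but instead `PostUp = wg set %i private-key /etc/wireguard/wg0.key` (which is the answer to the "include the key from another file" question: wg-quick accepts an [Interface] without PrivateKey and `wg set` loads it from the file afterwards); tunnel 10.99.0.0/24 with the server at .1; client files under /etc/wireguard/clients/.

```shell
#!/bin/sh
# Added example, not code from the thread: a small peer-management script so
# that adding a client never shows a private key on screen.
# Assumptions: server interface wg0, config /etc/wireguard/wg0.conf whose
# [Interface] has no PrivateKey line but instead
#   PostUp = wg set %i private-key /etc/wireguard/wg0.key
# (the key sits in that 0600 file); tunnel 10.99.0.0/24 with the server at .1;
# client files are written under /etc/wireguard/clients/.
set -eu

WG_IF=${WG_IF:-wg0}
WG_DIR=${WG_DIR:-/etc/wireguard}
TUNNEL_PREFIX=10.99.0

# next_free_host <server_conf_text>: lowest host number 2..254 that no existing
# "AllowedIPs = 10.99.0.N/32" line already uses. Pure text processing, so it
# can be exercised without root or a live interface.
next_free_host() {
  prefix_re=$(printf '%s' "$TUNNEL_PREFIX" | sed 's/\./\\./g')
  used=$(printf '%s\n' "$1" | sed -n "s/^AllowedIPs *= *${prefix_re}\.\([0-9]*\)\/32.*/\1/p")
  n=2
  while [ "$n" -le 254 ]; do
    if ! printf '%s\n' "$used" | grep -qx "$n"; then
      echo "$n"
      return 0
    fi
    n=$((n + 1))
  done
  echo "no free host in ${TUNNEL_PREFIX}.0/24" >&2
  return 1
}

# render_peer_block <name> <client_pubkey> <host>: stanza appended to the
# server config. Only the client's public key goes in here.
render_peer_block() {
  cat <<EOF

# ${1}
[Peer]
PublicKey = ${2}
AllowedIPs = ${TUNNEL_PREFIX}.${3}/32
EOF
}

# render_client_conf <server_pubkey> <server_endpoint> <host> <client_key_file>:
# the client's config. The private key is read from the file into the config
# (mobile clients need it embedded) but is never echoed to a terminal.
render_client_conf() {
  cat <<EOF
[Interface]
PrivateKey = $(cat "$4")
Address = ${TUNNEL_PREFIX}.${3}/24

[Peer]
PublicKey = ${1}
Endpoint = ${2}
AllowedIPs = ${TUNNEL_PREFIX}.0/24
PersistentKeepalive = 25
EOF
}

# add_peer <name> <server_host:port>: keys straight into 0600 files, address
# allocation, append to the config, apply to the running interface (no restart,
# existing tunnels stay up), write the client file.
add_peer() {
  name=$1; endpoint=$2
  umask 077
  clients="${WG_DIR}/clients"
  mkdir -p "$clients"
  wg genkey > "${clients}/${name}.key"
  pub=$(wg pubkey < "${clients}/${name}.key")
  host=$(next_free_host "$(cat "${WG_DIR}/${WG_IF}.conf")")
  server_pub=$(wg show "$WG_IF" public-key)
  render_peer_block "$name" "$pub" "$host" >> "${WG_DIR}/${WG_IF}.conf"
  wg set "$WG_IF" peer "$pub" allowed-ips "${TUNNEL_PREFIX}.${host}/32"
  render_client_conf "$server_pub" "$endpoint" "$host" "${clients}/${name}.key" > "${clients}/${name}.conf"
  echo "added ${name} as ${TUNNEL_PREFIX}.${host}; hand over ${clients}/${name}.conf out of band"
}

if [ "$#" -eq 2 ]; then
  add_peer "$1" "$2"    # e.g. ./add-peer.sh alice vpn.example.net:51820
fi
```

`wg set ... allowed-ips` makes the peer live immediately; the appended stanza is what makes it survive the next `wg-quick down/up`. For a phone, `qrencode -t ansiutf8 < clients/alice.conf` puts the key on screen as pixels, which is the one moment the key is visible at all.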
Not sure the following is related to the post, but it might help a few like me who are still using High Sierra (macOS), and can't use the official WireGuard GUI client (because it targets newer versions of macOS).
I like it over wg-quick (which requires sudo, and prompts for password all the time). The WireGuardStatusBar uses a privileged helper, so you only need to authorize it once and use it all the time.
Great news this was forked. It was pretty clear the previous project was not really a project but a code dump (still: thank you to the original devs for sharing this with the world!), and so I refrained from using it. Really great this has become a more open project with continued development!
Interesting. I wonder if it re-creates the connection each time you login.
The biggest issue I have with Wireguard is that it's not set up for road warriors. If you have an endpoint with a dynamic IP address (like your home router), but you give wireguard a DNS name, it doesn't store the DNS name. It only stores the resolved IP address.
The official solution is a script they have in their contrib repo that you stick in cron and it scans for changes and resets the endpoint if your DNS changes.
Wireguard also can't bind to a specific adapter on a multi adapter server. Since it doesn't respond with anything to unauthenticated packets, the official solution is that it shouldn't matter. Just iptables on everything and only accept packets on the adapter you want public.
The problem is, the egress packets will just go over the default adapter, so now you have incoming and outgoing packets taking different routes.
Overall though, I like wireguard way more than OpenVPN. They still need to fix those and other issues though.
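An added example for both points in that comment (it is not the wireguard-tools contrib script and not the commenter's code): a cron-friendly re-resolver that re-applies DNS-named endpoints only for peers that have gone quiet, plus the policy-routing commands that pin replies leaving from one public address to one interface. Interface name, config path, addresses and the 135 s staleness threshold are assumptions; 135 s is the 120 s rekey interval plus the 10 s keepalive timeout plus the 5 s rekey timeout, i.e. the point by which a healthy peer must have handshaked again.

```shell
#!/bin/sh
# Added example, not from the thread and not the wireguard-tools contrib script:
# (1) re-resolve DNS-named peer endpoints from cron, touching only peers whose
#     last handshake is older than 135 s (a live peer re-handshakes within
#     120 s rekey + 10 s keepalive timeout + 5 s rekey timeout);
# (2) pin egress for a listener on a multi-homed box with policy routing.
# Assumed: interface wg0, config /etc/wireguard/wg0.conf.
set -eu

WG_IF=${WG_IF:-wg0}
CONF=${CONF:-/etc/wireguard/${WG_IF}.conf}

# named_endpoints <conf_text>: print "<pubkey> <host:port>" for every [Peer]
# whose Endpoint is a DNS name. IPv4 and bracketed IPv6 literals are skipped,
# since they never need re-resolving. Key/Endpoint order inside a stanza does
# not matter; the stanza is flushed at the next section header or at EOF.
named_endpoints() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (pub != "" && ep != "") {
        host = ep; sub(/:[0-9]+$/, "", host)
        if (host ~ /[A-Za-z]/ && host !~ /^\[/) print pub, ep
      }
      pub = ""; ep = ""
    }
    /^\[/               { flush() }
    /^PublicKey[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); pub = $0 }
    /^Endpoint[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); ep = $0 }
    END                 { flush() }'
}

# stale <now_epoch> <last_handshake_epoch>: true when the peer has been silent
# for more than 135 s (a never-handshaked peer reports 0 and is always stale).
stale() {
  [ "$(( $1 - $2 ))" -gt 135 ]
}

# reresolve_peer <pubkey> <host:port>: if the peer is stale, hand the name back
# to wg, which resolves it afresh and moves the endpoint if the address changed.
reresolve_peer() {
  pub=$1; ep=$2
  now=$(date +%s)
  last=$(wg show "$WG_IF" latest-handshakes | awk -v p="$pub" '$1 == p { print $2 }')
  stale "$now" "${last:-0}" || return 0
  wg set "$WG_IF" peer "$pub" endpoint "$ep"
}

reresolve_all() {
  named_endpoints "$(cat "$CONF")" | while read -r pub ep; do
    reresolve_peer "$pub" "$ep"
  done
}

# pin_egress <public_ip> <gateway> <dev> <table>: replies sourced from
# <public_ip> are routed via <dev> through a dedicated table, even when the
# main table's default route points at another interface, so inbound and
# outbound WireGuard packets take the same path.
pin_egress() {
  ip route replace default via "$2" dev "$3" table "$4"
  ip rule add from "$1" lookup "$4" priority 1000 2>/dev/null || true   # already present: fine
}

# usage: ./wg-maint.sh reresolve                 (every minute from cron)
#        ./wg-maint.sh pin 203.0.113.5 203.0.113.1 eth1 100
if [ "$#" -gt 0 ]; then
  case "$1" in
    reresolve) reresolve_all ;;
    pin) shift; pin_egress "$@" ;;
    *) echo "usage: $0 reresolve | pin <public_ip> <gateway> <dev> <table>" >&2; exit 2 ;;
  esac
fi
```

The staleness check matters: forcing `wg set ... endpoint` on a healthy peer is harmless but pointless, and on a roaming peer it would overwrite the address WireGuard learned from the peer's own authenticated packets with a possibly older DNS answer. Only peers that have stopped handshaking get their endpoint re-derived from DNS.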
I setup Wireguard using Algo on a home server I kept behind a home router with no problems. It was definitely a dynamic IP because Comcast doesn't provide static IPs for residential connections.
Am I misunderstanding the limitation you're claiming?
> It was definitely a dynamic IP because Comcast doesn't provide static IPs for residential connections.
In my experience, Comcast IPs aren't contractually static, but they very rarely change. Months or years of having the same IP doesn't seem to be uncommon.
I've had the same IP address with Comcast for 5+ years. That includes moving to a different city and multiple different modems. Only thing that has stayed consistent is my router.
I think the question is — does it still work when you get a new IP from Comcast? Even if you don't have a static IP, your Comcast IP probably doesn't change all that often. If WG stores the resolved IP instead of a dynamic DNS domain name, you'd eventually have issues.
I’m in the same boat, but my ISP almost never changes IPs.
I have configured a box with Wireguard listening on it, put a dynamic DNS updater on it, and gave it to my parents (they have a different ISP than I do). My .conf file had a DNS name as the peer, and it has worked just fine since it was installed. I don't know what issue GP is referring to; maybe an old version of wg-quick or something?
[1]: https://github.com/Place1/wg-access-server
[2]: https://github.com/vx3r/wg-gen-web
[3]: https://github.com/EmbarkStudios/wg-ui