> With a little bit of effort you can run a userspace WireGuard on the Nanos unikernel, combining the security of WireGuard and unikernels to make a secure VPN gateway
What a time to be alive... we can create a single purpose operating system, to run under a hypervisor, to forward traffic inside a NAT firewall, with patches applied that bypass the separation of user-space configuration parsing and move them into kernel functions.
It's just sandboxing taken to the extreme. The idea of freestanding (meaning requiring nothing more than the hardware to run) applications isn't anything new; in fact, it's how all old applications worked! And doing it this way gives you a lot more control over the execution environment. Though, from a certain point of view, it's starting to look more and more like we're just making an operating system whose components are separated by IP address space instead of traces through silicon.
Yeah, I always get a kick when we deploy containers that don’t do anything other than set up some kernel networking structures and then more or less just sleep. Truly the future of devops.
Not directly related to the article, but I've been doing a lot of interesting stuff with WireGuard for the past few years. I've observed some odd behavior by some mobile service providers. Right now I have two permanently deployed WireGuard VPNs using terrestrial wireless carriers. One VPN uses AT&T Wireless while the other uses T-Mobile. The AT&T VPN worked fine out of the box. The T-Mobile VPN required some odd tweaks to MTU/MRU in order to get it working. I found that the MTU on the mobile end needed to be 1220 or less, and the MTU on the remote end needed to be 1380 or less. This took a while to debug.
WireGuard is so useful, and intuitive, and straightforward, and easy to use, that I suspect it'll be as ubiquitous as TCP someday. Not before a billion look-alike VPN apps or services pop up, of course.
I was just thinking of trying to do similar. The main thing I'd deviate from this configuration on is using masquerading: for a multiuser setup you'd want an IP pool and ARP for one address per tunnel.
Trying to diagnose issues or track traffic per user becomes nigh impossible transiting a PAT-NAT.
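The per-tunnel address pool suggested above, as an added example that is not from the thread or from the Nanos/WireGuard projects: each peer gets its own /32 from a pool, the rendered config has no MASQUERADE rule, and a flow record can be attributed back to a peer by its source address, which a PAT-NAT would have rewritten to the gateway's address. Peer keys, the pool, and the flow log line are constructed placeholders; the ARP side (proxy ARP on the host) is host configuration and is not shown.

```python
import ipaddress

# Constructed sample peers; these are placeholders, not real WireGuard public keys.
PEERS = ["PEER_A_PUBKEY_PLACEHOLDER", "PEER_B_PUBKEY_PLACEHOLDER", "PEER_C_PUBKEY_PLACEHOLDER"]


def allocate_pool(pool_cidr, peers):
    """Give the gateway the first usable host and each peer its own /32 after it."""
    hosts = ipaddress.ip_network(pool_cidr).hosts()
    gateway = next(hosts)
    return gateway, {next(hosts): key for key in peers}


def render_wg_config(gateway, pool_cidr, alloc, listen_port=51820):
    """Render a wg-quick style config: one [Peer] per tunnel address, no NAT PostUp rule,
    so the tunnel address is what traffic leaving the gateway actually carries."""
    prefix = ipaddress.ip_network(pool_cidr).prefixlen
    lines = ["[Interface]", f"Address = {gateway}/{prefix}", f"ListenPort = {listen_port}",
             "PrivateKey = GATEWAY_PRIVKEY_PLACEHOLDER", ""]
    for addr, key in alloc.items():
        lines += ["[Peer]", f"PublicKey = {key}", f"AllowedIPs = {addr}/32", ""]
    return "\n".join(lines)


def attribute_flow(alloc, flow_line):
    """Map a flow record ('... src=A.B.C.D ...') back to the peer owning that address.
    Returns None when the source is not a peer address, e.g. after masquerading."""
    fields = dict(f.split("=", 1) for f in flow_line.split() if "=" in f)
    return alloc.get(ipaddress.ip_address(fields["src"]))


if __name__ == "__main__":
    gw, alloc = allocate_pool("10.7.0.0/24", PEERS)
    print(render_wg_config(gw, "10.7.0.0/24", alloc))
    # Constructed flow record as a firewall or flow exporter might log it.
    print(attribute_flow(alloc, "ts=1700000000 src=10.7.0.3 dst=203.0.113.10 dport=443"))
```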