
This doesn't really seem to do what Tailscale is doing, which is to create a mesh network with a central beacon node for facilitating handshakes.

I am currently researching this area and have found the following solutions in the mesh VPN space. In order of how locked down the source code is—which also seems to correlate with ease of use—there is Tailscale, ZeroTier, Netmaker, Nebula, and also Innernet (this last one is only mac/linux).



The originally submitted title said "Tailscale Alternative" but this appears to have been an error and we've taken it out now. More at https://news.ycombinator.com/item?id=31542122.


Yeah, you can't really use FZ for Tailscale use cases, though maybe OP is just referring to how it uses WireGuard. Netmaker and Innernet are the two Tailscale alternatives that use WireGuard. And in fact, both are much faster than Tailscale because they use kernel WireGuard. So they'd probably be the best options for "Tailscale Alternative."


Worth noting, the biggest closed-source thing from Tailscale is the server side, which has an open-source re-implementation called Headscale[0].

[0] https://github.com/juanfont/headscale


Thanks! Yggdrasil ( https://yggdrasil-network.github.io/ ) should probably be in this list too, except that it doesn't need a central beacon node.


Very interesting. I will add it to my list.


aaaaaand Netbird ..


ZeroTier doesn't use WireGuard, but is a mature option that fills the same niche.


You can probably add https://enclave.io to that list; creates mesh VPN networks based on tags + policy.


Could any of those be used against China's GFW?

Tailscale could be blocked by the GFW [1]. I guess that's because it uses a central beacon node?

Also they are built on WireGuard, which is not obfuscated, so they can be detected by DPI?

[1] https://forum.tailscale.com/t/does-tailscale-work-in-mainlan...
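On the DPI point raised above: WireGuard's four message types each start with a fixed type byte followed by three reserved zero bytes, and the three handshake messages have fixed on-the-wire lengths (148, 92 and 64 bytes), so a passive classifier needs no cryptography to spot them. The following is an added example, not code from the thread or from the WireGuard project: a toy DPI classifier over constructed UDP payloads. The cryptographic fields are filler bytes, since only the framing matters for the fingerprint; the builders, constants and sample flows are assumptions made for this illustration.

```python
"""Toy DPI classifier for WireGuard UDP payloads (added example).

Framing constants follow the WireGuard whitepaper's message formats.
All packets built here are constructed stand-ins with filler in the
cryptographic fields; nothing is captured from a real tunnel.
"""
import struct
from typing import List, Optional

# First byte of every WireGuard message; the next three bytes are reserved zeros.
HANDSHAKE_INIT, HANDSHAKE_RESP, COOKIE_REPLY, TRANSPORT = 1, 2, 3, 4

# The three handshake message types have fixed total lengths.
FIXED_LENGTHS = {HANDSHAKE_INIT: 148, HANDSHAKE_RESP: 92, COOKIE_REPLY: 64}
TYPE_NAMES = {HANDSHAKE_INIT: "handshake_initiation",
              HANDSHAKE_RESP: "handshake_response",
              COOKIE_REPLY: "cookie_reply"}


def classify(payload: bytes) -> Optional[str]:
    """Return the WireGuard message type name, or None if framing does not match."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_LENGTHS:
        return TYPE_NAMES[msg_type] if len(payload) == FIXED_LENGTHS[msg_type] else None
    if msg_type == TRANSPORT:
        # header(4) + receiver index(4) + counter(8) + ciphertext, where the
        # ciphertext is plaintext padded to a 16-byte multiple plus a 16-byte tag.
        # A keepalive (empty plaintext) is therefore exactly 32 bytes.
        if len(payload) >= 32 and len(payload) % 16 == 0:
            return "transport_data"
    return None


def flow_is_wireguard(payloads: List[bytes]) -> bool:
    """Flag a UDP flow whose first two datagrams are a handshake pair and the
    rest are transport data. The transport check alone is weak (any 16-byte
    multiple with a zeroed header passes), so the handshake is required."""
    kinds = [classify(p) for p in payloads]
    if len(kinds) < 2 or kinds[0] != "handshake_initiation" or kinds[1] != "handshake_response":
        return False
    return all(k == "transport_data" for k in kinds[2:])


# --- Constructed packets (hypothetical builders, filler crypto fields) ---------

def build_handshake_initiation(sender_index: int) -> bytes:
    # ephemeral(32) + encrypted static(48) + encrypted timestamp(28) + mac1(16),
    # then mac2(16), which is all zeros unless the responder is under load.
    body = b"\xab" * (32 + 48 + 28 + 16) + b"\x00" * 16
    return bytes([HANDSHAKE_INIT, 0, 0, 0]) + struct.pack("<I", sender_index) + body


def build_handshake_response(sender_index: int, receiver_index: int) -> bytes:
    # ephemeral(32) + encrypted empty(16) + mac1(16) + mac2(16)
    body = b"\xcd" * (32 + 16 + 16) + b"\x00" * 16
    return (bytes([HANDSHAKE_RESP, 0, 0, 0])
            + struct.pack("<II", sender_index, receiver_index) + body)


def build_transport(receiver_index: int, counter: int, plaintext_len: int) -> bytes:
    padded = -(-plaintext_len // 16) * 16          # pad plaintext up to 16-byte multiple
    ciphertext = b"\xef" * (padded + 16)           # plus 16-byte Poly1305 tag
    return (bytes([TRANSPORT, 0, 0, 0])
            + struct.pack("<IQ", receiver_index, counter) + ciphertext)


# Constructed sample flows: one WireGuard session, one DNS-like exchange.
SAMPLE_FLOW = [
    build_handshake_initiation(0x11223344),
    build_handshake_response(0x55667788, 0x11223344),
    build_transport(0x55667788, 0, 0),    # keepalive
    build_transport(0x55667788, 1, 60),   # e.g. a tunnelled TCP SYN
]
NON_WG_FLOW = [
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01",
    b"\x12\x34\x81\x80\x00\x01\x00\x01" + b"\x00" * 32,
]

if __name__ == "__main__":
    for p in SAMPLE_FLOW + NON_WG_FLOW:
        print(len(p), classify(p))
    print("wireguard flow:", flow_is_wireguard(SAMPLE_FLOW), flow_is_wireguard(NON_WG_FLOW))
```

The classifier is deliberately framing-only; a real middlebox would add the UDP transport, inter-packet timing and the constant handshake sizes as further signals. The point for the thread is the inverse: because every one of these fields is sent in the clear with a fixed layout, there is nothing for an obfuscation layer to hide behind unless one is added around WireGuard.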


I have actually lived in China for 2 years and travelled there for maybe 6 months in total in addition to that. I've always just used a traditional, commercial VPN service such as ExpressVPN. In theory, those can also easily be blocked, but in my experience it rarely happens in practice.

The main issue with living in China is the fact that the connections to the outside world are so clogged that using something like Youtube is often so slow that it's not even worth trying; that was the case in the Beijing area between 2016-2018 at least.


There is a "conspiracy" theory that those VPNs work in China because they have a connection to the CCP.

It would be amazing if Tailscale could use ExpressVPN-type services for handshaking so that it can work inside the GFW.


I think self-hosting is the better solution if you're worried about someone blocking a VPN's IP address.

I've heard those conspiracy theories, but to be honest I just accepted that everything was monitored when I was in China anyway. Installing something like Wechat/微信 basically gives tencent permission to everything that's on your (Android) phone anyway. To me, the VPN was solely about granting access to what was otherwise blocked, not about privacy.


Yes. I am looking for something like Tailscale but can be self-hosted.


That would be headscale, mentioned above.


I am not able to reply to your other comment, so I'll reply here.

Everything except for Tailscale (and possibly ZeroTier) on that list can be entirely self-hosted.


Thanks. I will take a look.


A ton of people seem to use ZeroTier in China. It's harder to block since you can self-host everything, which many in China do.


Fully self-hosted is usually best, e.g. WireGuard. ZeroTier is close. OpenZiti, especially in cases in which app-specific VPNs help (each session looks like a different encrypted app, and you choose which apps).


Tinc is another mesh option. Doesn't use wireguard but is still highly regarded and liked: https://www.tinc-vpn.org/


Fortinet has a (cloud controlled, IPSec based) mesh VPN solution. Maybe other networking equipment vendors also have their own offerings.


Why would anyone want to have IPSec in 2022? It means remaining stuck with a mid-90s committee-driven-crypto protocol (and the design is far from best practice in modern security).

I really like the design principles[1] of WireGuard. It does away with all the key-negotiation nonsense and eliminates a whole cluster of potential flaws right out of the gate. Also, Jason Donenfeld's software development skill is at a level that can only be described as that of a 10000x developer.

[1] https://securitycryptographywhatever.buzzsprout.com/1822302/...


I think your average enterprise sysadmin/networking person doesn't really care about IPSec vs Wireguard.


Another well-vetted one is OpenZiti (NetFoundry SaaS products are built on top of OpenZiti). Full mesh, although a default-closed model instead of a default-open model:

https://openziti.github.io/ziti/overview.html



