undefined | Better HN

0 pointsash5y ago0 comments

Why is userland TCP/IP stack needed? I didn't get this part of the story.

0 comments

Work through it. You need WireGuard to talk to SSH on our instances; that can't change, it's a security rule. You can get userland WireGuard; that's how most people WireGuard. But you can't create an OS tun device: you need root to do that; you might as well just install WireGuard. Ok: you handshaked a WireGuard connection in Go. What's next?

Let's simplify it: from your Go WireGuard connection, just do an HTTP GET. What's your next step?

ashOP5y ago

I think I got it now!

I was confused because Tailscale does not bring its own userland TCP/IP. It can - as a VPN solution - rely on OS-provided TCP/IP stack, but you wanted to avoid having to hook up flyctl into OS as a virtual network interface, right?

tptacek5y ago

I think you've got it. Tailscale is installing WireGuard. You have to have privileges to install Tailscale. They can tell the OS to route packets through their virtual interface.

We could too! This is all in `wireguard-go`. But we'd have to prompt users to escalate privileges every time they tried to SSH somewhere (or, worse, install a long-term resident thingy, just to SSH to things). We don't want to own your VPN connections!

This is an end-run around all of that; we just take responsibility for all of TCP/IP, in our dumb little command line program.

1 more reply

j / k navigate · click thread line to collapse

0 comments

tptacek5y ago

Let's simplify it: from your Go WireGuard connection, just do an HTTP GET. What's your next step?

ashOP5y ago

I think I got it now!

tptacek5y ago

I think you've got it. Tailscale is installing WireGuard. You have to have privileges to install Tailscale. They can tell the OS to route packets through their virtual interface.

This is an end-run around all of that; we just take responsibility for all of TCP/IP, in our dumb little command line program.

1 more reply

j / k navigate · click thread line to collapse