undefined | Better HN

0 pointsacatton4y ago0 comments

Wireguard is also a good alternative. But you need to connect to a VPN every time you want to SSH.

Here is my personal reasons why I use spiped:

* spiped is transparent by using ProxyCommand[1]. This allow me to do "ssh host" and thanks to my ssh_config, it just connects.

* spiped can be run in a very hardened way.[2] It just needs to listen() to a socket, connect to another one, and access a key file. Wireguard needs complex network access, it needs to create interfaces and open raw sockets.

* spiped is much simple to manage, just run a daemon. With wireguards there are two possibilites:

** Every host runs wireguard, you might need to connect to multiple hosts at the time, you need to manage internal IP conflicts, etc...

** One central wireguard server, you have a single point of failure, and can't ssh anywhere if this host is down.

Don't get me wrong, I love wireguard, use it all the time as a VPN, but I don't think it's appropriate as a layer of protection in front of my SSH server.

Both Wireguard and Spiped are written by very smart people.

[1] https://man.openbsd.org/ssh_config#ProxyCommand

[2] https://ruderich.org/simon/notes/systemd-service-hardening

0 comments

codetrotter4y ago

I use WireGuard and ssh together.

On my two VPSes I have one of them run a WireGuard server, and both of the VPSes have their sshd bound to the WireGuard interface only.

At home I have a computer running a WireGuard server. Two of the other computers at home are clients of both the WireGuard server at home and of the WireGuard server VPS. I can connect directly to the WireGuard VPN at home from anywhere and ssh into the other machines on their WireGuard interfaces of that VPN, but if the WireGuard server at home is down I can connect via the WireGuard VPN that runs on my VPS and still ssh into the other machines at home that way.

I also have WireGuard running on a physical server in a data center that I manage. On that server I use WireGuard only because it makes connections much more stable than connecting via ssh directly.

My three different WireGuard servers all use different private range IP address subnet ranges, so there is no conflict. I use WireGuard for communication between my own hosts but not for tunneling other traffic.

WireGuard is great and the perfect solution for a small number of machines at least. And I am sure that if you have a lot of machines you could come up with some suitable setup using WireGuard even then.

j / k navigate · click thread line to collapse