
Subspace – A simple WireGuard VPN server GUI - jamilbk
https://github.com/subspacecommunity/subspace
======
terrywang
Ah, this is a fork, NOT the original. I came across the original subspace a long
time ago when switching from strongSwan (IPsec based VPN) to WireGuard for my
own good. There has been no development work for the original project in a
while.

If you are looking for user friendly web UI for quickly building a VPN for
remote access (encrypting traffic / data path between the device and
Internet), with easy client management (scan the QR code for client profile
thingy) try

- wg-access-server [1]

- wg-gen-web [2]

- wg-ui [3]

They all work well in a containerized fashion, all created around the same
time when WireGuard was merged into Linux kernel mainline ;-)

Simple script worked better for my remote access use case for now, for use
cases at scale I'd seriously take Tailscale into account (100 clients for
personal - free account).

[1]: [https://github.com/Place1/wg-access-server](https://github.com/Place1/wg-access-server)

[2]: [https://github.com/vx3r/wg-gen-web](https://github.com/vx3r/wg-gen-web)

[3]: [https://github.com/EmbarkStudios/wg-ui](https://github.com/EmbarkStudios/wg-ui)

~~~
oregontechninja
Pretty sure this is a fork because the original has arbitrary user limits due
to it wanting to be a commercial product. Que hundreds of forks with the user
limits removed.

~~~
Angostura
'Cue' not 'Que' - just in case you want to use the word in more formal
circumstances.

~~~
bakoo
Que?

------
rubatuga
Is there anybody interested in building or using a service that routes static
public IPs to self-hosted servers, over WireGuard? I made a prototype a week
ago, here's the homepage:

[https://hoppy.network](https://hoppy.network)

I realized that I didn't want to ever deal with port-forwarding, NAT, or
dynamic DNS and decided to create this. Message me if you want a signup link.

~~~
xrisk
I tried your service and it just works™, which is great. But a couple of
points:

1) I saw that you're basically using one OVH box per IP. How do you plan to
ever monetize this then?

What prevents a user from creating their own VPN instance on their own box and
port forwarding from there? Granted this process is somewhat involved, but the
kind of user who needs to do this is likely to be somewhat technically
inclined anyway. (Some ideas: negotiate long-term deals for IP addresses and
try to map > 1 IP per box / remove the static IP guarantee and keep a rotating
pool of addresses – _public_ IPs are more valuable than _static_ IPs anyway
IMO and you can integrate dynamic DNS into your service)

2) How do I know that you're not sniffing my traffic? Granted that most
traffic being encrypted these days is a thing, but still I think it's a
genuine concern.

3) I live in Asia, so latency was off-the-charts for me. (On the order of
500ms). But this problem could easily be solved by introducing servers in more
locations.

~~~
rubatuga
1) I have monetization figured out. That's as much as I'll say for now.

2) That's a hard question, mainly because if I was using this service I would
ask the same thing. Personally, I think a strong mission statement, privacy
policy, and maybe a warrant canary would be good enough. At least with a
strong privacy statement, I would be legally bound to never sell/peek at your
data which is loads better than current ISPs.

I can't do much better than promise I wouldn't.

3) Did the Chicago server fare any better?

Also, thank you for the comments! I really appreciate them.

~~~
xrisk
1) That's nice to know. Best of luck!

I think two tiers with a cheaper roaming IP + dynamic DNS plan and a more
expensive static IP plan would be smart. But that's for you to decide.

3) Only the Canada server was available when I signed up ~2 weeks ago
unfortunately. I'll take a look again.

------
boringg
Let's be clear here. Subspace is and always will foremost be a fantastic
massive online game from the late 90s. See wikipedia for more info. Slight
disappointment that it wasn't related.

~~~
hu3
I had no notion about the Subspace game and as time passes my parcel of the
population will only grow relative to people who do know the Subspace game.

It's not fair nor feasible to reserve names permanently.

~~~
boringg
It's cool - I'm having fun with nostalgia.

~~~
hombre_fatal
fwiw, the Continuum client is available even on Steam and some zones, like
Trench Wars and Extreme Games still have full lobbies.

I got back into Extreme Games (30-flag CTF) for 6 months last year. Good times
all over again.

------
PeterStuer
Anyone else thought of 'Subspace', the pioneering internet multiplayer space
shooter from the 90's that was in many ways ahead of its time? Great times
were had.

[https://en.wikipedia.org/wiki/SubSpace_(video_game)](https://en.wikipedia.org/wiki/SubSpace_\(video_game\))

~~~
tiborsaas
No, I had a nastier association :)

~~~
reading-at-work
Surprised I had to scroll this far to find this - same here!

------
naggie
Shameless plug time: those interested in subspace might want to check out a
project of mine: dsnet
[https://github.com/naggie/dsnet/](https://github.com/naggie/dsnet/)

dsnet is a simple wireguard management command that manages key generation and
IP allocation, generating config files. I'm using it for a few networks at the
moment.

I recently tried to add decent documentation and a blog post in the hope that
it's useful to someone. I should do a Show HN really.

Here's the blog post:
[https://callanbryant.co.uk/blog/how-to-set-up-a-wireguard-vp...](https://callanbryant.co.uk/blog/how-to-set-up-a-wireguard-vpn-in-minutes-with-dsnet/)

~~~
piquadrat
This looks very interesting, thanks.

Side note, any particular reason for having `user-select: none` set on your
blog? That seems somewhat counterproductive for a blog with code examples...

~~~
naggie
> This looks very interesting, thanks.

I'm glad you like it.

> Side note, any particular reason for having `user-select: none` set on your
> blog? That seems somewhat counterproductive for a blog with code examples...

Ah -- that's not intentional. Thanks for letting me know, I've pushed a fix!

I developed the hugo theme for something else where it made sense (a portal)
then converted it for use with my blog and missed that.

------
simias
I don't mind the wg-quick command line interface but I must say that the #1
thing that bothers me with wg is that the private keys are stored directly in
the config. That means that every time I add a new user the keys are plainly
readable on my screen.

Is there a simple way to work around this issue? Can I include the keys from a
3rd party file for instance? I guess I could always just pre-process the
config file to generate the final one from multiple sources.

~~~
BCM43
PostUp should do what you want.
[https://wiki.archlinux.org/index.php/WireGuard#Store_private...](https://wiki.archlinux.org/index.php/WireGuard#Store_private_keys_in_encrypted_form)

I have it grabbing a key from AWS Secret Manager, haven't had a problem with
that.
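
The PostUp approach linked above, applied to simias's question, as an added example that is not part of the thread: a shell function that moves an inline `PrivateKey` out of a wg-quick config into an owner-only file and has `wg set` load it when the interface comes up. The function name and the file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function name and paths are hypothetical.

# split_private_key CONF KEYFILE
# Moves the inline PrivateKey of a wg-quick config into KEYFILE (mode 0600)
# and replaces the line with a PostUp hook that loads the key from that file.
split_private_key() {
    conf=$1
    keyfile=$2

    # Value of the first PrivateKey line, surrounding whitespace trimmed.
    key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | head -n 1)
    if [ -z "$key" ]; then
        echo "no inline PrivateKey in $conf" >&2
        return 1
    fi

    (
        # Files created in this subshell are readable by the owner only.
        umask 077
        rm -f "$keyfile"
        printf '%s\n' "$key" > "$keyfile"
        # wg-quick expands %i to the interface name; "wg set ... private-key"
        # reads the key from a file, so it never appears in the config.
        awk -v kf="$keyfile" '
            /^[[:space:]]*PrivateKey[[:space:]]*=/ {
                print "PostUp = wg set %i private-key " kf
                next
            }
            { print }
        ' "$conf" > "$conf.tmp"
    ) || return 1

    # The temporary file is already 0600, so the rewritten config stays private.
    mv "$conf.tmp" "$conf"
}

# Stand-alone use: sh split-key.sh /etc/wireguard/wg0.conf /etc/wireguard/wg0.key
if [ "$#" -eq 2 ]; then
    split_private_key "$1" "$2"
fi
```

With `SaveConfig = true`, wg-quick writes the running key back into the config on shutdown, so leave that option off when using this layout.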

~~~
atonse
In case others got confused by this thread (I thought for a minute "how do you
know which private key goes with which peer", is PostUp per peer, etc)...
There is only one private key per interface on the server (or anywhere for
that matter) and all the other peers are public keys.

I might be the only one who confused myself :)

~~~
simias
Right, my use of the plural was confusing. It's just that in general when you
add a client you end up editing both the client and the server config, so both
keys end up being disclosed on the screen.

------
lykr0n
I giggled at this project name.

Seriously. This is cool. CLI rules all, but man, sometimes it's nice to use a
GUI.

~~~
hawski
In my early Linux days I remember Subspace Continuum a 2d MMO space ship
battle game. I did suck at it, but it was massively interesting.

------
djsumdog
Interesting. I wonder if it re-creates the connection each time you login.

The biggest issue I have with Wireguard is that it's not set up for
Roadwarriors. If you have an endpoint with a dynamic IP address (like your
home router), but you give wireguard a DNS name, it doesn't store the DNS
name. It only stores the resolved IP address.

The official solution is a script they have in their contrib repo that you
stick in cron and it scans for changes and resets the endpoint if your DNS
changes.

Wireguard also can't bind to a specific adapter on a multi adapter server.
Since it doesn't respond with anything with unauthenticated packets, the
official solution is that it shouldn't matter. Just iptables on everything and
only accept packets on the adapter you want public.

The problem is, the egress packets will just go over the default adapter, so
now you have incoming and outgoing packets taking different routes.

Overall though, I like wireguard way more than OpenVPN. They still need to
fix those and other issues though.

~~~
L_Rahman
I set up Wireguard using Algo on a home server I kept behind a home router with
no problems. It was definitely a dynamic IP because Comcast doesn't provide
static IPs for residential connections.

Am I misunderstanding the limitation you're claiming?

~~~
catalogia
> _It was definitely a dynamic IP because Comcast doesn't provide static IPs
> for residential connections._

In my experience, Comcast IPs aren't contractually static, but they very
rarely change. Months or years of having the same IP doesn't seem to be
uncommon.

~~~
jaywalk
I've had the same IP address with Comcast for 5+ years. That includes moving
to a different city and multiple different modems. Only thing that has stayed
consistent is my router.

------
abdulqabiz
Not sure following is related to the post, but it might help a few like me who
are still using High Sierra (macos), and can't use the official WireGuard GUI
client (because it targets newer versions of macos).

You might want to check WireGuardStatusBar -
[https://github.com/aequitas/macos-menubar-wireguard](https://github.com/aequitas/macos-menubar-wireguard)

I like it over wg-quick (which requires sudo, and prompts for password all the
time). The WireGuardStatusBar uses a privileged helper, so you only need to
authorize it once and use it all the time.

Cheers.

------
microcolonel
Cool, the slick SSO feature means this may be a good choice if I want to set
something up that I won't have to support until the day I die.

I like how many choices there are for off-the-shelf configuration generators.

------
econcon
Anyone who uses wireguard UI on Mac? I tried downloading it from app store,
with error "unable to download to Macintosh HD"

I am only one version behind the latest Mac, so what could be the problem?

------
unixhero
Could anyone refer to a definite guide to what Wireguard is, what pain point it
solves and effective applications of it?

What kind of magic can I use it for to pipe data around securely in my AWS
fortress?

~~~
danielbln
It's pretty clearly stated on the landing page of their website:
[https://www.wireguard.com/](https://www.wireguard.com/)

- simplicity

- sound crypto

- minimal attack surface

- high performance

- well defined

------
ochronus
Kudos! Nice work, I hope this helps with the adoption of WireGuard

------
chrisallick
Best video game ever.

------
icholy
What's the deal with the fork?

~~~
jamilbk
The original project [1] hasn’t seen any commits in a year.

[1]
[https://github.com/subspacecloud/subspace](https://github.com/subspacecloud/subspace)

~~~
DCKing
Great news this was forked. It was pretty clear the previous project was not
really a project but a code dump (still: thank you to the original devs for
sharing this with the world!), and so I refrained from using it. Really great
this has become a more open project with continued development!

