
VPN service for hosting public-facing services on non-hosting ISP circuits - voidmain0001
https://holepunch.io/
======
vinay_ys
Looking through the
[https://github.com/CypherpunkArmory/punch/blob/master/tunnel...](https://github.com/CypherpunkArmory/punch/blob/master/tunnel/tunnel.go)
seems to indicate it is just using an ssh connection between your box and their
server and then forwarding traffic through that ssh connection.

If ssh is blocked by your IT admin, this will not work. In that sense this
isn't doing any holepunching. In the more traditional definition, holepunching
meant establishing a connection between two machines that are both behind a
NAT or stateful firewall and neither of which has a static public IP address.

Also, looking at the code, there seems to be not much emphasis on security
w.r.t. ssh host key verification or bootstrapping the chain of trust with
pre-verified credentials etc. Weird choices for a project with cypherpunk in
its name.

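The host key concern raised above, as an added example that is not code from the punch/holepunch project: a pinned-fingerprint check in Go (standard library only, so it stands in for the host key callback an SSH client library would invoke before any port is forwarded) that bootstraps trust from a fingerprint list shipped with the client instead of accepting whatever key the relay presents. The host name `relay.example`, the pin-file format and the key bytes are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Fingerprint: OpenSSH-style "SHA256:" + unpadded base64 of the key blob's SHA-256.
func Fingerprint(keyBlob []byte) string {
	sum := sha256.Sum256(keyBlob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ParsePins reads the pin file shipped with the client ("host SHA256:..." per line, # comments).
func ParsePins(pinFile string) (map[string]string, error) {
	pins := make(map[string]string)
	for _, line := range strings.Split(pinFile, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 || !strings.HasPrefix(f[1], "SHA256:") {
			return nil, fmt.Errorf("malformed pin line: %q", line)
		}
		pins[f[0]] = f[1]
	}
	return pins, nil
}

// CheckHostKey runs before any port is forwarded: an unknown relay is refused
// (no trust-on-first-use) and a fingerprint that differs from its pin is fatal.
func CheckHostKey(pins map[string]string, host string, keyBlob []byte) error {
	want, ok := pins[host]
	if !ok {
		return fmt.Errorf("no pinned host key for %s; refusing to connect", host)
	}
	if got := Fingerprint(keyBlob); got != want {
		return fmt.Errorf("host key mismatch for %s: got %s, want %s", host, got, want)
	}
	return nil
}

func main() {
	key := []byte("constructed relay host key blob") // stands in for the real key
	pins, _ := ParsePins("# constructed pin file\nrelay.example " + Fingerprint(key))
	fmt.Println(CheckHostKey(pins, "relay.example", key), CheckHostKey(pins, "relay.example", []byte("mitm")))
}
```
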
~~~
prater
Author here. You're right. The project is still in beta - so we're still
working on ironing out some of the kinks. The host key verification issue is
being worked on today actually. I'm not sure what you mean by "bootstrapping
the chain of trust with pre-verified credentials" though. If you want to open
an issue on
[https://github.com/CypherpunkArmory/holepunch](https://github.com/CypherpunkArmory/holepunch)
we'd love to get your feedback about how we can improve security prior to a
general release.

------
fulafel
This might actually be the future of running net-accessible stuff on your own
devices, if the NAT-imposed unreachability continues to cement itself as the
default expectation for people. Great that they have a free tier.

Though I think you can do this same thing with many existing tunnel providers
too, no?

~~~
sdwisely
> This might actually be the future of running net-accessible stuff on your
> own devices

I sure hope not, demand ipv6.

~~~
altfredd
Possession of an IPv6 address does not automatically imply that your ISP
allows incoming connections to your ports.

~~~
sdwisely
Port blocking is a whole other problem.

I'm referring to the rapidly growing number of people behind CGNAT.

------
random45345
Reminds me of [http://pagekite.net](http://pagekite.net). It has been around
for a few years, their software is open source and seems pretty easy to use.
Never used it myself though, so I cannot vouch for their stability.

------
steve_taylor
How does this compare with ngrok?

~~~
old-gregg
Why don't you find out and tell us?

------
stedaniels
The website looks good. Obviously early days since pricing is missing.
Probably sorting out value proposition, how much they can get away with
charging, etc.

A comparative point is using Cloudflare and Argo tunnel which I'm currently
using.

~~~
Tepix
If you are technically capable of setting it up yourself using OpenVPN, you
can get a dirt cheap VPS with one IPv4 address for less than $1/month
($12/year). lowendtalk.com is a community that discusses these deals.

~~~
dannyw
My experiences have been that these businesses generally disappear after a few
months and leave you holding the bag, with a service disruption and data loss.

Recommendations for any “low end box” that’s about $12 a year and not a fly by
night scam would be appreciated.

~~~
lohszvu
I've used hostus and alpharacks for multiple years at that price range.

~~~
metildaa
Alpharacks is super spammy and IMO a bit shady. Do not give them an email
address that isn't specific to them.

~~~
icelancer
Agreed. Also, Alpharacks has regularly shut down servers of mine and had to
give me new VPSes with 100% data loss on the previous servers.

~~~
metildaa
It's a GreenValueHost repeat :c

------
mirimir
Another option is Algo using WireGuard with port forwarding.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
syntonym
I'm really confused why this creates an IPsec server AND a WireGuard server,
or do I read that wrong? Managing two servers which basically do the same
thing seems to double the attack surface without any gains. One selling point
of WireGuard is to be an easier but still at least as secure alternative to
IPsec.

~~~
ubercow13
It is so that you can use the same VPN server with devices which support
WireGuard and devices which only support IPsec.

------
peter_d_sherman
Looks like a service many people could use -- I wish you the best of luck in
your business endeavor!

One thing I'd like to see though is an "About Us" page, if you're a company;
or maybe a link to your LinkedIn profile if you're an individual...

Reason: I'd like to know more about the company or person that I'd be dealing
with before establishing a business relationship... I'm sure I'm not alone,
either.

Anyway, best of luck with your venture!

------
leetbulb
It might just be me, but I feel like this is going to be abused...badly. I
know of a few other similar services that have had huge abuse issues.

~~~
geocrasher
Yeah, the very first thing I thought of was along the lines of "Oh, so this is
how attackers will compromise a machine and run
[http://my-favorite-bank.com.holepunch.io/login-and-give-me-a...](http://my-favorite-bank.com.holepunch.io/login-and-give-me-all-your-moneys)
on a compromised computer."

I do see the benefit of the service, but I think it would be cool if they
offered a self-hosted version. A LowEndBox for $20/year gets you a box and an
IP to tunnel through.

~~~
jlogsdon
I am using a free tier instance in GCP and using tinc to accomplish exactly
this. It's not "click and play" but setting it up is simple. If I ever outgrow
the f1-micro it's easy enough to add another node with a public IP.

It has the added benefit of being a full-on VPN, though I don't generally use
it for regular internet browsing.

------
EugeneOZ
Never shut down your computer and pay electricity bills. Don't reboot too
often. And hope your provider will never have outages.

I know, some people have always-on computers, some people have low prices for
electricity, some don't care about downtimes. But it all looks so fragile, too
many "ifs".

If only there would be some layer to cover main instance outages...

------
ronsor
There's also Serveo[0] which I use pretty often:

[0] [https://serveo.net](https://serveo.net)

------
giancarlostoro
Nice, but be careful when doing this sorta thing at work that you don't
compromise company policy.

~~~
diminoten
Oh jesus don't do this at work without permission!

------
Ttlequals0
This is an option to build on-demand disposable OpenVPN endpoints on AWS:
[https://github.com/ttlequals0/autovpn](https://github.com/ttlequals0/autovpn)

------
CodeWriter23
Typo: “With our low cost, secure tunneling service, you won't run out __or__
reasons or ways to use it.“

------
sandov
I'll try to use this for SSH.

What's the best way to embed an SSH session inside of HTTP requests?

~~~
vinay_ys
It seems to be using ssh to tunnel your http connection in the first place.
So, if ssh is blocked in your network, this won't work.

~~~
lohszvu
That's not how networking works. Incoming connections are usually blocked,
which is what this is for. It punches a hole through your firewall by using an
established ssh tunnel to forward traffic over. You don't need to allow
incoming anything to use this service.

~~~
avh02
Yes, but there are organizations that block outgoing ssh connections.

