
Vita: simple and fast VPN gateway - yarapavan
https://github.com/inters/vita
======
rkeene2
I have used tinc [0] for this scenario successfully for 15 years. It not only
supports full mesh but automatic full mesh. It will use UDP for the data
stream when possible, supports RSA and Ed25519, and supports transporting
either IP or Ethernet frames.

I used the mode where it supports Ethernet frames to merge the VLANs of two
datacenters across the WAN (with some additional ebtables to prevent some
kinds of frames) to add the ability to migrate systems from one datacenter to
another during a partial outage.

~~~
yjftsjthsd-h
Is tinc okay security-wise? IIRC last time I looked the older crypto was
really iffy looking, and the newer crypto (ED25519 rocks) was only in the
dev/unstable version.

~~~
rkeene2
There were some issues in 1.0 that are fixed in 1.1, for which the protocol is
not yet finalized although the beta releases are stable. The lack of a final
release is annoying, since it does not guarantee upgrades will work with older
clients but this is because the protocol isn't finalized.

They are documented towards the bottom of [http://tinc-vpn.org/security/](http://tinc-vpn.org/security/)

~~~
mycall
Why 15 years to finish a protocol?

~~~
lugg
[https://youtu.be/qcILD9OJ2wg](https://youtu.be/qcILD9OJ2wg)

Good things take time.

~~~
mycall
All good, I've been using 15 years too. Unsung hero.

------
huhtenberg
Since it's ESP-based, what are the improvements here over a conventional IPsec
VPN?

It would also help to know how different it is from OpenVPN, for example, and
other VPN options including WireGuard.

I mean it's nice to see another VPN, but it'd be useful to know right off the
bat how it compares to existing options.

~~~
wmf
This is polling-based, so it's probably faster. But if you really need the
performance I would lean towards VPP since it seems to be more tested.

~~~
gonzo
From the readme:

“~2.5 Mpps (or ~5 Gbps of IMIX traffic) per core on a modern CPU”

Note CPU unspecified in above.

A Xeon-D 1541 (2.1GHz) will do 2.44 Mpps (Simple IMIX) and an i7-6950X will do
3.27 Mpps running AES-GCM-128 and VPP.

A kernel-based Linux implementation will do a bit under 500 Kpps running the
same algorithm.

The keying algorithm seems interesting, and is vaguely Wireguard-like (would
be more if it used a public-private keypair).

------
jonathanoliver
ZeroTier has been filling this gap for us for a few years now.

~~~
morpheuskafka
Yeah, ZeroTier is awesome! Works great on every platform, simple
authentication scheme, and it's always connected. I use it for access to
remote servers (have the zt subnet set to bypass firewall for accessing
various debug servers) for a nonprofit project and for all kinds of personal
uses as well. The free hosted version has up to 100 devices on a network and
you can self host as well.

------
fiatjaf
Is it possible to use cjdns for that kind of thing? I'm genuinely asking as I
don't understand it.

Once I tried to set up a VPN using some odd Windows software (OpenVPN, maybe?)
and the results were disastrous. I didn't understand any of the jargon the
program used, and I think I didn't get what was its main use case (most
certainly it wasn't what I was trying to do, that was creating a local subnet
between two computers or two LANs).

Then some months later I tried ZeroTier and was able to understand everything,
it seemed a perfect fit.

But still, people call ZeroTier a VPN. So why is it so different? And why does
it use a jargon so different?

~~~
drewp
I ran cjdns for 5 years but recently switched off it. For one, it seemed to
have too much traffic over my limited outbound link when things should have
been more idle. Also, the commit logs were a little unnerving to me for code
I'm trusting with my network security:

All kinds of "oops" edits:
[https://github.com/cjdelisle/cjdns/commit/3abe50b8e744f72696...](https://github.com/cjdelisle/cjdns/commit/3abe50b8e744f72696aa7ccd5ca5220b4570d020)
[https://github.com/cjdelisle/cjdns/commit/feabb1970fbaecf65c...](https://github.com/cjdelisle/cjdns/commit/feabb1970fbaecf65c651f5b1ea0bf9b8d3b5077)
[https://github.com/cjdelisle/cjdns/commit/c51d89431f1fa42955...](https://github.com/cjdelisle/cjdns/commit/c51d89431f1fa42955dc81652c079eb8ca7e814a)
[https://github.com/cjdelisle/cjdns/commit/1b0c999bd2e5988c3f...](https://github.com/cjdelisle/cjdns/commit/1b0c999bd2e5988c3f7e52232417edcab6f4cbb6)
[https://github.com/cjdelisle/cjdns/commit/355d7d77cc82c52bf1...](https://github.com/cjdelisle/cjdns/commit/355d7d77cc82c52bf1c9a46408f5c5128f264b93)
(function args passed in the wrong order)

Some are about extra traffic:
[https://github.com/cjdelisle/cjdns/commit/8bcfbf227a87020931...](https://github.com/cjdelisle/cjdns/commit/8bcfbf227a8702093114eda041cbd52d169b5fa2)
[https://github.com/cjdelisle/cjdns/commit/0ee9cb7f45b466232b...](https://github.com/cjdelisle/cjdns/commit/0ee9cb7f45b466232b02d5b826e3d5800d6573e5)

Also it's IPv6 only, which took some fussing. Performance was fine, even on
rpi. Reestablishing links was slow and sometimes required restarting the
daemon. Daemons would occasionally get wedged. Log output is unconventional
and uses a special reader tool (a la adb for android). Occasionally routes
wouldn't be chosen right (two home computers would route via an external cloud
box), which I'd fix by restarting the right daemons.

I laboriously switched to openvpn (two networks) and haven't worked out all
the routing and hotswitching for my roaming phone+laptop yet. Now I'm
considering vita, tinc, zerotier, or wireguard. Probably I'll try out zerotier
to see if it works out of the box, then try wireguard if I'm going to have to
configure it a lot, since it seems like WG is the most
unix-toolbox-do-one-thing out of all of them.

~~~
neilalexander
Check out Yggdrasil - [https://yggdrasil-network.github.io/](https://yggdrasil-network.github.io/) - we've tried very
hard to solve the problems that cjdns has, seem to be much more reliable in
real world conditions and we send/receive much less idle traffic to do it. We
also have Wireguard-like crypto-key routing for both IPv4 and IPv6. (I am one
of the developers.)

~~~
fiatjaf
Wow, that's nice. I'm going to start using that now.

cjdns always seems so intimidating when I look at it, Yggdrasil looks super
friendly and easy.

------
dcbadacd
Why not just wireguard?

~~~
willangley
IPsec is pretty much universal in networking hardware and cloud provider
networks nowadays. There's a better chance it'll work for you if you can't or
don't want to control both ends of the connection.

Hardware:

* Cisco: [https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions...](https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html)

* Juniper: [https://www.juniper.net/documentation/en_US/junos/topics/top...](https://www.juniper.net/documentation/en_US/junos/topics/topic-map/ipsec-tunnel-traffic-configuration.html)

Cloud:

* AWS: [https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connect...](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html)

* Azure: [https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gatew...](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal)

* gcloud: [https://cloud.google.com/vpn/docs/concepts/overview](https://cloud.google.com/vpn/docs/concepts/overview)

Also, some software environments have better support for IPsec than Wireguard;
a glance at the Algo docs
([https://github.com/trailofbits/algo](https://github.com/trailofbits/algo))
suggests that Windows and OpenWRT are both in this category today.

FWIW, I work for Google, I haven't configured IPsec in forever, and I'll
probably reach for Algo first the next time I think I need IPsec; I don't
think I have enough endpoints in my home network to need hardware offloading
:)

~~~
dcbadacd
Last time I configured IPSec it was so horrible, really-really-really
horrible, I will never touch it again with a ten-foot pole. Not only was the
software hard to configure, it was also hard to find working (new)
configuration examples as well as secure configurations. It never felt right
after setting it up and I did not want to spend any more time on it; wireguard
has been a blessing in that aspect.

------
mycall
Reminds me of tinc, which is under appreciated.

------
Jnr
Wireguard just makes more sense to me.

~~~
TrueDuality
For now tinc makes more sense to me. I plan on fully switching everything to
WireGuard once it actually enters the mainline kernel.

~~~
groestl
Tinc could still make sense as a control plane for the WireGuard VPN though.
There have been talks about WireGuard as a backend for tinc [0], hope that
sees some progress.

[0] [http://www.tinc-
vpn.org/pipermail/tinc/2017-February/004755....](http://www.tinc-
vpn.org/pipermail/tinc/2017-February/004755.html)

~~~
rkeene2
Sadly, using wireguard would come with some notable drawbacks since the
protocol isn't as flexible as tinc's.

First while the control plane would be TCP (since it's low traffic), the data
plane would then be UDP-only leading to issues where the data plane would not
work even though the control plane did. tinc currently starts the data plane
out over TCP and migrates it to UDP if it finds it works, and later migrates
it back if it discovers it stops working.

Second, wireguard only supports Ethernet frames, while tinc supports Ethernet
frames or IP packets depending on the mode. This is useful for, for example,
sending a bunch of IEEE 802.1Q VLAN tagged things over the VPN interface. This
use case could be migrated to be VXLANs, but it would require breaking the
existing tinc contract with its users.

Third, RSA keys are not supported, and that is the primary mechanism used in
tinc 1.0. It would be a breaking upgrade for all users, or require a long
migration time where RSA keys were replaced with wireguard compatible ones but
both were still supported while wireguard was not used.

------
AlphaWeaver
Is this similar to what Hamachi used to do?

~~~
atonse
I remember when Hamachi came out. It felt magical. It just worked™.

~~~
nixme
Have you tried ZeroTier?
[https://www.zerotier.com/](https://www.zerotier.com/)

~~~
atonse
I have but had a lot of trouble getting it working. (Although I only spent
about 30 mins trying)

------
fiatjaf
So, can I easily host the server?

ZeroTier is great, but hosting the server is very complicated (I'm not going
to stop using it now, since it's so easy and is already set, but it's good to
know of alternatives).

~~~
detaro
It's based on Snabb, a user-space networking platform, so it'll need direct
hardware access and supports only a few specific NICs. But in exchange for
that, it should be really fast.

------
vorpalhex
> Each route uses a pre-shared super key that is installed on both ends of the
> route.

Woof, not asymmetric? Is that normal for IPSec? I realize it's never sent over
wire, but still makes me nervous.

~~~
TrueDuality
Static symmetric keys are _one_ of the ways to authenticate an IPSec tunnel. It
also supports certificates for authentication, or fully unauthenticated
connections (but still encrypted).

------
otterwww
Their key exchange implementation looks scary and like a last minute scramble
to not be shit. No confidence here

------
Yuval_Halevi
Been using WireGuard. How's Vita different from it?

