
Hetzner DIY Private Networking with Tinc - romantomjak
https://romantomjak.com/posts/hetzner-private-networking.html
======
pstadler
Use WireGuard[1] instead. It's way faster than Tinc and other userland VPN
implementations. I've been using it for the same purpose as the author of the
article and it has been rock solid - not a single issue during almost two
years. Setup and configuration is a breeze[2].

[1] [https://www.wireguard.com/](https://www.wireguard.com/)
[2] [https://github.com/hobby-kube/guide#wireguard-setup](https://github.com/hobby-kube/guide#wireguard-setup)

Edit: Benchmarks on Hetzner Cloud (1vCPU, 2GB)

      $ iperf3 -c kube1
      Connecting to host kube1, port 5201
      [  4] local 10.0.1.2 port 57622 connected to 10.0.1.1 port 5201
      [ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
      [  4]   0.00-1.00   sec  77.2 MBytes   647 Mbits/sec   79   1.37 MBytes
      [  4]   1.00-2.00   sec  78.8 MBytes   661 Mbits/sec    0   1.51 MBytes
      [  4]   2.00-3.00   sec  81.2 MBytes   681 Mbits/sec    0   1.62 MBytes
      [  4]   3.00-4.00   sec  85.0 MBytes   713 Mbits/sec  134   1.20 MBytes
      [  4]   4.00-5.00   sec  80.0 MBytes   671 Mbits/sec    0   1.28 MBytes
      [  4]   5.00-6.00   sec  77.5 MBytes   651 Mbits/sec    0   1.33 MBytes
      [  4]   6.00-7.00   sec  88.8 MBytes   745 Mbits/sec    0   1.37 MBytes
      [  4]   7.00-8.00   sec  73.8 MBytes   619 Mbits/sec    0   1.39 MBytes
      [  4]   8.00-9.00   sec  78.8 MBytes   661 Mbits/sec    0   1.41 MBytes
      [  4]   9.00-10.00  sec  80.0 MBytes   671 Mbits/sec    0   1.42 MBytes

~~~
gant
Running Kube on their cloud servers? Well, have fun with that, the "vCore" is a
very inconsistent unit unless you get their dedicated core servers. I moved
back to Hetzner Bare Metal because you can't have anything that will push the
resource boundaries on these boxes.

Also regarding WireGuard, I really like how tinc will find a new path and
allows you to route over other nodes as needed. WireGuard can't really do that
out of the box, every link is 1:1. You can of course set up something on top of
that, but I miss the ease with which tinc does this.
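As an added example (my own code, not pstadler's, gant's or the hobby-kube guide's): a generator for the per-host `wg0.conf` files behind the "setup is a breeze" point above, which also shows the one thing gant misses, i.e. how a hub-and-spoke topology lets traffic between two spokes be routed over a third node even though each WireGuard link is 1:1 (the hub's AllowedIPs covers the whole overlay and the hub kernel forwards). Everything here is assumed or constructed: node names kube1..kube3, the 10.0.1.0/24 tunnel range (the one visible in the iperf3 output), endpoints in the TEST-NET-3 block 203.0.113.0/24, and UDP port 51820. Keys are derived with a pure-Python X25519 so the output is complete offline; the RFC 7748 section 6.1 vector is included as a self-check.

```python
"""WireGuard wg0.conf generator for a private overlay between cloud hosts.

Added example, not code from the original post or from the hobby-kube guide.
Assumed/placeholder: node names kube1..kube3, tunnel subnet 10.0.1.0/24,
endpoints in 203.0.113.0/24 (TEST-NET-3), UDP port 51820.
"""
from __future__ import annotations

import base64
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

P = 2**255 - 19                          # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")   # u = 9
SUBNET = "10.0.1.0/24"                   # assumed overlay range (as in the iperf3 output)


def _clamp(k: bytes) -> bytes:
    """RFC 7748 scalar clamping, the same that `wg genkey`/`wg pubkey` apply."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return bytes(b)


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5.  Pure Python for illustration;
    it is not constant-time, so do not use it for real keys."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def new_private_key() -> bytes:
    return _clamp(os.urandom(32))          # what `wg genkey` produces


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)  # what `wg pubkey` derives


def wg_b64(key: bytes) -> str:
    return base64.b64encode(key).decode()


@dataclass
class Node:
    name: str
    address: str        # tunnel IP inside SUBNET
    endpoint: str       # public ip:port that peers dial (placeholder here)
    private_key: bytes


def render_config(node: Node, nodes: List[Node], hub: Optional[Node] = None) -> str:
    """wg0.conf for `node`.  hub=None: full mesh, one [Peer] per other node with
    a /32 AllowedIPs (every WireGuard link is 1:1, so n*(n-1)/2 links).
    hub=<node>: spokes carry a single [Peer] whose AllowedIPs is the whole
    subnet, so spoke-to-spoke packets are forwarded by the hub kernel."""
    prefix = SUBNET.split("/")[1]
    out = ["[Interface]", f"Address = {node.address}/{prefix}", "ListenPort = 51820",
           f"PrivateKey = {wg_b64(node.private_key)}"]
    if node is hub:
        out.append("PostUp = sysctl -w net.ipv4.ip_forward=1")
    for peer in nodes:
        if peer is node or (hub is not None and hub not in (node, peer)):
            continue                       # spokes only know the hub
        allowed = SUBNET if (hub is not None and node is not hub) else f"{peer.address}/32"
        out += ["", f"# {peer.name}", "[Peer]",
                f"PublicKey = {wg_b64(public_key(peer.private_key))}",
                f"AllowedIPs = {allowed}", f"Endpoint = {peer.endpoint}",
                "PersistentKeepalive = 25"]
    return "\n".join(out) + "\n"


def demo(hub_name: Optional[str] = None) -> Dict[str, str]:
    """Constructed three-node example; keys are fresh on every run."""
    nodes = [Node(f"kube{i}", f"10.0.1.{i}", f"203.0.113.{i}:51820", new_private_key())
             for i in (1, 2, 3)]
    hub = next((n for n in nodes if n.name == hub_name), None)
    return {n.name: render_config(n, nodes, hub) for n in nodes}


# RFC 7748 section 6.1 test vector (Alice): the public key `wg pubkey` would derive.
RFC7748_ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"

if __name__ == "__main__":
    assert public_key(RFC7748_ALICE_PRIV).hex() == RFC7748_ALICE_PUB
    for name, cfg in demo(hub_name="kube1").items():
        print(f"# ---- /etc/wireguard/wg0.conf on {name}\n{cfg}")
```

Run it, paste each printed section into `/etc/wireguard/wg0.conf` on the matching host and bring it up with `wg-quick up wg0`. Call `demo()` with no hub for the full mesh. For real deployments generate the keys with `wg genkey | tee private | wg pubkey` rather than this Python X25519, which is here only so the configs are complete and the derivation is visible; in the hub layout the hub is also a single point of failure, which is the part tinc handles for you.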

~~~
chrismeller
I was actually surprised at the lackluster performance on the cloud products
as well and recently spun up a dedicated box for a workload that actually
required consistent performance. I never expected the performance to match a
bare metal option of course, but coming from any of the other cloud providers
I expected it to be more equivalent than it turned out to be.

------
mwest
You can achieve something similar with Hetzner's recently introduced "vSwitch
feature". Works across their different DCs, which is nice. Some docs here:
[https://wiki.hetzner.de/index.php/Vswitch/en](https://wiki.hetzner.de/index.php/Vswitch/en)

I've been using ZeroTier to give a common backplane to my Hetzner servers, DO
droplets and AWS instances.

~~~
jmngomes
I understand this may not be an issue in your case, but vSwitches won't
encrypt your data in transit between servers, unlike a VPN or ssh tunnel.

~~~
gant
It depends. I've seen some shit on cheap bare metal providers, including
getting ARP poisoned on Online.net.

Hetzner has been great overall. They've been very very helpful in documenting
me reacting to abuse emails too when I got into some user-generated-content
related legal trouble.

~~~
fapjacks
I really have to second the praise of Hetzner overall here. I have run a
couple of their dedicated machines for several years and have nothing but good
things to say about them and their service.

------
danielh
> Normally you only get one public IP and no private interfaces.

From my understanding, this statement is not quite correct, as Hetzner allows
you to set up VLANs:

> With the vSwitch feature, you can connect your dedicated root servers in
> multiple locations to each other using VLAN via the administration interface
> Robot.

You probably still want to encrypt the traffic passing through those VLANs.

They also offer the option to install custom hardware, so you might even be
able to get a second NIC connected to your own private switch.

~~~
chrismeller
That only applies to their dedicated servers. OP is using their cloud
offering, which doesn't support this feature or custom hardware.

------
TomMarius
Isn't the point of DO's private networking that you don't need to encrypt the
traffic? Or is it just internal, but not private?

~~~
chrismeller
Yeah, I found that an odd comparison to make as well. If you want encrypted
traffic that's all well and good, but there's no reason to assume that the
private network is going to be any different performance wise than the exact
same encrypted solution over the public interface - a network is a network is
a network in this case.

Since the goal was to have a private network between your own boxes, the
encryption was only really "required" to protect private data because it had
to transit the public network in Hetzner. Since DO provides a private network
natively there's (in theory) no justification for the encryption, which means
you'd get native performance, hence the advantage.

~~~
pstadler
Are you sure DO's private network traffic is actually encrypted or even
isolated? Back some time ago, any host within the same private network could
be reached. I wasn't surprised to see connection attempts from random hosts on
eth1.

~~~
TomMarius
Other comment there talks about it, they changed it a while ago and now it's
isolated, but not encrypted.

------
_Codemonkeyism
What about ZeroTier with Hetzner?

~~~
chrisper
ZeroTier doesn't do PFS (Perfect Forward Secrecy)... and somehow it is too easy
to add new clients to the network without you noticing.

~~~
manigandham
New clients have to be approved before they can join. How would you not
notice?

~~~
chrisper
Where do you approve them?

~~~
manigandham
The online control panel where you set up your private network in the first
place. This is where you configure the IP range and other settings, and accept
any devices that try to join.

