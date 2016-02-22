
Meshbird – Distributed private networking (github.com)
60 points by wjh_ 3 hours ago | 20 comments





Just took a quick look at the crypto implementation. It uses AES-256 in CBC mode but..... without an authentication tag (HMAC).

Development seems to be.. on hold, at the very least. The last commit was almost 6 months ago (2016-08-23), and the most recently closed issue was closed over 8 months ago (2016-06-06), and before that a year ago (2016-02-22).

The real win here is clearly that abomination of a GoPher

How is this doing discovery of other nodes? Says it is fully decentralized but just doing a `meshbird new` to get a key and then running `MESHBIRD_KEY="key" meshbird join` doesn't explain the discovery mechanism to me. Haven't dug into it much though.

  > Technologies used
  >     DHT

Thanks!

So it's like zerotier?

Does anyone here have any experience with other distributed VPNs?

I used to use n2n:

https://github.com/meyerd/n2n

Haven't found anything else quite like it.

Tinc (http://www.tinc-vpn.org) works well for me and can do meshing.

PeerVPN – Open-source peer-to-peer VPN

https://news.ycombinator.com/item?id=9025792

Check out wireguard: https://www.wireguard.io/

Wireguard supports roaming but it's not distributed in a p2p global sense.

True. tinc: https://www.tinc-vpn.org/ is another option for distributed VPN

But if you're ok with discovery going through master/server and then connecting directly to peers for traffic, I'd stick with Wireguard.

"Better encryption" in the roadmap and then "curl ... | sh".

No. Thanks.

"curl ... | sh" is absolutely fine. If you want to complain about something, complain about the fact that the URL being used is an http URL instead of an https one.

"curl | sh" is not in itself any less secure than "npm install" or "go get", but it is often a good indicator of a project that takes usability more seriously than security. IMO, it's also seen as "the new way" to do installs, and implies a lack of respect for the fodgy old way to do things (e.g. with a package manager).

> … is not in itself any less secure … takes usability more seriously than security.

You're contradicting yourself. If it's not any less secure, then how does using it mean you're not taking security securely? And you're also treating usability as if it's not important, when in fact usability is very nearly the most important part. If your software isn't usable, then nobody will use it, and if nobody is using it then it doesn't matter how secure it is.

Many of these scripts actually install through package managers; Docker's curl | sh like a year or two ago basically just set up an apt repo and ran some apt commands. I think the hurdle they're gunning for is having X number of distro targets and the explanation cost for a user that just wants to jump in.

At least, that's how I've read it to be.

If you want to complain about something, complain about the completely pointless fragmentation of the Linux ecosystem that pretty much mandates "curl|bash" to ship software for "Linux."

