VPN service for hosting public-facing services on non-hosting ISP circuits (holepunch.io)
63 points by voidmain0001 30 days ago | 46 comments

Looking through the https://github.com/CypherpunkArmory/punch/blob/master/tunnel... seems to indicate it is just using an ssh connection between your box and their server and then forwarding traffic through that ssh connection.

If ssh is blocked by your IT admin, this will not work. In that sense this isn't doing any holepunching. In a more traditional definition of holepunching it meant to establish a connection between two machines behind NAT stateful firewalls where neither has a static public IP address.

Also, looking at the code, there seems to be not much emphasis on security w.r.t. ssh host key verification or bootstrapping the chain of trust with pre-verified credentials etc. Weird choices for a project with cypherpunk in its name.
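The mechanism this comment describes (the box behind NAT dials out once, and the server with the public address pipes inbound visitors back down that already-open connection) is easy to see in miniature. The following is a constructed, self-contained demonstration written for this thread, not code from the punch/holepunch project; it uses plain TCP sockets instead of SSH channels, runs entirely on 127.0.0.1 with ephemeral ports, and handles a single tunneled connection so the data flow stays readable. The point it makes is the one argued in this comment and again further down: a firewall that only blocks inbound connections does nothing against this, while blocking the outbound connection (here, the agent's dial-out; in the real service, outbound SSH) breaks it entirely.

```python
"""Toy reverse tunnel: constructed demo of the idea behind `ssh -R`-style
services. Three roles, all on localhost:

  local service  : the thing behind NAT you want reachable
  agent          : also behind NAT; opens ONE outbound connection to the relay
  relay          : has the "public" address; listens for visitors and splices
                   each visitor onto the agent's outbound connection

Nothing ever connects *inbound* to the agent or the local service.
"""
import socket
import threading


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    peer sees EOF too (this is what lets a request/response round-trip end)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def splice(a: socket.socket, b: socket.socket) -> None:
    """Bidirectional pipe between two sockets; returns once both directions end."""
    t = threading.Thread(target=pipe, args=(b, a), daemon=True)
    t.start()
    pipe(a, b)
    t.join()
    a.close()
    b.close()


def listen(port: int = 0) -> socket.socket:
    """Bind a loopback listener; port 0 asks the kernel for an ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(5)
    return s


def start_relay() -> tuple[int, int]:
    """Public-IP side. Returns (control_port, public_port): the agent dials OUT
    to control_port; Internet visitors connect to public_port."""
    control = listen()
    public = listen()

    def run() -> None:
        agent, _ = control.accept()   # the agent's outbound connection arrives
        visitor, _ = public.accept()  # an inbound visitor (queued in the backlog until now)
        splice(visitor, agent)        # shove visitor bytes down the existing tunnel
        control.close()
        public.close()

    threading.Thread(target=run, daemon=True).start()
    return control.getsockname()[1], public.getsockname()[1]


def start_agent(relay_control_port: int, local_service_port: int) -> None:
    """NAT side: dial out to the relay, then bridge that socket to the local service."""
    def run() -> None:
        up = socket.create_connection(("127.0.0.1", relay_control_port))
        local = socket.create_connection(("127.0.0.1", local_service_port))
        splice(up, local)

    threading.Thread(target=run, daemon=True).start()


def start_local_service() -> int:
    """Stand-in for the service you want exposed: answers with an upper-cased echo."""
    srv = listen()

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(4096)
            conn.sendall(b"INSIDE-NAT:" + data.upper())
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload: bytes = b"hello") -> bytes:
    """Wire everything up, then act as an Internet visitor hitting the public port."""
    service_port = start_local_service()
    control_port, public_port = start_relay()
    start_agent(control_port, service_port)
    with socket.create_connection(("127.0.0.1", public_port)) as visitor:
        visitor.sendall(payload)
        visitor.shutdown(socket.SHUT_WR)   # signal end of request
        chunks = []
        while True:
            c = visitor.recv(4096)
            if not c:
                break
            chunks.append(c)
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo(b"hello"))   # b'INSIDE-NAT:HELLO'
```

Run it and the visitor's bytes reach a service that never accepted an inbound connection. To see the "block outbound ssh" failure mode from the thread, point `start_agent` at a control port nothing is listening on: the agent's dial-out fails and the public port never answers, regardless of how the NAT side's inbound rules are configured.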

Author here. You're right. The project is still in beta - so we're still working on ironing out some of the kinks. The host key verification issue is being worked on today actually. I'm not sure what you mean by "bootstrapping the chain of trust with pre-verified credentials" though. If you want to open an issue on https://github.com/CypherpunkArmory/holepunch we'd love to get your feedback about how we can improve security prior to a general release.

This might actually be the future of running net-accessible stuff on your own devices, if the NAT-imposed unreachability continues to cement itself as the default expectation for people. Great that they have a free tier.

Though I think you can do this same thing with many existing tunnel providers too, no?

> This might actually be the future of running net-accessible stuff on your own devices

I sure hope not; demand IPv6.

Possession of an IPv6 address does not automatically imply that your ISP allows incoming connections to your ports.

Port blocking is a whole other problem.

I'm referring to the rapidly growing number of people behind CGNAT.

Yes, this kind of proxying is the plan D.

Tor is another helpful tool for working around NAT.

Reminds me of http://pagekite.net It has been around for a few years, their software is open source and seems pretty easy to use. Never used it myself though so I cannot vouch for their stability.

How does this compare with ngrok?

Why don't you find out and tell us?

The website looks good. Obviously early days since pricing is missing. Probably sorting out value proposition, how much they can get away with charging, etc.

A comparative point is using Cloudflare and Argo tunnel which I'm currently using.

If you are technically capable of setting it up by yourself using OpenVPN, you can get a dirt cheap VPS with one IPv4 address for less than $1/month ($12/year). lowendtalk.com is a community that discusses these deals.

My experiences have been that these businesses generally disappear after a few months and leave you holding the bag, with a service disruption and data loss.

Recommendations for any “low end box” that’s about $12 a year and not a fly by night scam would be appreciated.

If you up your budget a little, you can get a bog standard Hetzner VPS for $2.50 a month.

Well, the one I have had for several years for $8/year was a temporary offer. But if you pick an ISP that has been around for a couple of years with decent reviews on that forum you should be ok. If you wait for a sale (like Black Friday) you will have plenty of offers.

I've used ramnode for 4 years with no problems. My usage is extremely light so I don't know what the performance is like.

I've been a Ramnode customer with several $15ish/year VPSes for a few websites and small services since 2012, and can second checking them out.

I've used hostus and alpharacks for multiple years at that price range.

I've used alpharacks and considering the performance of their VPSs, I'm sure they're heavily overselling their services. Same is the case with i83 and their cheap NATed VPSs.

On the other hand, I've been using Frantech/buyVM and the dirt cheap $2.50 VPS from vultr, and never faced any problems with them.

Alpharacks is super spammy and IMO a bit shady. Do not give them an email address that isn't specific to them.

Agreed. Also, Alpharacks has regularly shut down servers of mine and had to give me new VPSes with 100% data loss on the previous servers.

It's a GreenValueHost repeat :c

Another option is algo using wireguard with port forwarding.


I'm really confused why this creates an IPsec server AND a wireguard server, or do I read that wrong? Managing two servers which basically do the same thing seems to double the attack surface without any gains. One selling point of wireguard is to be an easier but still at least as secure alternative to IPsec.

It is so that you can use the same VPN server with devices which support wireguard and which only support IPsec.

I've only used it once. As I recall, you can install IKEv2 or WireGuard. Or both.

Looks like a service many people could use -- I wish you the best of luck in your business endeavor!

One thing I'd like to see though is an "About Us" page, if you're a company; or maybe a link to your LinkedIn profile if you're an individual...

Reason: I'd like to know more about the company or person that I'd be dealing with before establishing a business relationship... I'm sure I'm not alone, either.

Anyway, best of luck with your venture!

It might just be me, but I feel like this is going to be abused...badly. I know of a few other similar services that have had huge abuse issues.

Yeah, the very first thing I thought of was along the lines of "Oh, so this is how attackers will compromise a machine and run http://my-favorite-bank.com.holepunch.io/login-and-give-me-a... on a compromised computer."

I do see the benefit of the service, but I think it would be cool if they offered a self-hosted version. A LowEndBox for $20/year gets you a box and an IP to tunnel through.

I am using a free tier instance in GCP and using tinc to accomplish exactly this. It's not "click and play" but setting it up is simple. If I ever outgrow the f1-micro it's easy enough to add another node with a public IP.

It has the added benefit of being a full-on VPN, though I don't generally use it for regular internet browsing.

Well, this is working around externally imposed lack of internet connectivity after all. It might be called abuse by your local Mordac^Wperson disagreeing with you about risk assessments. You may want to try getting your net fixed, as an alternative to this proxying.

Never shut down your computer and pay electricity bills. Don't reboot too often. And hope your provider will never have outages.

I know, some people have always-on computers, some people have low prices for electricity, some don't care about downtimes. But it all looks so fragile, too many "if".

If only there would be some layer to cover main instance outages...

There's also Serveo[0] which I use pretty often:

[0] https://serveo.net

Nice but be careful when doing this sorta thing at work that you don't compromise company policy.

Oh jesus don't do this at work without permission!

This is an option to build on demand disposable openvpn endpoints on AWS https://github.com/ttlequals0/autovpn

Typo: “With our low cost, secure tunneling service, you won't run out __or__ reasons or ways to use it.“

I'll try to use this for SSH.

What's the best way to embed an SSH session inside of HTTP requests?

Running SSH as a Tor service might be easier if you're confident in the security of your SSH setup. (Key authentication is highly recommended for any public-facing SSH setup.)


Usually you can just port forward a port above 1024 on your router to port 22 (SSH) on your computer inside your home network. This has worked for me for the ISPs I have used.

It seems to be using ssh to tunnel your http connection in the first place. So, if ssh is blocked in your network, this won't work.

That's not how networking works. Incoming connections are usually blocked, which is what this is for. It punches a hole through your firewall by using an established ssh tunnel to forward traffic over. You don't need to allow incoming anything to use this service.

Yes, but there are organizations that block outgoing ssh connections.

