Innernet: A private network system that uses WireGuard under the hood (github.com/tonarino)
148 points by cmfcruz on Sept 21, 2022 | hide | past | favorite | 23 comments



Anyone else getting Tim and Eric vibes from the name here?

https://m.youtube.com/watch?v=Y5BZkaWZAAA


Heh, I named it and was specifically going for that reference :)


Yessssss


Nice project.

If I understand correctly, it makes an underlying WG network be closer to default-closed than default-open?

If so, do you plan mTLS and identity-based least-privileged access (e.g. like other FOSS such as OpenZiti and Nebula seem to do) for future?

If not, what is a good use case for innernet compared to those types of solutions?


Does this traverse NATs and outgoing-only firewalls?


Very cool project. One thing that seems lacking, however, is the ability to join a single machine into multiple subnets - what if, based on the example given halfway down the page here [0], I wanted to have access to resources in both the `engineering` and `straylight` subnets? It's not clear to me that innernet lets my computer be part of both, since 'you are your IP address'.

[0] https://blog.tonari.no/introducing-innernet


You can only make "associations" between the subnets, I think, see: https://github.com/tonarino/innernet#adding-associations-bet...


As mentioned in the comparison sections, other products use security tags to achieve this. So I'm assuming that it isn't supported except by relying on external firewalls.

Also interesting to note no mention of zerotier anywhere in the doc or comparisons


Yea, I inferred that was the purpose of the tags, though I didn't see the capability mentioned explicitly anywhere.

It doesn't seem like a fundamental limitation; if innernet let a single machine have multiple wireguard interfaces, each on different subnets, that would seem to be an elegant solution. But I didn't see mention of that, either.


IIRC, what you suggested is exactly how zerotier implements it


Huh. I think you're right. Though, zerotier uses central servers, has a significant performance hit compared to a wireguard solution, and is an L2 rather than L3 solution (the last isn't really a downside though).


It will be very useful and interesting to integrate Innernet with WiPhone to create a modern version of secure Sneakernet on the go e.g. bike intercom system, emergency networks, etc [1].

[1] WiPhone: An Open Source Phone That's Really Yours:

https://news.ycombinator.com/item?id=32762767

[2] Sneakernet:

https://en.m.wikipedia.org/wiki/Sneakernet



> innernet is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.

Is it typical for open source projects to register trademarks? If not, anyone know why Mr. Donenfeld decided to do so?


It is typical, if only to keep the trademark from being used by a completely unrelated bit of software. See https://www.mozilla.org/en-US/foundation/trademarks/policy/ or https://trademarks.justia.com/771/04/sqlite-77104711.html

It just gives teeth when someone uses them wrongly.


Hence Debian shipping the “Iceweasel” browser instead of “Firefox”. (I may have the history wrong here? In any case, someone forked Firefox and called it Iceweasel for trademark reasons.)


yeah debian was screwing with the builds as they frequently do on their repos, and mozilla lawyers pointed out that the trademark is only allowed for the unmodified software

evidently they worked things out since, as they're calling it firefox again



I don't know about typical, but it does happen when the owners of a project want the (legal) ability to prevent others from misusing the name to cause confusion. Firefox and Linux are both registered, for example.


Noticed listening port 32875. I still wonder why even the WG developer chose 51820. Well, I understand on their small containers shit never happens, but I thought they were aware of ip_local_port_range.


> innernet is similar in its goals to Slack's nebula or Tailscale,

That's great, but it doesn't tell me what innernet is or what problems it's going to solve for me. Terrible docs, no idea what this is supposed to do, and I won't waste my energy trying to figure it out if the author can't write a few sentences to describe the project.

Though, glad the author called out the registered trademarks!! That's really important.


If you knew what Tailscale or nebula was you’d know exactly what this did. If you were someone who had a problem that could be solved by this product, you’d already be familiar with those brands.

Besides, did you read the first two sentences?

> A private network system that uses WireGuard under the hood. See the announcement blog post for a longer-winded explanation.

Did you read the sentence after the one with brands?

> It aims to take advantage of existing networking concepts like CIDRs and the security properties of WireGuard to turn your computer's basic IP networking into more powerful ACL primitives.

Innernet creates a private overlay network using WireGuard. Unlike the brands it mentions which do the same thing, it uses CIDRs and WireGuard to implement ACL and permissions.
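Added illustration, not code from innernet or from any commenter: a small Python model of WireGuard's cryptokey routing, the mechanism behind the "you are your IP address" property that the CIDR-based ACLs above rely on. The config text, peer keys and CIDRs are constructed placeholders in wg(8) style.

```python
import ipaddress

# Constructed sample config (wg-quick style); keys are placeholders, not real keys.
SAMPLE_CONFIG = """
[Interface]
Address = 10.42.0.1/16
ListenPort = 51820

[Peer]
# hypothetical "engineering" laptop
PublicKey = ENG_KEY_PLACEHOLDER
AllowedIPs = 10.42.1.0/24

[Peer]
# hypothetical "straylight" server, also owning one address inside engineering
PublicKey = STRAY_KEY_PLACEHOLDER
AllowedIPs = 10.42.2.0/24, 10.42.1.200/32
"""

def parse_allowed_ips(text):
    """Build the cryptokey routing table: a list of (network, peer_key)."""
    table, key = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("["):                 # new section resets the peer
            key = None
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name == "PublicKey":
            key = value
        elif name == "AllowedIPs":
            for cidr in value.split(","):
                table.append((ipaddress.ip_network(cidr.strip()), key))
    return table

def route_to_peer(table, dst):
    """Outbound: longest-prefix match decides which peer key encrypts for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, key) for net, key in table if addr in net]
    return max(matches)[1] if matches else None

def accept_inbound(table, sender_key, inner_src):
    """Inbound: a decrypted packet is dropped unless its inner source IP maps
    back to the peer that sent it, so an IP cannot be spoofed by another peer."""
    return route_to_peer(table, inner_src) == sender_key

TABLE = parse_allowed_ips(SAMPLE_CONFIG)
```

The /32 entry shows why the ACL is per-address rather than per-subnet: 10.42.1.200 belongs to the straylight peer even though the rest of 10.42.1.0/24 belongs to engineering, and a packet claiming that source from the engineering key is rejected.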


The README is pretty clear about what the product is and what it does. The very first line also links to a blog post with more details. What exactly are you expecting?



