Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.
WireGuard configs are generated and deployed on all of the servers. Clients can then interact with local network resources as if on the same network as the server, and optionally chain additional servers to reach new networks. Access to the Wiretap network can also be shared with other clients.
A Wiretap Server is any machine where a Wiretap binary is running the serve command. Servers receive and relay network traffic on behalf of Wiretap Clients, acting like a VPN "exit node." A Wiretap Client is any machine running the WireGuard configurations necessary to send and receive network traffic through a Wiretap Server. It functions much like a client in a VPN connection. Clients are also able to reconfigure parts of the Wiretap network dynamically using the Wiretap binary.
Seems to work like Nebula, only without the certificates expiring every year.
Self-hosting the things you used to put on the cloud might be appealing for you. Problem is, you'd like to be able to access your devices from anywhere. The solution is a virtual private network, or VPN. If you work remotely, you almost certainly are familiar with the process of connecting to a VPN to access your organization's network assets. Individuals can set up the same.
There are plenty of commercial implementations of WireGuard. Probably the best-known (and best-regarded) is Tailscale. And Tailscale is indeed fantastic! But in the spirit of owning as much of our stack as possible, I'm going to show you how to implement a WireGuard-based network from scratch, without third-party tools.
An open source, self-hosted implementation of the Tailscale control server.
Tailscale is a modern VPN built on top of WireGuard. It works like an overlay network between the computers of your networks using NAT traversal. Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server. The control server works as an exchange point of WireGuard public keys for the nodes in the Tailscale network. It assigns the IP addresses of the clients, creates the boundaries between each user, enables sharing machines between users, and exposes the advertised routes of your nodes.
Headscale's goal is to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. It implements a narrow scope, a single Tailnet, suitable for personal use or a small open-source organisation. Please note that we do not support nor encourage the use of reverse proxies and containers to run Headscale.
Seems like I could replace Nebula with this. And worry much less about Nebula certs silently expiring and fucking things up.
Works with any WireGuard server (but if you use theirs you get some additional functionality). Supports MFA.
WireGuard road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora. This script will let you set up your own VPN server in no more than a minute, even if you haven't used WireGuard before. It has been designed to be as unobtrusive and universal as possible.