Rendered at 20:24:35 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
linsomniac 19 hours ago [-]
I adore Nebula and half wish I had chosen it instead of Tailscale+Headscale, the one thing about headscale that I really like is how easy it is for users to just grab the client and then login using their gmail account and they're on the network. The biggest downside I've found to tailscale is their "network shenanigans" with firewall rules and route tables on Linux. In my testing 3-5 years ago, Nebula worked great in my test environment.
I'm tempted to add Nebula support to WeEncrypt for automated handing out of the certs using a LetsEncrypt-style short lived certs. I could even imagine a fairly easy to build workstation client that would require end-users to login to get their refreshed certs once they expire, like we do with Tailscale+Headscale.
> I adore Nebula and half wish I had chosen it instead of Tailscale+Headscale...
Could I ask you to expand on that a little? Besides Tailscale's "network shenanigans" with firewalls and routing tables, what else do you find that Nebula does better than Tailscale? Why would you recommend Nebula instead of Tailscale to someone who hasn't used either one before; what's Nebula's big "win" over Tailscale? (Assuming that this person's usage would fit within Tailscale's free tier so price isn't a consideration, because obviously free is nicer than $$$/month if your usage is large enough to be outside free-tier limits).
baq 13 hours ago [-]
Not OP - my two issues with tailscale today:
- breaks wsl mirrored network to the point a reboot is needed (not sure how much of this is on windows, though)
- break dns randomly on an Debian system to the point I have a watchdog timer systemd unit to restart tailscaled
(preface: I'm talking about personal/homelab experience and usage)
I know this is not going to be popular, however: I still use plain and simple OpenVPN and frankly i've been very happy. It can do both ipv4 and ipv6 and with some more work also layer-2 bridging.
Yeah performance is lower in theory but frankly that has never been the issue for me.
I'm pretty much always bottlenecked by bandwidth rather than cpu time.
tarasglek 16 hours ago [-]
So I understand how you could onboard hosts on a static network using reverse DNS, but I do not understand how you would unboard a portable laptop onto Nebula using reverse DNS
linsomniac 15 hours ago [-]
Agreed, a roaming laptop would need to have a secured ethernet/wifi connection. I'm using it for servers, about half of them we respin nightly.
ghthor 18 hours ago [-]
I believe you can disable this and it isn’t really required for TS to work
c0balt 11 hours ago [-]
The IPv6 for the overlay is neat. I won't use it probably (as my number of hosts is <100) but I would prefer better support for dualstack underlay.
unethical_ban 16 hours ago [-]
Neat, I just finished getting acquainted with some IPv6 internals. Other than the long names and lack of DNS integration, it's really a great thing.
I've been meaning to mess with tailscale or similar, perhaps I'll take a look at this.
denkmoon 16 hours ago [-]
What do you mean by lack of DNS integration?
11 hours ago [-]
simoncion 16 hours ago [-]
> Other than ... lack of DNS integration...
I'm confused. What do you mean by this? Does dnsmasq not put the names of DHCPv6 clients into its hostname database? If ISC DHCPd is commanded to update DNS, does it only update for DHCP clients and not DHCPv6 clients?
yosamino 12 hours ago [-]
They probably mean that when using SLAAC - I guess the easiest way to get ipv6 connectivity - there is no equivalent to the way you can update DNS the way it would work with DHCPv4 or DHCPv6.
You pointed out one way - justuse DHCPv6, but that looses some of nice SLAAC properties.
A different way is to run mdns and let the devices announce their own hostnames.local.
Different tradeoffs, but in practice not too difficult to get to work.
I guess one could even do both...
yjftsjthsd-h 5 hours ago [-]
> You pointed out one way - justuse DHCPv6, but that looses some of nice SLAAC properties.
Android refuses to implement DHCPv6. So (if you have any Android devices in play) at best you can use DHCPv6 for some of your devices while still needing to also have SLAAC. And yes, mDNS might work, but that's another service (or two, right? One to resolve other devices, another to advertise this device) to run on every device, and you'd better hope that every device can run the needed services. Which... actually brings us back to Android; AFAICT, Android can resolve mDNS but doesn't show up itself. As someone who can and does SSH to my phone (termux), this is kind of a sticking point.
simoncion 11 hours ago [-]
> They probably mean that when using SLAAC...
If that's the case, then you've got to think of SLAAC as operating exactly like IPv4 address autoconfiguration (sometimes called "IPv4LL")... except that you usually get globally-routable IP addresses out of it.
If you want the management niceties that you often get when using DHCP, then you have to use DHCP.
Some very loud purists might say "SLAAC is the only way to use IPv6!". I completely ignore the convenience of LAN-side prefix delegation and say two things:
1) "Good luck with telling your IPv6 clients about things like your preferred NTP server."
2) "For ages, Router Advertisements have had entirely independent 'autoconfigure your addresses', 'use stateful configuration for your "other" configuration' [0], and 'use stateful configuration for your addresses' bits. It's legal to have any number of them enabled. This is a deliberate choice by the folks defining IPv6."
In general, the folks who scream about how IPv6 NAT and DHCPv6 should not exist and should never be used should be ignored... at least about that topic.
[0] Things like NTP and DNS that other good stuff that DHCP can be used to tell hosts about.
labcomputer 5 hours ago [-]
> Things like NTP and DNS that other good stuff that DHCP can be used to tell hosts about.
Look up RFC 6106 (published 15 years ago). Router advertisements have carried DNS resolver info for a long time now.
Once again, the old adage “IPv6 haters don’t understand IPv6” applies.
As much as I would like hosts to use the local NTP server, most will ignore the NTP server you specify in DHCP anyway, so it’s kind of a moot point.
Edit: RFC 6016 actually supersedes RFC 5006 from 2007. That’s nearly two full decades we have had DNS info in RAs. That’s the year Itanium2 came out (any greybeards here old enough to remember that one?)
unethical_ban 6 hours ago [-]
I mostly meant that DHCPv6 was an afterthought, and was complaining about the length of IPv6 addresses when they are truly random/EUI64. As a network guy who has had to write down or quickly type IP addresses down for troubleshooting thousands of times, v4 is much easier for humans to work with than a full v6.
(Oh and Android doesn't support DHCPv6 at all, but that doesn't matter much for server environments/DNS reachability).
In hindsight of EUI64 being shunned in favor of privacy addresses, plus how much of the IPv6 space is reserved for future use, I wonder if IPv6 could have achieved all of its goals with a 64 or 80 bit address instead of 128.
I'm tempted to add Nebula support to WeEncrypt for automated handing out of the certs using a LetsEncrypt-style short lived certs. I could even imagine a fairly easy to build workstation client that would require end-users to login to get their refreshed certs once they expire, like we do with Tailscale+Headscale.
That would dove-tail nicely with the existing TLS and SSH signed host keys support. https://github.com/linsomniac/weencrypt
Could I ask you to expand on that a little? Besides Tailscale's "network shenanigans" with firewalls and routing tables, what else do you find that Nebula does better than Tailscale? Why would you recommend Nebula instead of Tailscale to someone who hasn't used either one before; what's Nebula's big "win" over Tailscale? (Assuming that this person's usage would fit within Tailscale's free tier so price isn't a consideration, because obviously free is nicer than $$$/month if your usage is large enough to be outside free-tier limits).
- breaks wsl mirrored network to the point a reboot is needed (not sure how much of this is on windows, though)
- break dns randomly on an Debian system to the point I have a watchdog timer systemd unit to restart tailscaled
I know this is not going to be popular, however: I still use plain and simple OpenVPN and frankly i've been very happy. It can do both ipv4 and ipv6 and with some more work also layer-2 bridging.
Yeah performance is lower in theory but frankly that has never been the issue for me.
I'm pretty much always bottlenecked by bandwidth rather than cpu time.
I've been meaning to mess with tailscale or similar, perhaps I'll take a look at this.
I'm confused. What do you mean by this? Does dnsmasq not put the names of DHCPv6 clients into its hostname database? If ISC DHCPd is commanded to update DNS, does it only update for DHCP clients and not DHCPv6 clients?
You pointed out one way - justuse DHCPv6, but that looses some of nice SLAAC properties.
A different way is to run mdns and let the devices announce their own hostnames.local.
Different tradeoffs, but in practice not too difficult to get to work.
I guess one could even do both...
Android refuses to implement DHCPv6. So (if you have any Android devices in play) at best you can use DHCPv6 for some of your devices while still needing to also have SLAAC. And yes, mDNS might work, but that's another service (or two, right? One to resolve other devices, another to advertise this device) to run on every device, and you'd better hope that every device can run the needed services. Which... actually brings us back to Android; AFAICT, Android can resolve mDNS but doesn't show up itself. As someone who can and does SSH to my phone (termux), this is kind of a sticking point.
If that's the case, then you've got to think of SLAAC as operating exactly like IPv4 address autoconfiguration (sometimes called "IPv4LL")... except that you usually get globally-routable IP addresses out of it.
If you want the management niceties that you often get when using DHCP, then you have to use DHCP.
Some very loud purists might say "SLAAC is the only way to use IPv6!". I completely ignore the convenience of LAN-side prefix delegation and say two things:
1) "Good luck with telling your IPv6 clients about things like your preferred NTP server."
2) "For ages, Router Advertisements have had entirely independent 'autoconfigure your addresses', 'use stateful configuration for your "other" configuration' [0], and 'use stateful configuration for your addresses' bits. It's legal to have any number of them enabled. This is a deliberate choice by the folks defining IPv6."
In general, the folks who scream about how IPv6 NAT and DHCPv6 should not exist and should never be used should be ignored... at least about that topic.
[0] Things like NTP and DNS that other good stuff that DHCP can be used to tell hosts about.
Look up RFC 6106 (published 15 years ago). Router advertisements have carried DNS resolver info for a long time now.
Once again, the old adage “IPv6 haters don’t understand IPv6” applies.
As much as I would like hosts to use the local NTP server, most will ignore the NTP server you specify in DHCP anyway, so it’s kind of a moot point.
Edit: RFC 6016 actually supersedes RFC 5006 from 2007. That’s nearly two full decades we have had DNS info in RAs. That’s the year Itanium2 came out (any greybeards here old enough to remember that one?)
(Oh and Android doesn't support DHCPv6 at all, but that doesn't matter much for server environments/DNS reachability).
In hindsight of EUI64 being shunned in favor of privacy addresses, plus how much of the IPv6 space is reserved for future use, I wonder if IPv6 could have achieved all of its goals with a 64 or 80 bit address instead of 128.