There have been some very good and interesting YouTube episodes explaining mesh networks like Tailscale, ZeroTier, Nebula and, latest on Homelab, Headscale. Right now we are using OpenVPN, and it has always been very loyal to us and worked as it should. But I can’t turn my head away from the mesh family and have been very intrigued.
But which one to choose? In general, I love open source and would prefer a system based on that, not that I have anything against paying for a good product; sometimes you must go that way.
In my search I stumbled over Netmaker, which is open source and has a license-based version that adds some more options and support.
Does anyone have any experience with Netmaker?
I have heard of it but have not used it. They seem to have copied how Tailscale works, except I don’t see in their documentation how they are handling the private WireGuard key. The Tailscale documentation is very detailed on key handling and architecture.
Why change anything as long as everything is working as it is supposed to? OpenVPN is still great for RoadWarrior / RemoteAccess VPN scenarios and will not disappear just because there are newer alternatives. It is also still being actively developed and improved.
Overlay networks like Tailscale are especially useful when you are behind CGNAT and can’t forward any ports. (Of course there are other use cases.) However, in most scenarios you need an external control server for these solutions to work, and you are therefore dependent on external infrastructure and service providers, even if it is only a VPS to install e.g. Headscale on, which would be open source, btw.
I couldn’t agree more, bb77. I am actually very old-fashioned: “if it works, don’t fix it”. We are therefore also in no hurry at all. But I see a potential in using a mesh network internally as well. We have multiple servers that a developer group must access and another server another group must access. With the control a mesh is giving us with ACL control, we can open SSH for only developers and no one else. I have even thought about giving access to all internal critical servers only through the mesh network. These are just some thoughts I have been messing with, not sure if it is a good solution, but it will enhance the security.
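To show what the ACL idea in the post above looks like in practice, here is an added example policy (not the poster's own setup, nor any project's shipped configuration) in the Tailscale-style HuJSON policy format that Headscale also reads; the user identities, tag names and the choice of port 22 are assumed for illustration.

```json
{
  // Who belongs to each team (identities are constructed examples).
  "groups": {
    "group:developers": ["alice@example.com", "bob@example.com"],
    "group:ops":        ["carol@example.com"]
  },

  // Which group is allowed to attach each tag to a node it brings into the mesh,
  // so a developer cannot simply tag a laptop as a server to widen access.
  "tagOwners": {
    "tag:dev-servers":  ["group:ops"],
    "tag:core-servers": ["group:ops"]
  },

  // Once a policy is loaded, anything not explicitly accepted here is denied.
  "acls": [
    // Developers reach only SSH on the dev servers and nothing else.
    {
      "action": "accept",
      "src":    ["group:developers"],
      "dst":    ["tag:dev-servers:22"]
    },

    // Ops may reach SSH on both the dev and the core servers.
    {
      "action": "accept",
      "src":    ["group:ops"],
      "dst":    ["tag:dev-servers:22", "tag:core-servers:22"]
    }
  ]
}
```

Because the policy is default-deny, the `acls` list is the complete inventory of what is reachable over the mesh; it complements, rather than replaces, key-based authentication and host firewalling on the servers themselves.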