Comment by int0x29 - Hacker Neue

int0x29 Oct 29, 2025 parent

Wireguard can't punch through NATs or firewalls without third party software like Tailscale. Also I'm pretty sure each peer to peer connection needs to be individually set up in a config file ahead of time

HowardStark Oct 29, 2025

Nebula[0] addresses this and is IMO an improvement over WireGuard. Came out of Slack originally, and it supports peer discovery, NAT hole punching, and some other cool features. Also still uses the Noise Protocol.

In practice, the extra networking features + better first class peer config management baked in is very nice (Nebula’s “lighthouses” are configured with a tool similar to DSNet for Wireguard[1])

[0] https://github.com/slackhq/nebula [1] https://github.com/naggie/dsnet

sneak Oct 30, 2025

I use Nebula but the relay config is somewhat clunky and the macOS port is pretty buggy.

greenavocado Oct 30, 2025

What's the story with removing uncooperative endpoints from Nebula?

halJordan Oct 29, 2025

So now we're back "tailscale but with different steps"

justahuman74 Oct 30, 2025

tailscale appears to be a paid product with a free tier, nebula (while DIY) is free

dvtkrlbs Oct 30, 2025

there is an open source control plane called headscale which covers almost all of the features for free (while DIY)

embedding-shape Oct 30, 2025

People keep saying that, but haven't we learned already that eventually Tailscale gets bought, then priorities change, then they make incompatible changes because they're need to grow, and headscale either can't keep up, or gets pushed away by Tailscale themselves, and we're back to using $TailscaleCompetitor who promises to not do the same thing.

Just don't rely on centralized for-profit entities, rely on stuff produced by non-profits and foundations, that you know isn't gonna screw you over as soon as they need money.

5 More Comments →

vidarh Oct 29, 2025

It punches through my NAT just fine without third party software.

It's not as simple to make it reliable as it is with Tailscale, but it works

It doesn't universally work without a helper script and a STUN server, though - you need a suitably "friendly" NAT that has reasonably predictable behaviour with respect to port mapping and/or just one side of each pair behind a NAT.

conradev Oct 29, 2025

Folks have solved these problems and open sourced solutions: https://github.com/tonarino/innernet

But all that I've seen are still centralized/federated

bschwindHN Oct 30, 2025

(I help maintain innernet)

We have _some_ NAT traversal logic in place, but it's very basic. Tailscale does a much more thorough job on it. It would be cool to add peer relays to innernet but I imagine it's a fair amount of work.

From what I recall, tailscale has their own Wireguard implementation so they have more control over the socket and how things are routed. innernet is just a wrapper around managing wireguard peer lists, and yeah there's a central coordination server which is unfortunate. If the server goes down, you can still connect to peers so thankfully it doesn't bring down your whole network, but you won't be able to learn about new peers or peer endpoints over time until you re-establish connectivity with the coordination server.

throwwgisgreat Oct 30, 2025

> Wireguard can't punch through NATs or firewalls without third party software like Tailscale.

That's a false or incorrect statement, I've been using Wireguard and a cheap VPS (actually free on OCI) for several years, and with a cheap VPS at AWS Lightsail before that. No third party software in use at all. The only thing running on the VPS is Wireguard. The only thing running on my peers is Wireguard.

> Also I'm pretty sure each peer to peer connection needs to be individually set up in a config file ahead of time

That's how I do it but there are tools available to make it easy.

givinguflac Oct 30, 2025

My netgear pr460x supports WireGuard with NAT & firewall; granted it’s not a consumer router.

akerl_ Oct 29, 2025

Neither can tinc.

yardstick Oct 29, 2025

Last I checked, tinc supported NAT port punching natively.

akerl_ Oct 29, 2025

As far as I’m aware, that works the same as things like tailscale is doing, where you need at least one node that is publicly reachable to facilitate.

yardstick Oct 29, 2025

Correct. This is not something Wireguard does, which was the original comparison.

tinc: One public node, thousands of private nodes, with NAT punching. That's fine and typical in my experience.

Dylan16807 Oct 29, 2025

Which is a much smaller requirement than needing extra software on every NATed node.

So yes it is a differentiated thing between wireguard and tinc, as you phrased it in your other comment.

blueflow Oct 29, 2025

... because its an problem with NAT and not with the protocol.

akerl_ Oct 29, 2025

Yes. I’m replying to a comment thread debating WireGuard vs tinc where someone said that WireGuard couldn’t, as if it was a differentiated thing between them.

qwertox Oct 29, 2025

A $2.5/month vps solves this issue.

1vuio0pswjnm7 Oct 30, 2025

Yes. Only use it as rendezvous server for publishing port numbers and establishing direct connections. Do not use for passing traffic

sneak Oct 30, 2025

It does not. I push hundreds of TB across my private mesh.

gajgajendra Oct 30, 2025

When networks get used for unethical or criminal workloads, reliability problems aren’t the tooling's fault. A tiny VPS does the job fine for the rest of us.

sneak Oct 30, 2025

What are you talking about? Nothing I am pushing across my mesh is unethical or criminal, from whence these baseless accusations?

gottorf Oct 30, 2025

I assume the GP assumed that it was pirated media material.

Hundreds of TB over what timeframe? It does seem like quite a bit of data.

This item has no comments currently.

Preferences

Keyboard Shortcuts

Story Lists

Navigation

Miscellaneous