Can Netbird or Nebula perform at the edge? (like Tailscale)

fakebizprez · July 29, 2024, 05:50:03 PM

Does anyone have experience using Netbird, Nebula, or any of the other open source/free-to-self-host providers at the edge w/ OPNsense?

I looked at configurations in which Tailscale was setup at on the firewall with OPNsense for the purpose of SSH tunneling + assisting with load balancing as some sort of a psuedo-reverse proxy, but with an actual Reverse Proxy/Web Server (like NGINX or Traefik) sitting behind it.

Assuming, I'm not misunderstanding this and this is a legit configuration, could Netbird or Nebula perform the same function at the edge?

You may ask, "why not just use Tailscale?" and my answer is I don't believe the full version is free to self-host. I understand there is Headscale, but what I have read about it so far does not seem to be a simple solution for me, therefore not making it a viable solution.

Hobby-Student · August 25, 2024, 04:25:45 PM

just FYI: https://github.com/netbirdio/netbird/issues/2200

Patrick M. Hausen · August 25, 2024, 04:57:55 PM

What is the purpose of such a setup in the end? Getting a fixed IP address for your dynamic home uplink?

For self hosting you can always rent a VPC at e.g. Digitalocean or Vultr for around 5 €/$ per month, set up a WireGuard tunnel and be done with it. Linux or FreeBSD on the VPC - whatever you are most familiar with.

Hobby-Student · August 25, 2024, 08:56:41 PM

Quote from: Patrick M. Hausen on August 25, 2024, 04:57:55 PM
What is the purpose of such a setup in the end? Getting a fixed IP address for your dynamic home uplink?

For self hosting you can always rent a VPC at e.g. Digitalocean or Vultr for around 5 €/$ per month, set up a WireGuard tunnel and be done with it. Linux or FreeBSD on the VPC - whatever you are most familiar with.

I think fakebizprez is searching for a full feature self host alternative for tailscale and headscale is not what he wants.

The plugin I referenced is not the management server, it's just to connect OPNsense as a peer / router / exit node. One always needs a seperate server for the management host.

fakebizprez · August 26, 2024, 01:43:24 AM

Quote from: Hobby-Student on August 25, 2024, 04:25:45 PM
just FYI: https://github.com/netbirdio/netbird/issues/2200

Thank you for this, sir. I appreciate it, big time!

fakebizprez · August 26, 2024, 01:54:12 AM

Quote from: Patrick M. Hausen on August 25, 2024, 04:57:55 PM
What is the purpose of such a setup in the end? Getting a fixed IP address for your dynamic home uplink?

For self hosting you can always rent a VPC at e.g. Digitalocean or Vultr for around 5 €/$ per month, set up a WireGuard tunnel and be done with it. Linux or FreeBSD on the VPC - whatever you are most familiar with.

Hi Patrick, thank you for your response, I appreciate your time.

I apologize that my initial post lacked the content and clarity that it should have; as I learn more about networking, I am able to explain myself more descriptively.

What I should have asked is "does Netbird or Nebula have a feature like Tailscale Funnel?"
(https://tailscale.com/kb/1223/funnel) (https://tailscale.com/blog/introducing-tailscale-funnel).

What I have found out since the time of my post is that none of the Tailscale alternatives (Zero Tier, Netbird, Netmaker, Nebula, Twingate, Shieldoo, Cloudflared, or even Headscale have this feature. So, it looks like I will be paying monthly for Tailscale. I generally prefer to donate to open source projects, not pay for subscriptions, but this is an important feature to me.

Patrick M. Hausen · August 26, 2024, 09:36:13 AM

You can do exactly that with a single virtual server at any cloud provider, connect all your locations via e.g. WireGuard and have a self hosted self managed transparent solution. You will have to pay about a fiver per month for that virtual server.

I would never use any "VPN provider" because I care about my privacy.

fakebizprez · August 27, 2024, 09:25:19 PM

Quote from: Patrick M. Hausen on August 26, 2024, 09:36:13 AM
You can do exactly that with a single virtual server at any cloud provider, connect all your locations via e.g. WireGuard and have a self hosted self managed transparent solution. You will have to pay about a fiver per month for that virtual server.

I would never use any "VPN provider" because I care about my privacy.

This is very interesting and the first time I've heard of such a solution. I will explore further.

Thank you, Patrick.

Gauss23 · August 27, 2024, 10:56:21 PM

You should also consider using Netbird selfhosted on such a small vps as control server.
Netbird is a really nice product. It also adds Rosenpass over Wireguard to be post quantum encrypted.

I use Netbird as a MPLS replacement to connect multiple offices very seamlessly together.

There are some guys building a Netbird plugin for OPNsense: https://github.com/netbirdio/netbird/issues/2200

I really hope that this plugin finds it way to the OPNsense plugins like Tailscale.

fakebizprez · August 28, 2024, 01:44:08 AM

Quote from: Gauss23 on August 27, 2024, 10:56:21 PM
You should also consider using Netbird selfhosted on such a small vps as control server.
Netbird is a really nice product. It also adds Rosenpass over Wireguard to be post quantum encrypted.

I use Netbird as a MPLS replacement to connect multiple offices very seamlessly together.

There are some guys building a Netbird plugin for OPNsense: https://github.com/netbirdio/netbird/issues/2200

I really hope that this plugin finds it way to the OPNsense plugins like Tailscale.

One thing I'm confused about is why does the control server have to be a VPS at a data center? Why can't the control center be the PowerEdge R730 that is hosting OPNsense?

Gauss23 · August 28, 2024, 06:21:10 AM

It doesn't have to. You can host this control server at one of your sites on-prem. It needs some ports opened on the WAN side. Netbird is falling back to a hub connection (with the control sercver as the hub to relay connections) as soon as two sites are not able to talk to each other directly, which is the preferred way. Therefore it's a good idea to choose the location with the best internet connection in terms of bandwidth.

Patrick M. Hausen · August 28, 2024, 08:46:15 AM

In any self managed network you need at least one node with a static IP address.

Gauss23 · August 28, 2024, 09:40:54 AM

I can only speak for Netbird. In theory it should be possible to use some dyndns service to update the IP of the control server, but a static IP would also be my minimum requirement 8), otherwise yöu can suffer some short outages.

fakebizprez · September 05, 2024, 05:36:31 AM

Quote from: Patrick M. Hausen on August 28, 2024, 08:46:15 AM
In any self managed network you need at least one node with a static IP address.

I have 5 static IPs and 5GBe fiber

Patrick M. Hausen · September 05, 2024, 07:44:05 AM

Then why would you need tailscale? You can connect anything to your OPNsense from anywhere any time.

Can Netbird or Nebula perform at the edge? (like Tailscale)

fakebizprez

July 29, 2024, 05:50:03 PM

Hobby-Student

August 25, 2024, 04:25:45 PM #1

Patrick M. Hausen

August 25, 2024, 04:57:55 PM #2

Hobby-Student

August 25, 2024, 08:56:41 PM #3

fakebizprez

August 26, 2024, 01:43:24 AM #4

fakebizprez

August 26, 2024, 01:54:12 AM #5

Patrick M. Hausen

August 26, 2024, 09:36:13 AM #6

fakebizprez

August 27, 2024, 09:25:19 PM #7

Gauss23

August 27, 2024, 10:56:21 PM #8

fakebizprez

August 28, 2024, 01:44:08 AM #9

Gauss23

August 28, 2024, 06:21:10 AM #10

Patrick M. Hausen

August 28, 2024, 08:46:15 AM #11

Gauss23

August 28, 2024, 09:40:54 AM #12

fakebizprez

September 05, 2024, 05:36:31 AM #13

Patrick M. Hausen

September 05, 2024, 07:44:05 AM #14