Open wallpunch opened 1 month ago
You have the fundamentals of it with Tailscale. Maybe you can add some basic obfuscation on top of its WireGuard (such as: add some noise UDP packets that will be dropped by the server anyway), but I think the NAT traversal itself will always stand out as an extremely suspicious characteristic.
It's why I'm simply using Yggdrasil (E2E) mentioned in #105 from anywhere back to the home server. It's now even working on iOS, although in TestFlight only.
> You have the fundamentals of it with Tailscale. Maybe you can add some basic obfuscation on top of its WireGuard (such as: add some noise UDP packets that will be dropped by the server anyway), but I think the NAT traversal itself will always stand out as an extremely suspicious characteristic.
Nice, I didn't know Tailscale supported using phones as exit servers.
Aren't there some common, innocuous NAT traversal use cases like VoIP? Or have governments started blocking those connections as well?
> It's why I'm simply using Yggdrasil (E2E) mentioned in #105 from anywhere back to the home server. It's now even working on iOS, although in TestFlight only.
It's an interesting project but, as they state, that really isn't their intended use case at all. I'm thinking something a non-technical user could get a VPN server up and running with minimal hassle.
> I'm thinking something a non-technical user could get a VPN server up and running with minimal hassle.
Someone should tell you that running a VPN server on a mobile device is not a good idea due to several challenges:
And ultimately, if you really want to run such thing up, you still need a stack with NAT-free like Yggdrasil as I mentioned which gives you most of the hands to wrap into an "App" you wished.
> - Limited resources
These days many people self-host on cheap cloud servers with quite limited resources.
> - Security risks
An app running in the iOS sandbox is going to be more secure than a Linux server running as root.
> These days many people self-host on cheap cloud servers with quite limited resources.
Again, it's why Yggdrasil is so useful from my personal experience. I ran Oracle Cloud free tier for years already with several IPv4 changes, but the IPv6 offered by Yggdrasil never changed at my WireGuard client-ends because the address is derived from the public key and the private key is held by myself. For devices under a mobile network, the situation can be more challenging than cloud services, so to speak.
One more thing: App stores like Apple's can be quite strict about VPN applications, especially anything that turns a user device into a VPN server. Security concerns, including the potential for misuse or exploitation, tend to lead to rejections for apps offering this functionality. I should have mentioned this earlier as I'm so familiar with this scrutiny in my first account.
> Imagine an app that users can install from App/Play Store onto any phone or computer, then use that device as a VPN server without needing to jailbreak, root etc.
> Has this been tried before? (The closest I know of is Snowflake) Would it be helpful for getting around censorship? Are there other big issues I'm missing?
I reached similar conclusions on current state of deploy-ability as shown here -> https://github.com/net4people/bbs/issues/363#issuecomment-2276344849
> One big issue is NAT, since devices behind a symmetrical NAT could not work as a VPN server.
My implementation:
> Has this been tried before?
Many free VPNs do exactly that: they provide the user with censorship circumvention and in turn sell third-parties the access via their internet connection.
> Has this been tried before?
> Many free VPNs do exactly that: they provide the user with censorship circumvention and in turn sell third-parties the access via their internet connection.
Effectively reselling / Effective use of internet bandwidth by adding value through censorship circumvention.
Imagine an app that users can install from App/Play Store onto any phone or computer, then use that device as a VPN server without needing to jailbreak, root etc.
I think it would reduce the barrier to self-hosting a lot and also get around data center IP blocks.
One big issue is NAT, since devices behind a symmetrical NAT could not work as a VPN server.
Also I think it's impossible to let the app run in the background on phones, only foreground, so that may be too inconvenient.
Has this been tried before? (The closest I know of is Snowflake) Would it be helpful for getting around censorship? Are there other big issues I'm missing?
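The symmetric NAT issue raised in the post above, modelled as an added example that is not part of the original thread: a toy simulation of rendezvous-based UDP hole punching toward a device acting as VPN server. It assumes the client sits behind a port-restricted cone NAT and that no relay is used; the `Nat` class, `hole_punch` function and all addresses and ports are constructed for illustration.

```python
"""Toy NAT model for UDP hole punching (constructed addresses, no real network I/O)."""
from itertools import count

class Nat:
    def __init__(self, public_ip, symmetric):
        self.public_ip = public_ip
        self.symmetric = symmetric   # True: a new mapping per destination
        self._ports = count(40000)   # next external port to allocate
        self.by_key = {}             # mapping key -> external port
        self.by_port = {}            # external port -> (internal endpoint, allowed remotes)

    def outbound(self, internal, remote):
        """Translate an outgoing packet; return the (ip, port) the remote sees."""
        key = (internal, remote) if self.symmetric else internal
        if key not in self.by_key:
            port = next(self._ports)
            self.by_key[key] = port
            self.by_port[port] = (internal, set())
        port = self.by_key[key]
        self.by_port[port][1].add(remote)  # port-restricted filter: contacted remotes only
        return (self.public_ip, port)

    def inbound(self, remote, ext_port):
        """Return the internal endpoint the packet reaches, or None if dropped."""
        entry = self.by_port.get(ext_port)
        if entry is None or remote not in entry[1]:
            return None
        return entry[0]

def hole_punch(device_symmetric):
    dev_nat = Nat("203.0.113.7", device_symmetric)
    cli_nat = Nat("192.0.2.50", symmetric=False)  # assumption: client behind a cone NAT
    device, client = ("10.0.0.2", 51820), ("192.168.1.9", 40123)
    rendezvous = ("198.51.100.1", 3478)
    # 1. Both sides register; the rendezvous server records what it observes.
    dev_adv = dev_nat.outbound(device, rendezvous)
    cli_adv = cli_nat.outbound(client, rendezvous)
    # 2. Each side sends toward the other's advertised endpoint.
    dev_src = dev_nat.outbound(device, cli_adv)   # actual source of the device's packets
    cli_src = cli_nat.outbound(client, dev_adv)
    # 3. A tunnel can form only if each NAT accepts the other side's packets.
    to_device = dev_nat.inbound(cli_src, dev_adv[1]) == device
    to_client = cli_nat.inbound(dev_src, cli_adv[1]) == client
    return to_device and to_client

if __name__ == "__main__":
    print("cone NAT device reachable:", hole_punch(device_symmetric=False))
    print("symmetric NAT device reachable:", hole_punch(device_symmetric=True))
```

With a symmetric NAT the port advertised through the rendezvous server is valid only for the rendezvous server itself, so both directions are dropped; in this model the device would need a relay or a directly reachable peer.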