We're looking into contributing the following feature:
Currently the API endpoint to bootstrap the VPN is on the public Internet. WireGuard has the huge advantage that it's invisible until you know the key. With NetBird we're losing that.
Let's Encrypt is easily tricked into breaking TLS for any MITM, so we use mTLS or pinning for security-related things. https://notes.valdikss.org.ru/jabber.ru-mitm/
Ideally we'd have the ability to hide the entire API behind WireGuard itself, which avoids a whole category of issues. But it would involve a two-stage login where some services (like login) need to be available to a user before OAuth.
There are some solutions we can come up with if there's a general willingness to accept a PR for it.
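As an added illustration of the "pinning" option mentioned in the post (example code written for this page, not NetBird's code and not the poster's), the Go program below pins a client to the SPKI SHA-256 hash of the management server's public key instead of trusting whatever certificate a public CA issued for the name. `InsecureSkipVerify` turns off chain validation against the system roots, and `VerifyPeerCertificate` then accepts the connection only if the leaf's pin matches. The server, its key and the "rogue" second key are all constructed in-process on loopback for the demonstration; the names `spkiPin`, `pinnedClient`, `selfSignedCert`, `dialPinned` and `Demo` are this example's own and assume nothing about the project.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (HPKP-style pin).
func spkiPin(leaf *x509.Certificate) string {
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient accepts a server only if its leaf certificate matches one of the pins; a
// CA-issued certificate for the right name but the wrong key (the MITM case) is rejected.
func pinnedClient(pins []string) *http.Client {
	tlsCfg := &tls.Config{
		InsecureSkipVerify: true, // chain validation is replaced by the pin check below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("no peer certificate presented")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			got := spkiPin(leaf)
			for _, want := range pins {
				if got == want {
					return nil
				}
			}
			return fmt.Errorf("certificate pin mismatch: got %s", got)
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
}

// selfSignedCert makes a throwaway Ed25519 certificate (constructed test material, not a deployment cert).
func selfSignedCert() (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// dialPinned serves "/" over TLS on loopback with cert and fetches it through a pinned client.
func dialPinned(pins []string, cert tls.Certificate) (string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "management api")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	resp, err := pinnedClient(pins).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo reports whether the pinned server is accepted and whether a server with another key is rejected.
func Demo() (accepted, rejected bool, err error) {
	var certs [2]tls.Certificate // [0] is the real server key, [1] the key a MITM would present
	for i := range certs {
		if certs[i], err = selfSignedCert(); err != nil {
			return false, false, err
		}
	}
	leaf, _ := x509.ParseCertificate(certs[0].Certificate[0])
	pins := []string{spkiPin(leaf)}
	body, err := dialPinned(pins, certs[0])
	accepted = err == nil && body == "management api"
	_, err = dialPinned(pins, certs[1])
	return accepted, err != nil, nil
}

func main() {
	fmt.Println(Demo())
}
```

The pin list is a slice so that a backup pin for the next key can be shipped ahead of rotation; pinning a single key with no backup is the classic way to lock clients out when the server key is replaced.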