Identity management for WireGuard
Since its inclusion in the Linux kernel, the WireGuard VPN tunnel has become increasingly popular. In general, WireGuard is simpler to configure than other VPNs, but the approach that it takes to authentication can present some challenges. Each node in a WireGuard network has a cryptographic key that serves as the node's identity; nodes that do not know each other's keys cannot directly communicate. Keeping track of these keys and distributing them to the other nodes in a mesh network quickly becomes a chore as the network grows. Fortunately, there are now several open-source tools that can automate the management of these keys and make using WireGuard easier for both administrators and end users.
Key management can be particularly challenging for non-technical end users, who are used to logging into services with a username and password. Thus, the main feature that all of these tools have in common is that they allow a user to log into a WireGuard network using a username and password (and possibly a second factor, such as a one-time password). This is usually accomplished by integrating with an identity provider that implements the OpenID Connect (OIDC) standard. OIDC is built on top of the OAuth 2.0 protocol and can be used to implement the ubiquitous "Sign in with Some Big Company" functionality seen on many web sites.
Some of the software discussed in this article requires an OIDC provider; there are several open-source options for people who aren't already running their own and don't want to farm the task out to some big company. Keycloak is one of the most mature and popular choices and Authelia is an up-and-coming alternative.
Tailscale
Tailscale is a commercial service that provides managed WireGuard networks. When a network administrator creates a new network on Tailscale, they must choose an identity provider; they can choose to have their users sign in with Google, GitHub, Microsoft, or any other provider that supports OIDC. The approach of connecting key management for WireGuard to an identity provider was pioneered by Tailscale, and likely served as inspiration for the other projects covered in this article.
To connect to a Tailscale network, a user must install Tailscale's client software. The client talks to Tailscale's API and manages WireGuard interfaces on a user's device. When a user connects to a Tailscale network, the client generates a WireGuard key pair, and then submits the public key to Tailscale's API. The user is then directed to Tailscale's web site, which sends them to a login page for the identity provider chosen for the network. After a user is logged in (and after their device is approved, depending on how the administrator has configured the network), their public key is made available to be retrieved by the Tailscale clients running on the other nodes. The other clients add the new key to their WireGuard configurations, allowing them to communicate with the new node.
The Tailscale client is available for Linux, macOS, and Windows, as well as iOS and Android. The source of the command-line version of the Tailscale client (which is written in Go) is released under the 3-clause BSD license, as is the Android client. Unfortunately, the server software is proprietary. That's where Headscale comes in.
Headscale
Headscale is an independent implementation of Tailscale's server-side API; like the Tailscale client, it is written in Go. Tailscale's command-line interface (CLI) client has a --login-server flag that allows users to override the URL to the Tailscale API, which can be used to connect the client to Headscale. Despite Headscale's unofficial status, Tailscale seems to be fully supportive of its efforts; Tailscale has coordinated with Headscale's creator on API changes and hired one of Headscale's maintainers. On Android, changing the API URL was originally accomplished by recompiling the client, but a pull request that adds a hidden menu to Tailscale's official builds of the client was recently merged. Tailscale's Windows and macOS clients can also be used with Headscale, but support for changing the API URL in the iOS client is currently incomplete.
The list of Tailscale features that Headscale doesn't support is surprisingly short. Headscale does not yet support Tailscale's SSH key-management feature. Other than that, users of Headscale can enjoy most of Tailscale's features, including network-level access-control lists (ACLs), DNS for the VPN, and use Tailscale's NAT-traversal mechanism.
Headscale doesn't include a web-based administrative interface (although a third-party interface is available); it is configured using a YAML file. Headscale can be used with an OIDC provider, but it also supports using an internal database of usernames and passwords; this could be convenient for small setups or home labs that don't already have an identity provider set up. Unlike Tailscale's backend, the Headscale server doesn't support multi-tenancy; each instance of Headscale can only play host to a single network.
Though it has close ties to the Tailscale proprietary service, Headscale does enable creating a completely self-hosted WireGuard VPN using only open-source software. The project's friendly relationship with Tailscale bodes well for Headscale's continued usefulness. Unless Tailscale's management has a sudden change of heart, it is unlikely that Tailscale will make changes to its clients that make them incompatible with Headscale, at least without coordinating with the project.
NetBird
NetBird is another commercial service that provides managed WireGuard networks. The architecture of NetBird is similar to that of Tailscale. A client application (the NetBird agent) generates keys for a node and submits the public key to a management service. The user is directed to an identity provider to log in; after the user is logged in and their device is authenticated, their public key is distributed to the other clients in the network, which add the key to their WireGuard configurations. NetBird doesn't seem to have a built-in user database, and requires the use of an OIDC provider; people that don't already have one running will have to install and configure one before trying it.
Unlike Tailscale, NetBird is fully open-source; the sources to both the client and the server-side components are BSD-licensed and available on GitHub, although one needs to agree to a Contributor License Agreement (CLA) before contributing. Agreeing to the CLA grants NetBird the right to relicense contributions in any way that it might choose; it also contains some additional language about patent rights. There are also instructions for hosting your own NetBird server.
The NetBird server consists of the management API service and a signaling server to help clients find each other. A dashboard is also included; unlike Headscale, the same web interface is available to both users of the NetBird service and those who are self-hosting NetBird. Beyond that, NetBird also needs a 3rd-party STUN/TURN server to assist with NAT traversal. Instead of inventing a new protocol like Tailscale did, NetBird's NAT-traversal functionality is based on the WebRTC standard.
NetBird offers many features similar to those offered by Tailscale. Like Tailscale, NetBird supports network-level ACLs, and it also has an SSH key-management feature. NetBird doesn't currently have all of the DNS functionality that Tailscale does, and its client is currently only available for desktop platforms. Mobile clients and private DNS for the VPN are both listed as "coming soon" in the project's README, though.
It's not quite at parity with all of Tailscale's features, but NetBird largely replicates the core functionality of Tailscale's product, without any proprietary software. It has yet to achieve the same level of popularity as Tailscale or to build the kind of community that Headscale has, though; its core contributors are all NetBird employees. Compared to Tailscale, more of NetBird's software is open source, but the fate of that software is likely to be tied to that of NetBird's business endeavors.
Firezone
Firezone is a another company that aims to provide managed WireGuard networks, although its hosted offering doesn't appear to have actually launched yet; the pricing page is scant on details and the documentation features a "Join the Beta" link at the top of the page.
Firezone is written in Elixir. Its source code is available now under an Apache 2.0 license; contributions do not appear to require a CLA. Instructions for self-hosting Firezone are provided in the documentation. Like Headscale, Firezone can authenticate users using an OIDC provider or a built-in user database.
Firezone does not (yet?) provide any sort of client software. Instead, users generate WireGuard keys for themselves, and then upload them to Firezone's web interface. Users can then download a configuration for the standard WireGuard client from the web interface. Firezone allows filtering traffic between nodes but doesn't include any additional features like DNS or SSH key-management. No NAT-traversal methods are mentioned in the documentation; without assistance from NAT traversal, WireGuard nodes that are behind NAT may have trouble connecting to the VPN depending on the network configuration.
It's hard to tell if Firezone is intentionally minimal, or if it's still just early in its development; there is no public roadmap that I could find. The project's commit history starts a little over a year ago, and the vast majority of the commits are attributed to the company's founder. In its current state, it could be appealing to someone who is already comfortable managing their own WireGuard networks and is just looking for integration with an OIDC provider.
Netmaker
Netmaker is yet another provider of managed WireGuard networks. Like Tailscale, Headscale, and NetBird, Netmaker's software is written in Go. The source is available under the Server Side Public License (SSPL). Instructions for self-hosting Netmaker are available, but the license implies that the creators of Netmaker would prefer that you not attempt to make a business of it.
The SSPL is similar to the GNU Affero GPL license in that it requires source code to be made available to any user who interacts with a service over the network, but contains additional language that requires the source of any components that are used to manage the service to be released under the SSPL as well. The SSPL is designed to protect the business interests of companies that release software under it. The additional restrictions that it imposes make it legally unpalatable for other companies to offer the software as a service; according to the Open Source Initiative, it is not an open-source license. Like NetBird, Netmaker also requires contributors to agree to a CLA, which grants patent rights and allows Netmaker to relicense the contribution.
Based on the release notes for the earliest versions of Netmaker, it doesn't look like the authors set out with the intention of building a competitor to Tailscale. Instead, it was originally built for use with Kubernetes, and this use case is still supported. Netmaker uses WireGuard to enable building Kubernetes clusters that span multiple data centers and to securely connect clusters to external services and clients.
More recent versions of Netmaker have become more like Tailscale. Originally, Netmaker's client software authenticated to the API using a pre-shared key; this makes sense for automatically-deployed virtual machines and cloud instances but isn't suitable for end users. Netmaker still supports this method of authentication, but more recent versions also support logging in with a username and password, using either a built-in user database or via an OIDC provider. Netmaker also supports access-control lists; earlier versions included a DNS server, but more recent versions have switched to adding VPN hostnames to /etc/hosts instead. Like Firezone, no NAT-traversal methods are mentioned in the documentation.
Netmaker appears to have attracted more community contributions than NetBird or Firezone, but its development is still primarily employee-driven. Its origin in the world of Kubernetes is still readily apparent; prospective users can choose from multiple deployment options and the advanced server installation guide presents a vast array of ways in which an installation of Netmaker can be customized. Netmaker's client software runs on Linux, macOS, and Windows, as well as FreeBSD, but it only offers a command-line interface at the moment. Networking experts and people who are already running their own Kubernetes clusters will likely be happy and comfortable with Netmaker, but people looking for a VPN that is easy for non-technical users might want to look elsewhere.
Conclusion
For someone who wants to build a self-hosted WireGuard VPN for possibly non-technical end users, Headscale (in combination with Tailscale's client software) is the most complete solution, and the only solution if being able to connect mobile phones to the network is a requirement. If relying on Tailscale's clients is a non-starter, NetBird provides a similar experience to users, but NetBird doesn't have mobile clients yet. Firezone looks to be off to a promising start, but it still has a lot of catching up to do relative to Headscale and NetBird; its complete lack of client software still puts a lot of the work of managing WireGuard configurations on the user. Meanwhile, Netmaker's end-user experience is unpolished, but its other use cases might make it interesting to people managing Kubernetes clusters or other large deployments of virtual machines.
Despite its close association with Tailscale and dependence on its clients, Headscale is the only truly community-driven project of the bunch. All of the other solutions are open source (or, depending on how you feel about the SSPL, source available), but they are all built by venture-backed companies. Given the relative lack of community contributions, these projects may not have much of a future if the companies associated with them are unable to find their way to commercial success.
| Index entries for this article | |
|---|---|
| GuestArticles | Webb, Jordan |