Use WireGuard[1] instead. It's way faster than Tinc and other userland VPN implementations. I've been using it for the same purpose as the author of the article and it has been rock solid - not a single issue during almost two years. Setup and configuration is a breeze[2].

[1] https://www.wireguard.com/

[2] https://github.com/hobby-kube/guide#wireguard-setup

Edit: Benchmarks on Hetzner Cloud (1vCPU, 2GB)

  $ iperf3 -c kube1
  Connecting to host kube1, port 5201
  [  4] local 10.0.1.2 port 57622 connected to 10.0.1.1 port 5201
  [ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
  [  4]   0.00-1.00   sec  77.2 MBytes   647 Mbits/sec   79   1.37 MBytes
  [  4]   1.00-2.00   sec  78.8 MBytes   661 Mbits/sec    0   1.51 MBytes
  [  4]   2.00-3.00   sec  81.2 MBytes   681 Mbits/sec    0   1.62 MBytes
  [  4]   3.00-4.00   sec  85.0 MBytes   713 Mbits/sec  134   1.20 MBytes
  [  4]   4.00-5.00   sec  80.0 MBytes   671 Mbits/sec    0   1.28 MBytes
  [  4]   5.00-6.00   sec  77.5 MBytes   651 Mbits/sec    0   1.33 MBytes
  [  4]   6.00-7.00   sec  88.8 MBytes   745 Mbits/sec    0   1.37 MBytes
  [  4]   7.00-8.00   sec  73.8 MBytes   619 Mbits/sec    0   1.39 MBytes
  [  4]   8.00-9.00   sec  78.8 MBytes   661 Mbits/sec    0   1.41 MBytes
  [  4]   9.00-10.00  sec  80.0 MBytes   671 Mbits/sec    0   1.42 MBytes



Running Kube on their cloud servers? Well, have fun with that: the "vCore" is a very inconsistent unit unless you get their dedicated core servers. I moved back to Hetzner Bare Metal because you can't have anything that will push the resource boundaries on these boxes.

Also regarding Wireguard, I really like how tinc will find a new path and allows you to route over other nodes as needed. Wireguard can't really do that out of the box, every link is 1:1. You can of course set up something on top of that, but I miss the ease with which tinc does this.
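To make the "1:1 links" point concrete, here is an added example (not from the thread or from the WireGuard project) of the "something on top" a practitioner would typically build: a hub-and-spoke layout in which spokes reach each other by routing through one hub node. WireGuard's cryptokey routing does the work: each spoke lists the hub's address plus every other spoke's address as AllowedIPs on the hub peer, and the hub lists each spoke as exactly its own /32, so a spoke cannot inject packets sourced from another spoke's address. The addresses, hostnames and key names are constructed placeholders; the hub additionally needs `net.ipv4.ip_forward=1` to forward between spokes.

```shell
#!/bin/sh
# Added example: hub-and-spoke WireGuard mesh where spokes reach each other via the hub.
# Addresses, endpoint hostname and key material are constructed placeholders.
HUB_IP=10.0.1.1
SPOKES="10.0.1.2 10.0.1.3 10.0.1.4"

# spoke_allowed_ips SELF_IP
# Prints the AllowedIPs a spoke assigns to its hub peer: the hub's own address plus
# every other spoke's address. Cryptokey routing then sends packets for those
# destinations into the tunnel towards the hub, which forwards them.
spoke_allowed_ips() {
  self="$1"
  out="${HUB_IP}/32"
  for s in $SPOKES; do
    [ "$s" = "$self" ] && continue
    out="${out}, ${s}/32"
  done
  printf '%s\n' "$out"
}

# render_spoke_conf SELF_IP -> wg0.conf text for that spoke (keys are placeholders)
render_spoke_conf() {
  self="$1"
  cat <<EOF
[Interface]
Address = ${self}/24
PrivateKey = PLACEHOLDER_SPOKE_PRIVATE_KEY
ListenPort = 51820

[Peer]
# the hub; PersistentKeepalive keeps the UDP mapping open through NAT/stateful firewalls
PublicKey = PLACEHOLDER_HUB_PUBLIC_KEY
Endpoint = hub.example.invalid:51820
AllowedIPs = $(spoke_allowed_ips "$self")
PersistentKeepalive = 25
EOF
}

# render_hub_conf -> wg0.conf text for the hub: one [Peer] per spoke, each limited to
# its own /32, so packets with another spoke's source address are dropped on arrival.
render_hub_conf() {
  cat <<EOF
[Interface]
Address = ${HUB_IP}/24
PrivateKey = PLACEHOLDER_HUB_PRIVATE_KEY
ListenPort = 51820
EOF
  for s in $SPOKES; do
    cat <<EOF

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY_FOR_${s}
AllowedIPs = ${s}/32
EOF
  done
}

# Stand-alone run: print the config for one spoke.
render_spoke_conf 10.0.1.2
```

The hub is a single point of failure, which is exactly the gap the comment above describes: tinc re-routes around a dead node on its own, whereas here a second hub means duplicating the AllowedIPs scheme and adding route metrics or a routing daemon on top.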


I was actually surprised at the lackluster performance on the cloud products as well and recently spun up a dedicated box for a workload that actually required consistent performance. I never expected the performance to match a bare metal option of course, but coming from any of the other cloud providers I expected it to be more equivalent than it turned out to be.


Along the lines of automatically re-routing, tinc also has some neat anycast-like capabilities: you can assign the same IP to multiple nodes, and the lowest latency/shortest route node wins.


I was considering using autossh to create a private link between servers, because in my case it's only a handful of servers.

Can you comment on how stable a Wireguard tunnel is? Did you manage to get the link/VPN to stay up permanently with little to no maintenance?


There isn't really an up/down of wireguard, once the interfaces are configured, you just start pumping packets through, it's pretty invisible.


Found it to be incredibly stable, plus the links are self-healing due to its design.
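Because there is no link state to watch, the practical way to monitor a WireGuard tunnel is the handshake age: while traffic flows, peers renew the handshake roughly every two minutes, so a peer whose last handshake is much older than that (or that never completed one) is effectively down. The following is an added example (not from the thread) of that check as a small shell filter over the output of `wg show wg0 latest-handshakes`, whose lines are `<peer public key><tab><unix time of last handshake>` with `0` meaning never. The sample output and peer key names are constructed.

```shell
#!/bin/sh
# Added example: flag WireGuard peers whose last handshake is too old.
# Constructed sample of `wg show wg0 latest-handshakes`; the keys are placeholders.
SAMPLE_HANDSHAKES='PLACEHOLDER_PEER_KEY_A=	1700000000
PLACEHOLDER_PEER_KEY_B=	1699999000
PLACEHOLDER_PEER_KEY_C=	0'

# stale_peers NOW THRESHOLD_SECONDS
# Reads latest-handshakes lines on stdin and prints the public key of every peer
# whose handshake is older than THRESHOLD_SECONDS relative to NOW, or never happened.
stale_peers() {
  now="$1"
  thr="$2"
  awk -v now="$now" -v thr="$thr" 'NF >= 2 { if ($2 == 0 || now - $2 > thr) print $1 }'
}

# count_stale NOW THRESHOLD_SECONDS -> number of stale peers on stdin
count_stale() {
  stale_peers "$1" "$2" | wc -l | tr -d ' '
}

# check_sample -> "ok" if every sample peer is fresh, otherwise "stale:<n>"
check_sample() {
  n=$(printf '%s\n' "$SAMPLE_HANDSHAKES" | count_stale 1700000100 180)
  if [ "$n" = "0" ]; then
    echo ok
  else
    echo "stale:$n"
  fi
}

# Stand-alone run against the constructed sample. On a live node the same filter is
# fed by: wg show wg0 latest-handshakes | stale_peers "$(date +%s)" 180
printf '%s\n' "$SAMPLE_HANDSHAKES" | stale_peers 1700000100 180
```

A threshold of about 180 seconds matches the point at which WireGuard itself stops using a session that has not been renewed; wiring the filter into cron or a monitoring agent turns the "invisible" tunnel into something that alerts when a peer silently stops answering.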


I second Wireguard, I've been using it recently instead of an overlay network in Kubernetes (configured as a kubenet). Incredibly easy to set up and very performant.


Could you describe how you did it?


Some information on how to do this would be awesome


I would use WireGuard tbh, but I use pfSense for Networking and there doesn't seem to be a userspace implementation available that runs on it (I did try some FreeBSD binary that I copied over but that didn't quite work out).


The -go version should work, though (if compiled correctly). https://git.zx2c4.com/wireguard-go/


I hope https://github.com/gsliepen/tinc/issues/179 becomes a reality: tinc ui and features on top of wireguard!


I did know about this, but it looks very interesting! Will defo check it out, thanks!

