Stop Using VPNs! Peer-to-Peer Zero-Trust Communication With Twingate

  • Published 1 Aug 2024
  • Discover why VPNs may not be the most secure or efficient option for your online communication needs anymore. Introducing Twingate, a peer-to-peer zero-trust communication solution that changes the way we connect and share data online. Join us as we delve into the world of Twingate and explore its advanced features, unrivaled privacy measures, and effortless user experience. Say goodbye to VPN hassles and embrace the future of secure, seamless online communication with Twingate!
    #vpn #twingate #peer-to-peer
    Consider joining the channel: / devopstoolkit
    ▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
    ➡ Gist with the commands: gist.github.com/vfarcic/43333...
    🔗 Twingate: twingate.com
    ▬▬▬▬▬▬ 💰 Sponsorships 💰 ▬▬▬▬▬▬
    If you are interested in sponsoring this channel, please use calendly.com/vfarcic/meet to book a timeslot that suits you, and we'll go over the details. Or feel free to contact me over Twitter or LinkedIn (see below).
    ▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
    ➡ Twitter: / vfarcic
    ➡ LinkedIn: / viktorfarcic
    ▬▬▬▬▬▬ 🚀 Other Channels 🚀 ▬▬▬▬▬▬
    🎤 Podcast: www.devopsparadox.com/
    💬 Live streams: / devopsparadox
    ▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
    00:00 Peer-to-Peer Zero-Trust Communication
    01:26 How VPNs Work and Why It's Silly to Use Them Today?
    07:07 What Is Peer-to-Peer Communication?
    08:57 Twingate Peer-to-Peer Communication In Action
    16:59 How Does Twingate Work?
    18:56 Twingate Pros And Cons
  • Science & Technology

COMMENTS • 92

  • @DevOpsToolkit
    @DevOpsToolkit 11 months ago +2

    Are you using VPNs?

    • @entelin
      @entelin 11 months ago +8

      I have a problem with people saying "VPN's suck" when all of the solutions to this are also VPNs. What you have a problem with is the management nightmare that simple vpn's become at scale. Twingate and friends build vpns between endpoints with centralized management, that's it. Obviously useful, especially if the management can be self hosted else you're adding an additional company to your sphere of trust. We don't say "nginx sucks" because manual configuration becomes a nightmare at scale.

    • @entelin
      @entelin 11 months ago +6

      You also mention that "vpn's allow full access to the destination network". That has nothing to do with vpn's, that's firewall policy. Nor do vpn's require you to route all of your internet traffic over them.

    • @marcin_kulik
      @marcin_kulik 11 months ago

      I worked for a bank and every environment had a different VPN; with the lots of environments that banks usually have, that is a nightmare.

    • @athiqurrahman8147
      @athiqurrahman8147 11 months ago +2

      Yes, VPN is still needed. This is a great tool, but it covers a very narrow use case; using this doesn't mean you can throw VPN away.
      VPNs are outdated, and I am still waiting for a complete solution that will allow me to get rid of them.

    • @EE12CSVT
      @EE12CSVT 7 months ago +1

      Yes, WireGuard on my router, keys managed on my LAN, with no 3rd party access.

  • @cheebadigga4092
    @cheebadigga4092 11 months ago +1

    I'm not sure if I understand correctly. When you say "you need multiple VPNs for multiple networks", how are "networks" defined exactly? The only situation I can think of right now is site-to-site VPNs, which the end user mostly doesn't even have to know about. But they require administration, of course.

  • @milosbuncic9560
    @milosbuncic9560 11 months ago +3

    This is indeed a really great solution, but one drawback of this solution is that once you register your device you cannot remove it from the UI or by sending an API request; you need to open a support request in order for the registered device to be permanently removed from their system. Looking at this fact from a privacy standpoint, I really dislike it.

  • @1879heikkisorsa
    @1879heikkisorsa 11 months ago +1

    Three things prevent me from using it:
    1. SSL does not work on a service level (or here called resources) if you terminate it on the gateway as most distributed systems do. Thus when you access an internal web app the browser will show "insecure" and redirect URLs will not comply with OAuth2 standards for production.
    2. You would need to serve all applications on port 80 in order to have them available without the port addition. Adding the ports after a FQDN is not user friendly at all and should not be done if you're a serious business.
    3. Missing K8s operator.

  • @50flick
    @50flick 11 months ago +1

    My company has been with Twingate for over 2 years now. I'm having 1 year of experience with it.
    It's very good... makes everything so much easier.

  • @GottaHache
    @GottaHache 11 months ago +2

    Great video and overview of Twingate. Big fan of the tool❤

  • @dirien
    @dirien 11 months ago

    I felt your aversion against VPNs! In my former workplaces it was a pain too!

  • @mcnairymichael
    @mcnairymichael 11 months ago +2

    "They are an incarnation of evil" OMG I laughed so hard at that! Thank you, Viktor. I needed that!

  • @user-ux1kb8ys9i
    @user-ux1kb8ys9i 11 months ago +1

    How are you handling TLS termination so you don't get HTTPS errors with your aliases in this setup? I thought of using ingresses and cert-manager to sign Let's Encrypt certs but, to your point, this isn't entirely necessary.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      You can register TLS certs for aliases if they are based on company domains.

  • @christianibiri
    @christianibiri 11 months ago +1

    Awesome! Love the examples with the "silly" word!

  • @badr_mo
    @badr_mo 11 months ago +6

    Tailscale is usually the go-to when using a mesh VPN. Why are you going for Twingate specifically? Could you please highlight its advantages over Tailscale?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +4

      I will explore Tailscale in one of the following videos and use that opportunity to compare them.

    • @badr_mo
      @badr_mo 11 months ago +1

      @DevOpsToolkit I would appreciate it, thanks for your efforts.

    • @pavelanni
      @pavelanni 11 months ago +1

      Tailscale is great, I love it

  • @jetersen
    @jetersen 11 months ago +2

    @DevOpsToolkit the create UI for a resource has a section called ports; if you look to the right of address, perhaps that would fix your issue with the port? :D
    I believe you can also enter the Kubernetes service's fully qualified domain name instead of typing out the IP.
    The docs say it supports CIDR ranges too, so you could have typed the entire Kubernetes cluster CIDR range 😅
    The port section will also restrict the ports that are accessible; otherwise, by default Twingate allows all TCP and UDP ports.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +2

      You're right. It can be the service name as well.
      The last time I used it, there were no ports. I know they were working on adding it though, so you're probably looking at a newer version.

  • @olivierfournier3120
    @olivierfournier3120 11 months ago +4

    Thank you very much for this great overview of the tool. I'm so glad you brought the point about the lack of a self-hosted solution. Personally I would never take the risk of using SaaS solutions for such security centric functionalities, even for my personal infrastructure. Any self-hosted alternative already known to you?

    • @philipgriffiths5779
      @philipgriffiths5779 11 months ago

      @olivierfournier3120 OpenZiti. It's open source and self-hosted. It can also be used for 'east-west' traffic, where Twingate only does 'north-south'.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      Those that I used are all SaaS, so I'm not sure what to recommend as a self-managed choice.

    • @olivierfournier3120
      @olivierfournier3120 11 months ago +1

      @DevOpsToolkit I did some short research, but didn't find any potential alternative. Hopefully Twingate will hear our voice, us security-paranoid guys 😂

    • @robertfichtinger
      @robertfichtinger 11 months ago +2

      Is OpenZiti a self-hosted alternative?

    • @philipgriffiths5779
      @philipgriffiths5779 11 months ago

      @robertfichtinger Yes, with differences. OpenZiti, like Twingate (TW), is a zero trust overlay network which cares about connecting "services" with ZTN concepts, including least privilege, micro-segmentation, and attribute-based access etc., while being 'closed-by-default'. This is different from anything WireGuard, which connects hosts and is 'open-by-default'. Differences between them incl. (1) OpenZiti is open source and can be self-hosted, (2) Ziti can do 'north-south', like TW, while also being able to apply ZTN to 'east-west' traffic in a local LAN... in fact, Ziti has no concept of client or server (TW does); any endpoint can host or connect to any other service, (3) OpenZiti has richer endpoints incl. SDKs which can be compiled into apps, serverless, edge/IoT and even clientless endpoints, (4) under the hood, Ziti and TW may have some architectural changes (e.g., I am pretty sure TW is P2P whereas Ziti has a smart routing mesh network).

  • @user-qr4jf4tv2x
    @user-qr4jf4tv2x 1 month ago +1

    I like WireGuard; anything based on WireGuard is going to be slower due to abstraction. Plus, WireGuard you can self-host, while others paywall you and some are difficult to install.
    Alternatively you have ZeroTier and zrok.
    If I just need to tunnel my home server to the web, then rathole.

  • @marcin_kulik
    @marcin_kulik 11 months ago +2

    Thanks, great video as always. What is your opinion on the use of personal VPNs like NordVPN to increase security etc.? Opinions seem to be divided on the subject.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +4

      I think personal VPNs are too risky. Many providers are in the business of sniffing and selling data. So, you might be more protected from outsiders but exposed to the VPN provider.
      I might be completely wrong though. I used one of them only briefly while I was in China since that's probably the only way to avoid their restrictions.

    • @marcin_kulik
      @marcin_kulik 11 months ago +2

      Good point, this is probably the question of where the higher risk is, would that be the outsiders or the VPN provider :)

  • @FURIArts
    @FURIArts 11 months ago +1

    Would you recommend Twingate over ZeroTier? Have you tried ZeroTier yet? From my understanding both services are kind of similar, but ZeroTier allows more nodes on the free plan.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      I have only superficial experience with ZeroTier so I cannot compare them 😔

  • @DennisHaney
    @DennisHaney 11 months ago +1

    Can you make a video for the opposite problem? We have an internal cluster, but want a webhook callable from the internet.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      What do you mean by "webhook callable from the Internet"? Do you mean access to that cluster or a resource inside that cluster from outside (from the Internet)? If that's the case, that should work without a problem (that I'm aware of) with Twingate.

    • @DennisHaney
      @DennisHaney 11 months ago

      @DevOpsToolkit For example, that Argo CD can have a webhook that GitHub calls on commits.

  • @crikxouba
    @crikxouba 11 months ago +2

    What software do you use for your editing and graphics?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +3

      I'm sending raw material to an agency that does editing and everything else, so I'm not sure. Back when I was doing it myself, I used Final Cut Pro.

  • @marcin_kulik
    @marcin_kulik 11 months ago +1

    Can Twingate be only controlled via UI? Or can we use GitOps too?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      It can also be used through their API. Since GitOps tools are focused on managing Kubernetes resources, you would need to wrap it into a controller with a CRD or use the API with Kubernetes Jobs.

  • @marcin_kulik
    @marcin_kulik 11 months ago +1

    And Now for Something Completely Different: Will there be any more "Ask Me Anything" or any other sessions for random questions etc?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +1

      I haven't organized an AMA session in a long while. I have had too many things on my plate for months now and the rest of the year will be very packed, so I'm not sure. Starting from 2024 I will lower the number of tasks I commit to, so that might be the time to restart AMA.

  • @Fayaz-Rehman
    @Fayaz-Rehman 11 months ago +1

    Thanks for the video.

  • @nyk077
    @nyk077 11 months ago +1

    Man, you destroyed years of VPNs in just a few minutes 😂

  • @Alexander-yu9uy
    @Alexander-yu9uy 11 months ago +3

    Looks similar to Teleport. Did you have a chance to try it? If yes, how do you compare Teleport to Twingate?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +1

      Teleport is in a similar domain as Twingate and I already have it on my to-do list to compare them.

    • @philipgriffiths5779
      @philipgriffiths5779 11 months ago +3

      Teleport operates at L7 and gives capabilities such as recording commands etc. Twingate, Tailscale, OpenZiti etc all operate at L3/4 on the wire.

  • @stefans.9981
    @stefans.9981 11 months ago +2

    Thanks a lot for the interesting video. One question though: how does this compare to Cloudflare zero trust solutions? I assume from a security perspective Cloudflare is perhaps even more robust than Twingate. Do these zero trust solutions also allow script access to a service, or do they always need a human in front of it to pass the login?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +2

      Anything allowed to access such services can access them. That can be humans or processes.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +2

      I forgot to comment on your request for Cloudflare. I'm putting it on my to-do list and will explore it in more depth in one of the upcoming videos. I'll use that opportunity to compare it to Twingate.

    • @stefans.9981
      @stefans.9981 11 months ago +1

      @DevOpsToolkit Thanks a lot. Btw, inspired by your video I also found OpenZiti, which seems to be quite similar to Twingate but fully open source and with an Apache 2.0 license. So at first glance maybe a self-hosted alternative.

    • @siarheimakarevich4944
      @siarheimakarevich4944 9 months ago +1

      @DevOpsToolkit man, really??? You are deleting my comments about Cloudflare Zero Trust??

    • @DevOpsToolkit
      @DevOpsToolkit 9 months ago +2

      @siarheimakarevich4944 I never deleted a single comment. However, YouTube itself sometimes deletes those it thinks are spam. Those are often comments with links. If your comments had a link, that is likely the issue and you can repost it without the link. If the link is important, feel free to DM me on Twitter or LinkedIn and I'll post it myself. I'd love to give you a better answer or to prevent comment deletion but, as far as I know, channel owners do not have a say in what YouTube chooses to remove.

  • @thiagoscodeler5152
    @thiagoscodeler5152 11 months ago +1

    Thanks for the great content. Suggestion for a video: Terraform Business Source License, OpenTF and impacts.

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      It's hard for me to make such a video as my own choice. I am deeply involved with Crossplane and some people might consider Terraform a competitor (even though I do not think it is). As such, I might be branded as biased and intentionally going after competition. So, I am trying to avoid such subjects except when someone asks me directly in a live stream, conference, a chat, etc.

    • @thiagoscodeler5152
      @thiagoscodeler5152 11 months ago +1

      @DevOpsToolkit Got it. I totally agree with you. In your case, dealing directly with Crossplane, it is hard to talk about that subject. Anyway, thanks for being so transparent... I really enjoy your channel.

  • @Artazar77
    @Artazar77 11 months ago +3

    Teleport ( reviewed in ua-cam.com/video/zVEbml1IAOQ/v-deo.html ) also has a similar capability: if you dedicate a DNS zone to it with wildcard records, you can expose any k8s internal app with ClusterIP service and no ingress, use a DNS name inside this zone, and authenticate with Teleport to access it. Teleport is OSS and self-managed. Of course you must expose Teleport itself, which makes it a critical bastion point, but for the rest of the needs it fits well.

  • @liman11
    @liman11 2 months ago +1

    Do I need to have public IP?

  • @gal910
    @gal910 10 months ago +1

    How does it compare to Gravitational Teleport?

    • @DevOpsToolkit
      @DevOpsToolkit 10 months ago +1

      They are similar. For me, the major difference is simplicity and speed.

  • @shalomcohen122
    @shalomcohen122 11 months ago +4

    It's absurd that the VPN had to specify the IP address of the service; if the connector lives in Kubernetes it has access to the service DNS name (the IP address could change and should not be relied upon). Regardless, ports, URLs and other better application identifiers are a basic need for proper application access.
    The explanation of exchanging IPs and then directly communicating is impossible (both client and service are with private IPs and they have to go through a mediator, which can only be the connector, which might do basic routing but still goes through it).

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      That's on me. I used the IP but service name works as well.

    • @BK-wi6cl
      @BK-wi6cl 11 months ago +1

      Good explanation by Viktor. But I am also doubting that the communication between my laptop (private IP range) goes peer-to-peer to the SVC network (private IP range) of the cluster. The routing would technically still not be possible without the mediator client on the laptop and the Connector which lives in the cluster. I think that all traffic goes first to the mediator, to the public IP of Twingate, and then reaches the SVC network of the cluster. Probably the Connector initiates an outgoing connection to Twingate and the cluster has to allow egress to the Internet.

    • @BK-wi6cl
      @BK-wi6cl 11 months ago +1

      Check the "How Twingate works" and you will see there is a TLS tunnel which goes via the Twingate Relay. So, not really peer-to-peer communication here?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +1

      @BK-wi6cl yeah. I should have explained it better.

  • @MichaelDodwell
    @MichaelDodwell 11 months ago +1

    What about access to non-web services like DBs?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago

      No problem.

    • @MichaelDodwell
      @MichaelDodwell 11 months ago +1

      The client for access is browser based though; how does it work allowing, say, mysql CLI access?

    • @DevOpsToolkit
      @DevOpsToolkit 11 months ago +1

      @MichaelDodwell it will work if that CLI is running on the machine where the client is running.

    • @MichaelDodwell
      @MichaelDodwell 11 months ago

      Currently using Pomerium for zero trust; if this can do MongoDB access and SQL it might be worth the switch.

  • @ahn_buguei
    @ahn_buguei 5 months ago +1

    Any self-hosted alternative?

    • @DevOpsToolkit
      @DevOpsToolkit 5 months ago +1

      I think they introduced a self-hosted version in the meantime. I might be wrong, so better double-check it.

    • @ahn_buguei
      @ahn_buguei 5 months ago +1

      @DevOpsToolkit Thanks! Btw, your channel is very good.

  • @typicalaimster
    @typicalaimster 11 months ago +3

    Looks like another Tailscale/WireGuard solution. Especially when you click the pricing tab!

    • @philipgriffiths5779
      @philipgriffiths5779 11 months ago +1

      Twingate and other zero trust solutions are focused on connecting services, rather than hosts while being 'open-by-default' rather than closed. They do not natively do least privilege, micro-segmentation, and attribute-based access etc. Tailscale does have ACLs but this is not quite the same and I hear does not scale well.

    • @impaque
      @impaque 11 months ago

      @philipgriffiths5779 can you tell us where you heard/read that about Tailscale scaling?

    • @impaque
      @impaque 11 months ago +1

      Tailscale's price is way lower and it has much, much more features. There is also a 100% open source (server) version called Headscale.

    • @philipgriffiths5779
      @philipgriffiths5779 11 months ago +1

      @impaque Tailscale is lower cost than Twingate? I don't understand atm what is cheaper/better featured than what. I am aware of Headscale, and I understand (please correct me if wrong) that it does not have feature parity with Tailscale in many ways.

  • @schwerkopf
    @schwerkopf 11 months ago +1

    first^^

  • @microst99
    @microst99 11 months ago +1

    @8:13 Were?! Ahem... xD
    Many thanks for the video!

  • @julianomoraisbarbosa
    @julianomoraisbarbosa 11 months ago +1

    # til

  • @natachinhas
    @natachinhas 11 months ago +1

    Pigeons > VPN 🤣🤣🤣

  • @impaque
    @impaque 11 months ago +1

    Closed-source VPN with such a limiting free tier? No and no, hard pass.