this post was submitted on 24 Jun 2024
98 points (93.8% liked)

Open Source

31128 readers
379 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

"Create P2P tunnels instantly that bypass any network, firewall, NAT restrictions and expose your local network to the internet securely, no Dynamic DNS required."

top 38 comments
sorted by: hot top controversial new old
[–] [email protected] 93 points 4 months ago (1 children)

Join our Discord Support Server

Right into the trash.

[–] [email protected] 30 points 4 months ago* (last edited 4 months ago) (3 children)

Static IP address and Dynamic DNS can expose your network to attackers on the internet. With Holesail, you expose only the port you choose.

Er, wut? If you're exposing a port, then your public IP is being used, as a port is a subset of an IP interface. So even Holesail uses the public IP in some way...thats how the internet works. Unless they're only making outbound connections, which isn't a new idea at all - Hamachi was doing it 20 years ago.

This sounds like FUD to me - of course your public IP is used, whether static or dynamic. How do they supposedly mitigate this risk?

There's nothing on the home page saying how it works, or how it's different than current solutions.

I'm intrigued to see a new tool in this space, but this one is starting off leaving a bad taste. Even Tailscale admits they use Wireguard, and even have a comparison between Wireguard and Tailscale that's pretty honest (though they focus on what Tailscale adds).

Being open and transparent is a minimum today - anything less and it's not worth the time for a second look.

[–] [email protected] 7 points 4 months ago* (last edited 4 months ago) (1 children)

My guess is that this works similar to a Tor hidden service, where you can't even access the open port without a key of some kind and then you can only access that specific port. It's not the same as having a port open on your IPv4 address since from the router's perspective it's only an outgoing connection. Somebody portscanning you wouldn't find that port open. Though I could be wrong.

[–] [email protected] 5 points 4 months ago (1 children)

This VPN protocol usually uses a private key (client) / public key (server) combo that is used to connect through a public IP address (the 2 nodes can’t communicate it without) using the specified TCP or UDP (more often lately) and port to create the VPN tunnel that’s gets established during the handshakes.

There is a whole lot more going on with the process but that’s a high level view. But I have a WireGuard VPN service running on a raspberry pi that I put in a DMZ on my perimeter firewall.

But a port scanner would be able to see that port is open. Make sure you keep your software up to date. Hopefully the software devs of the VPN application is keeping their stuff up to date to avoid any vulnerabilities getting exposed in the code and a backdoor getting created because of it. As long as that doesn’t become an issue, no one will be able to get through without the private key. And those are usually uncrackable in a lifetime with the complexity and length of the key.

[–] [email protected] 2 points 4 months ago

Open UDP ports are pretty secure and rarely found by scanners. The basic issue with scanning for UDP is, that most services don't respond to random garbage you try to probe then with. Without getting a response back, the scanner has no way of knowing if there is something running on that port or not.
Wireguard in particular only responds if the correct key is given.
Also make sure your firewall DROPs (usually the default, but do check) disallowed connections instead of REJECT. This way any UDP probing, whether it's to an open port or closed one just times out with no way for the scanner to distinguish them.

[–] [email protected] 4 points 4 months ago

I know ngrok is something different, but do you know if it uses a technology similar to Hamachi too? I'm asking because I discovered that ngrok works even without a public IP (when you use a mobile connection for example).

[–] [email protected] 1 points 4 months ago

Because you’re only ‘exposing’ the port on the peer to peer network.

You “publish” a port to holesail, then clients have to create a local proxy via holesail before they can access it.

I agree, It’s a dumb pointless claim. But I don’t think it’s misleading.

It looks like holesail is just tailscale, but on a much smaller scale. It’s not networks, it’s just ports.

[–] [email protected] 13 points 4 months ago (2 children)

I don't understand, it says it's P2P, then it also says expose your local network to the internet securely. How can a P2P service expose anything to the internet without a gateway server somewhere?

Static IP address and Dynamic DNS can expose your network to attackers on the internet. With Holesail, you expose only the port you choose.

That's also how NAT works, you only expose the ports you choose.

[–] [email protected] 2 points 4 months ago

This looks like one of those wireguard based solution like tailscale or netbird though I'm not sure they are using it here. They all use a public relay used for NAT penetration as well as client discovery and in some instance, when NAT pen fails, traffic relay. From the usage, this seems to be the case here as well:

Share the local Minecraft server:

$ holesail --live 25565 --connector "holesailMCServer420"

On other computer(s):

$ holesail "holesailMCServer420"

So this would register a "holesailMCServer420" on their relay server. The clients could then join this network just by knowing its name and the relay will help then reach the host of the Minecraft server. I'm just extrapolating from the above commands though. They could be using DHT for client discovery. But I expect they'd need some form of relay for NAT pen at the very least.

As for exposing your local network securely, wireguard based solution allow you to change the routing table of the peers as well as the DNS server used to be able to assign domain name to IPs only reachable from within another local network. In this instance, it works very much like a VPN except that the connection to the VPN gateway is done through a P2P protocol rather than trough a service directly exposed to the internet.

Though in the instance of holesail, I have heavy doubts about "securely" as no authentication seems required to join a network: you just need to know its name. And there is no indication that choosing a fully random name is enough.

[–] [email protected] 2 points 4 months ago

Looks like tail scale for ports.

[–] [email protected] 8 points 4 months ago (1 children)

Trying to figure this out

Hyperswam dht is used as the hole punch intermediary... Which is running on the hole punch swarm...https://github.com/hyperswarm

I can't find a good overview document of how the entire architecture works, there's no Wikipedia page on this system.

At its core, if it's open source, I want to know what I need to run this independently on my own networks without touching any of their stuff.

[–] [email protected] 7 points 4 months ago* (last edited 4 months ago)

There's more information about the components of this system here:

https://docs.pears.com

There really isn't much to this Holesail project - it's a little convenience wrapper around Hyper DHT and that's a part of this Pear project it seems. That site has a list of the various components and links to each one's GitHub.

Pear looks like an interesting project but I haven't looked through the details of how it works.

[–] [email protected] 4 points 4 months ago (2 children)
[–] [email protected] 4 points 4 months ago (2 children)

Sure, I haven't heard of hamachi. It's ok to have multiple tools that do the same thing

[–] [email protected] 18 points 4 months ago (2 children)

@makeasnek @chris

I have a whole list in my bookmarks:
- everybody knows Tailscale (and Headscale)
- Slack Nebula
- NetBird
- NetMaker
- ZeroTier
- OpenZiti
- Wesher
- PineCone
- n2n
- weron
- innernet
- vpncloud
- tinc (the OG)

[–] [email protected] 3 points 4 months ago

Yggdrasil :)

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago)

Ngrok

Twingate (what I use)

[–] [email protected] 5 points 4 months ago
[–] [email protected] 1 points 4 months ago

That brings back memories... trying to play co-op games back in the day wasn't so easy as it is now...

[–] [email protected] 2 points 4 months ago

Is this similar to NetBird and Tailscale?