Alright, I guess we're ready to start. So thanks everyone for coming. I really appreciate it. I know we're at the end of the conference, people are probably catching flights soon, but I love seeing so many people here. It's been an awesome conference. I really enjoyed it. I hope all you guys did. So yeah, I'm here today to talk about WireGuard and the future of cloud networking. So with that we'll go ahead and get started.

Just a bit of info about me. So I'm Alex Feiseles. I'm from Asheville, North Carolina. It's a beautiful town if you've never been there. You know, I moved there during the remote work era. I love being there. We're a completely virtual team, so no reason to be in a hub anymore, in my opinion at least. Yeah, in my personal life, I am a music hobbyist. I like making music on the computer and piano. I'm kind of terrible at guitar, but I try to do it a little bit if I can. Yeah, and my background technically: I was at IBM as a DevOps engineer doing multicloud and data science infrastructure. I did similar stuff with Crossvale, which is a Red Hat partner, so I got to do some really cool big projects there as well. Yeah, and then I went and founded Netmaker. So that's what I've been doing for a few years now, but that's not what the talk is about. So I'll get started talking about WireGuard, but Netmaker is a WireGuard virtual networking platform.

Okay, so with that I'll go ahead and get started. So what we'll talk about a little bit is VPNs, kind of the rise and demise of them in the popular mindset. We'll then go into what the new sort of popular mindset in the culture is, in the zero trust. We'll move on to WireGuard and how it changes the game in terms of how we think about VPNs, and then I'll give you a quick demo just of what WireGuard looks like in case you're not familiar with it, and we'll talk about where you can actually go to bring WireGuard into your organization and how you can start implementing it. Then we'll wrap up with a brief Q&A and that'll be it.
So okay, getting started: VPNs. What are they? I'm sure most of you guys are pretty familiar if you're in this talk, but just trying to keep it very simple and maybe get around some of the misconceptions of what a VPN is. So it's a virtual private network, and in its very simplest form, it's like encrypted tunnels between devices, and typically creates secure connections over the internet. So we have some thoughts around what a VPN is conceptually, but in its simplest form you could have just two devices, each one has a virtual address on it, and it encrypts the traffic on device A, sends it over to device B, and there you go, that's a VPN. But it takes many, many other forms, obviously. So in terms of more popular conceptions of a VPN, there's, you know, kind of the private internet access thought around VPN, which is what most personal users probably think when they think VPN. So you have some provider, you are encrypting the data, sending it over to that provider, and then they forward it on to the internet for you. Very similarly, if you're in the corporate space, you're probably more familiar with a remote access VPN, which is basically the same thing, but rather than go to the internet, you're going to your corporate resources, whatever those are: encrypting the traffic on your device, going to a server and then on into the corporate network. So those are kind of the two most common ones, but moving on from there.
There's a lot of other different types of VPNs, different ways of implementing them. They can take pretty much any arbitrary configuration to form whatever topology you're trying to create with your network. So you've probably heard site-to-site, where you're mostly forwarding traffic between routers rather than to the end user devices, so that site A can talk to site B and vice versa, and that can take many, many sites. Or you could have something more modern like a mesh VPN. So this is less known, I think, in the popular mindset and also doesn't have really a fixed terminology yet because it's, I think, relatively new in the space. So in this case you still have that original thing of just device A talks to device B, but in this case you have many devices and you're basically forming a subnet of those devices where each device has a direct connection to the other devices. So this can be very helpful if you're trying to form basically a virtual LAN between all of the devices wherever they are and not have to route through any additional devices.

So a short timeline on kind of where it was popularly. I'd say early 2000s it was rising with the rise of the internet. As people started using the internet more, corporations realized, oh, we have to send data over the internet, let's encrypt that, keep it safe. Moving on into the 2010s it gets more into commercial adoption, so you have more private VPNs showing up. People realize pretty much the same thing: we want to keep our data safe as it moves from our devices to the internet, stop hackers, malicious actors, all that sort of stuff. And also, you know, maybe you want to visit a website in some country and it's not allowed in that country, so a good way to do that. And then moving on into kind of the current era is we've seemed to move past VPNs, at least in the corporate space, in terms of what we want to implement. In the personal space, obviously, still very, very popular, and still pretty much used everywhere at every corporation.
You're gonna have a VPN likely today, but when you get to the decision-making side of things it's moved on a bit, and that pretty much, I would say, came from zero trust, which obviously is extremely important today. But as zero trust rose as a concept and a framework, we moved on to say that VPNs are now legacy. They're not dynamic. They're very difficult to configure. They're very static. They slow you down because they encrypt your traffic; depending on how much compute they take up you can get a lot of latency, so not good for high data transfer scenarios. And they're not secure, and that's really come out of the zero trust framework, which is, you know, perimeter security is not enough. You can't just encrypt traffic on devices, because if someone compromises that device, you're no longer secure. If the CEO of a corporation, if their device gets hacked and their VPN has access to everything, that person has access to everything. So that's kind of why we said okay, VPNs are now old guard, we're moving on to more zero trust type products and frameworks. And you see a lot of quotes like that all over, which is basically VPNs are now obsolete; as we move into the zero trust world VPNs will no longer exist.

So just a short bit on zero trust here. So it's a framework for getting security down to a very, very fine level and making sure that every request is verified. So you're moving far past device level security. So you start from zero access and you build it up for every request and for every resource, whether that's an app or a server or a user, whatever they are, they all have an identity. Any time they make a request it gets verified, you check their access controls, and only then do you move on to the resource.
So that's basically the idea, and I want to talk a little bit about problems with zero trust. And it's not a problem with the framework, it's more about the implementation, because it is a big change for a lot of organizations and it's a pretty difficult thing to implement. Zero trust, in addition to being a framework, is a mindset and a culture shift, similar to like DevOps or agile. You're not just putting zero trust into your organization, you are changing the way your organization thinks about security entirely. Beyond that, you're putting the security on every single device and it touches everything that your business does. So to really do zero trust, it's a lot of effort. So that's not a problem of zero trust itself, it's more of a problem in how do we implement it, because similar to DevOps, if you hire a DevOps engineer that doesn't mean you're doing DevOps. You have to change your whole processes to implement it correctly. So I'm going to get back to that a little bit, but I want to move on to WireGuard, what it is and what it enables.

So WireGuard is a relatively new VPN protocol. Not super new at this point, but new relative to other VPN protocols. It's low level, so it allows you to create virtual interfaces on the device, but it's not doing a lot of higher level things. It's very small, very low level by design. It's now Linux native. It's built into the Linux kernel, so if you're running any modern distribution, you're WireGuard-enabled on that device by default. It also runs on Windows. You can put it on IoT embedded devices. It can go pretty much anywhere. And it's extremely small, it's extremely fast. So if you configure it correctly you can get very similar latency to what you could get with an unencrypted connection. Not exactly the same, but very close, which is fantastic. And because it's low level and very simple,
it's also extremely configurable. You can do a lot with it, which we'll talk about shortly. And it uses very, very modern encryption, which is also great, and particularly the asymmetric keys allow you to make sure that you're not just passing out a key and it has access to something. You have to trade keys between devices, which gives you a much higher level of security between any devices. So, you know, if I steal a public key from somewhere, I'm not going to have access to the resource; that resource must also have my public key in order to allow that access.

So a brief history on WireGuard. Jason Donenfeld created it in 2015. It was very quickly realized to be a great protocol, something that could easily replace legacy VPNs. Linus Torvalds called it a work of art compared to previous VPN protocol implementations, so he worked very quickly to get it into the Linux kernel, which happened in 2020. And from there it got into pretty much every device you can imagine, so on FreeBSD, Mac, Windows, it can run across the board pretty easily, and there's user space implementations, Golang-written implementations. So it's great and it's very ubiquitous. Not really in 2021,
I just had to put a date there, but as WireGuard was found to be a very great protocol, people started to use it to do very interesting new patterns. So the mesh VPN: people started using WireGuard to do that. It's also started to get built into some of these zero trust products as the way to secure the devices. And getting to today, it's gotten to a pretty ubiquitous point. So, you know, if you're doing Kubernetes, CNIs can encrypt traffic over WireGuard now, and a lot of the major VPN providers in the personal space have also shifted to using WireGuard. So it's getting to be pretty much everywhere, but it's still underneath, you know, I'd say, the popular mindset. It's not risen to the level of, let's say, containers. So containers in the compute space: you can think of how LXC kind of is, where most people don't really know what LXC is and how it enables all of these amazing things that we do.

So how does WireGuard interact with this change in our mindset around VPNs? So VPNs are slow, VPNs are legacy, VPNs are very hard to configure and static, and most importantly they grant too much access. So with WireGuard you get extremely high speeds. It's extremely configurable and embedded in a lot of devices by default now. Because of the mutual key exchange you do get a higher level of trust, and it can complement zero trust, which is what I'm going to get to next.
It's not an either-or scenario. It's something that can help with your implementations, and/or maybe be the first way that you go about it if you're starting out. Yeah, so WireGuard enables you to create very arbitrary networks. If you've got IoT devices in the field, if you've got a multi-cloud scenario, if you've got site-to-site, WireGuard can be implemented in pretty much any of those. And it allows you to build a much more secure perimeter at the device level than you could previously, because of how low level it is and because it's really about going device to device. So with that, WireGuard is a great base layer for building a secure network. It's not going to be zero trust because it is at the device layer, but by starting with WireGuard, which is perhaps a lot simpler to implement, something you can implement on a case by case basis, it's a great way to start.

With that, let's just do a real quick demo of what WireGuard looks like. So I've just got two devices here. I'll just log into those. Okay. So here I've got a server in New York and a server in Sydney. I want to securely access an API running on server B from server A. I don't want to expose that API, or I don't want to bind that API to the public interface. I just want to have it be secure over the VPN and not worry about it. So I have in here the WireGuard config files already set up and I'm just going to show you what that looks like. I'll cat that, makes more sense. And this is kind of the quick way to get WireGuard up and running. WireGuard is actually run with, you know, more Linux-native commands, but this is kind of, there's a helper script to let you get it up and going quicker, but you'll see the commands it runs. And this can visually show you what a WireGuard setup looks like. So on server A I have an address for it, so it's going to create a virtual interface with an IP address of 10.100.0.2. I have defined a private key for this device, which I shouldn't be showing you guys, but there it is.
And there is the listen port that it is reachable over. And then I have to also define the peer that it is going to access, because I need to know its public key and it needs to know mine. So in order to reach another device, I need to know its public key. I need to know the address to reach it over the private network: what is its private network address? I also need to know its public network endpoint, so what's going to be the route over the internet to take, in addition to the port. Oh, interesting, I actually misconfigured that, but it still works and I can explain that as well. So same thing on the other one. So they basically traded public keys. You have to take the public key from one, put it on the other, vice versa, and add all this information in. So we'll do a quick wg-quick up, for those who are familiar with it, on device A and device B. I don't want to do it down. And you can see the commands it's actually running there. So what it's doing is adding a new interface of type WireGuard, it is adding an IP address to that interface, and it is adding a route for the other device. So I should be able to ping that. Let's find out. Okay, cool. And actually, so one of the good things with WireGuard is even though I got that port misconfigured there, as long as one device is able to reach the other device then you can establish a connection and it can keep going from there. So that endpoint could have been totally screwed up and they're still able to get to each other. So now I have that running. I'm just going to run a Docker container with a hello world REST endpoint on it, so it's attached to that virtual interface. And so this isn't going to be reachable over the public.
So if I, I think I have in there, so if I try to ping it over this guy, that's not going to work, ideally. Not reachable. And then we ping over that private endpoint and there you go. So that's like the tiniest, tiniest possible use case. It goes back to that original definition of what is a VPN, which at its smallest form: you've got two devices, private connection between the two, with the private address on them. So that's that. And let me get back to here.

Okay, so moving on from there. How can you go and take something like this and put it into your organization or get started with it? So the great thing about it is it's really easy to implement for small setups and easy to get going, and it works across a very good variety of use cases. So site-to-site, if you're looking to put this on routers, you can set that up in a matter of like an hour, just configuring it to put two routers together. You make a private tunnel like that and you're good to go. Remote access, a little bit more work, so you're gonna probably create a gateway, but it could be remote access to a particular device. And then overlay networks: you can also do something like that where you have a bunch of point-to-point connections. Obviously in that case it starts to get a lot more complex. So let's say you have 10 devices, or 100. If you look at those config files I created, imagine you have to know the endpoints of 100 different devices, the ports of them. Imagine if any of those devices changes networks, imagine if one of them is behind a CGNAT. It starts to get incredibly complicated when you go to scale. So we'll talk about that a little bit, but at least at the small level, with the smaller setups, you can get going on your own pretty easily. So just looking in that a little bit as maybe an IT administrator.
You've got a corporate landscape that includes a lot of different scenarios: traffic going between data centers, offices, clouds, machines, IoT devices. And, you know, you're starting trying to figure out where to get started with that. But you don't have to go with everything all at once. You can say, okay, this needs access to this, this needs access to this, and start setting up those tunnels. So it starts to get a little bit more simple, especially when you start thinking about it as what it is, which is a virtual network. So you've now created this perimeter where the devices have access to just what they should have access to, which is great.

But there are limitations on WireGuard because it is low level. WireGuard is very small and simple by design, which is fantastic. It should be. But because of that it hasn't built in a lot of the things that you are probably looking for if you're implementing network security. You don't have a concept of identity. You don't have a concept of sessions. So I created those tunnels; those are going to be alive until I kill them. You know, it's not at the service level, it's at the device level. So if you're trying to secure just an API, you know, you probably want some more firewall rules around that, you want it to be about specific ports. And there's no discovery or automation built into it, so like I showed with setting up those config files, it's going to be a lot of work if you start going to scale. And the most important part, which is why zero trust is so important, is it does not account for compromised devices. So if you get access to one of these devices inside a WireGuard network, it's still going to be able to access the other devices. Luckily there are solutions that allow you to start building on WireGuard and to implement these more complex concepts.
So some have already been built by various companies, but there's also a lot of open source projects that let you get going. So if you're looking to do this as an organization, you can probably find some form of automation that lets you get going. I've talked to a lot of people who use Terraform or Ansible to generate these config files and push them out to devices, and it works great for them. And for a lot of people that's going to be the right solution, so that is fantastic as well. So going forward, what you really want to get to is you have this very, very secure perimeter, which you can build very easily with WireGuard, where devices have access to just the devices that they should have access to. And on top of that you're adding on a layer of identity and of sessions, where you're able to make sure that if something goes, well, not if something goes wrong, when something goes wrong, that devices or that identities only have access to the things that they should have access to, that things get expired, that things get kicked out. So that's really what you're building towards, but you can start with this very, very simple implementation.

So, okay, made very good time there. So wrapping up on Q&A and takeaways, let's do a quick bit here. So yeah, VPNs used to be the thing. With the rise of zero trust and other frameworks, VPNs are now considered, at least in the popular mindset, to be legacy. But they're still a very important thing as a form of device level security, and the WireGuard protocol is the way to do that going forward. It is the embedded way of doing this on Linux. It's extremely fast, it's efficient, and it just makes sense. So that's pretty much what I've got for you guys. My name is Alex Feiseles. Yeah, I'm happy to answer any questions. I left probably too much time for questions, but that's totally fine. Before we do, I want to do one thing that's really fun.
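The demo's two-host config files, generalised to an N-node full mesh of the kind the talk says becomes hard to manage by hand at 100 devices, together with the pre-push check that a Terraform or Ansible pipeline would want, as an added example that is not the talk's own files and not Netmaker's code. It assumes a constructed inventory (the demo's New York host at 10.100.0.2 plus two made-up nodes), placeholder key strings in place of the keys a real deployment would produce with `wg genkey` / `wg pubkey`, and documentation-range endpoints; `render_mesh`, `peer_entries` and `audit` are names chosen here, not WireGuard or Netmaker APIs.

```python
"""Full-mesh WireGuard config generator with a pre-push audit.

Added example, not the talk's own config files and not Netmaker code.
Everything below is constructed: the demo's New York host at 10.100.0.2,
two more hosts, placeholder keys (a real deployment would produce them
with `wg genkey` / `wg pubkey`), and documentation-range endpoints.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Device:
    name: str
    private_key: str   # placeholder; in practice this never leaves the device
    public_key: str    # placeholder; this is the value peers need
    address: str       # virtual address on the WireGuard interface
    endpoint: str      # public host:port the device can be reached on
    listen_port: int


# Constructed inventory: the demo's server A plus two more nodes.
DEVICES = [
    Device("nyc", "PRIVKEY_NYC_PLACEHOLDER=", "PUBKEY_NYC_PLACEHOLDER=",
           "10.100.0.2", "203.0.113.10:51820", 51820),
    Device("syd", "PRIVKEY_SYD_PLACEHOLDER=", "PUBKEY_SYD_PLACEHOLDER=",
           "10.100.0.3", "198.51.100.20:51820", 51820),
    Device("fra", "PRIVKEY_FRA_PLACEHOLDER=", "PUBKEY_FRA_PLACEHOLDER=",
           "10.100.0.4", "192.0.2.30:51820", 51820),
]


def render_config(me: Device, devices: list) -> str:
    """Render one wg-quick style wg0.conf for `me`, with every other device as a [Peer]."""
    lines = [
        "[Interface]",
        f"Address = {me.address}/24",
        f"PrivateKey = {me.private_key}",
        f"ListenPort = {me.listen_port}",
        "",
    ]
    for peer in devices:
        if peer.name == me.name:
            continue
        lines += [
            "[Peer]",
            f"# {peer.name}",
            f"PublicKey = {peer.public_key}",
            # A stale Endpoint is tolerated: WireGuard updates a peer's address
            # from the last authenticated packet, so one side being able to
            # reach the other is enough to bring the tunnel up (the demo's
            # misconfigured port still worked for this reason).
            f"Endpoint = {peer.endpoint}",
            # AllowedIPs is the cryptokey routing table: traffic to this /32 is
            # sent to this key, and packets from this key are only accepted if
            # their source address lies inside it. Keep it to the single /32.
            f"AllowedIPs = {peer.address}/32",
            "",
        ]
    return "\n".join(lines)


def render_mesh(devices: list) -> dict:
    """One config per device; each must carry every other device's key and endpoint."""
    return {d.name: render_config(d, devices) for d in devices}


def peer_entries(n: int) -> int:
    """Number of [Peer] sections an n-node full mesh needs: n * (n - 1)."""
    return n * (n - 1)


def audit(configs: dict, devices: list) -> list:
    """Findings to fix before pushing: a private key that leaked into another
    device's file, a missing peer, an overly broad AllowedIPs, or duplicates."""
    findings = []
    if len({d.address for d in devices}) != len(devices):
        findings.append("duplicate tunnel address in inventory")
    if len({d.public_key for d in devices}) != len(devices):
        findings.append("duplicate public key in inventory")
    for name, text in configs.items():
        for other in devices:
            if other.name == name:
                continue
            if other.private_key in text:
                findings.append(f"{name}: contains private key of {other.name}")
            if other.public_key not in text:
                findings.append(f"{name}: missing peer {other.name}")
        for line in text.splitlines():
            if line.startswith("AllowedIPs"):
                net = ipaddress.ip_network(line.split("=", 1)[1].strip())
                if net.prefixlen < 32:
                    findings.append(f"{name}: broad AllowedIPs {net}")
    return findings


if __name__ == "__main__":
    mesh = render_mesh(DEVICES)
    print(mesh["nyc"])
    print("peer entries for 100 devices:", peer_entries(100))
    print("audit:", audit(mesh, DEVICES) or "clean")
```

Each rendered file is what `wg-quick up wg0` would read on that host. The `peer_entries` count is the scaling point from the talk made concrete: two hosts need two peer entries, a hundred need 9900, and every endpoint change or CGNAT move has to be re-rendered and re-pushed everywhere. The audit catches the two mistakes that matter most when these files are generated centrally: a private key copied into the wrong host's file, and an `AllowedIPs` wider than the peer's own address, which would let that peer's key inject packets with other sources.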
So Netmaker is a project that's built on top of WireGuard that is currently on the SSPL license, which is no good. So today we're going to just go ahead and switch that over to Apache. So I'm going to go here and find that pull request. Oh, look, there it is. Hey, Abhishek, is it squash and merge or do I do the other one? Okay. Cool. All right, there we go, Netmaker's open source now. Sounds pretty cool. So thank you guys, happy to answer any questions you might have.

So I, I'm currently using Tailscale. By the way, I'm not terribly network sophisticated, so if this is stupid, make up for it. I use Tailscale currently. I'll be checking this out for sure, but Tailscale has the, so one thing I just noticed is, like, a lot of what I get out of Tailscale is automating all that stuff that you just showed in terms of the config and stuff, and that's cool. But so there's the idea of being able to configure an exit node. Is that about WireGuard or is that some additional magic on the side?

That's a little bit of additional magic. So in that case you're exiting; it's called an exit node because that's where the traffic exits. So it is unencrypted at that point and then forwarded on to wherever you're going from there. So that can be very simple forwarding rules. So for instance, if you're doing this with pure WireGuard, I could have set that up on machine B like I did there. So for instance, it's in a VPC, so I could have added an additional address to that, which is the VPC address, and then put a firewall rule that just says once the traffic gets here, forward it to the VPC, and then device A is now able to reach device B's VPC using that as the exit node. Great, thank you. Any other questions?

If we have time, could you tell us more about the Netmaker? Yeah, I don't, yeah, I didn't want to be like a corporate guy just pushing our own thing.
But yeah, so we're really an automation layer on top of WireGuard meant to do the sort of things that I talked about. So for instance, well, let's talk about the architecture a little bit. So you think about Kubernetes. You have a control plane and you have nodes, and on the control plane you have an API and you're declaratively saying this is what my cluster should look like: this should be created here, this should be created here, this should be changed like this. So we do something very similar, where we have a control plane, which is the server, that also has a nice little UI so you can log in, but you can do it all over API as well. And you create networks inside of that platform. So for instance, you create various subnets and then you create keys for joining the network. Our agent then registers with the network. It generates a private key on the device, sends the public key to the server, so you're never exposing the public key. And then once the agent's running it's able to handle this sort of discovery aspect. So for instance, it reaches out to a STUN endpoint to determine its public endpoint and tells the server, hey, this is where I live, this is where I'm reachable. And then the server pushes that out to all the other devices in the network so they know where to reach it, in addition to the public key. So by default it's creating a mesh VPN. So it's basically a subnet of all of your devices, which could be in multiple clouds, data centers, IoT devices. You have one private subnet where they can all reach each other. But on top of that it adds in things like access controls, where if you think of, you know, that thing with the tunnels there. Where is that? Right, so this is what it's building by network by default, but then you can also say I don't want that tunnel anymore.
Let's click that one off, or that one. So you're able to define which devices have access to which other devices directly. And then you can also do things like you mentioned with an exit node. You declare one machine as an exit node. It then sets up the firewall rules to say, all right, this machine down here is in AWS, I want the other machines in the network to be able to access the VPC, so for the traffic into there. That was all very technical in terms of like practical use cases. I think for 90 percent of people today their use cases tend to be remote access, so it makes setting up a remote access situation very easy. So you put point A, point B, make it exit into that network, boom, you've got remote access using WireGuard. So that's just a simple use case, but it allows you to create, I guess, infinitely complex topologies for your networks.

I have a question on the scalability of WireGuard. Let's say I have 64 hosts and I want a full mesh, so all the hosts can talk with each other. Yeah, would that work by default or are there some tweaks I have to do?

No, it's super efficient on the routing side. So 64 is not even slightly a problem. I think when you start getting into the tens of thousands of devices you might have to think about it a little bit, but yeah, until that point there's not really any concern with scalability. Sure.

What is your feedback regarding issues that you could have, since, because it's built within the kernel, whenever you have an issue it's a bit difficult to identify, compared to other tools which produce classical logs? In my case it is deployed, it works well, but sometimes for strange reasons it fades and I can only solve the problems with a simple restart. Yeah.
Yeah, that's very fair. And so it's worth mentioning, while WireGuard is built into the Linux kernel, and actually they also have a kernel version for Windows, which is really cool, they also have a user space version. So actually that's a decision point that you as the administrator have to make, because the kernel version is more efficient but the user space version is more secure. So for instance Tailscale, they, I believe, by default use a user space implementation of WireGuard. So by doing that you're able to lock down. I'm not really talking about issues with connectivity here, I'm just talking about security. I'd say that's really the main consideration with running kernel WireGuard: you do need to run it in the kernel, which gives you a lot more permissions than maybe you might want, but you can run it in user space as well. Yeah, maybe that didn't answer your question, but just addressing some of the things about kernel versus non-kernel. Sure.

Yeah, and I don't want to, you know, get into too much of a corporate matchup or anything like that, but in general Netmaker is a self-hosted platform. We do also have a SaaS version if you don't like to set up infrastructure, but the real value there is all of the data is on your infrastructure. That's primarily the value. So I know some people, just for compliance reasons, they don't want to have a SaaS running their VPN. So I'd say that's the main thing. The one other thing is, I'd say, we are built for more technical people. I'd say it's much more about configuring exactly how you want your network to be defined. You know, you set ports, you set endpoints if you want, and lots of other little configurations. Whereas I think, maybe, I'm not going to speak for Tailscale or anything, but you know, they definitely have a much nicer, more hide-away-those-aspects user experience, where you don't really have to know what WireGuard is to run it. You're just running a VPN.
So yeah, there's definitely, and there's other products, because I don't want to, you know, put us out there. So like ZeroTier is not built on WireGuard. They have their own protocol, but it is still very efficient. I believe it's built on Noise, which is similar. So they're also a very good one for building these kind of modern VPN type networks, and there's a few others in the space. So, you know, there, I think each one has maybe a little bit of a specialty on what you're focused on. Any other questions? Well, if not, I hope everyone enjoys the rest of the conference, which I think is about done at this point, but I hope you have a good trip home, and thanks for listening to my talk. Thank you.