Managing an internal network
Businesses typically use a VPN to give remote employees access to internal applications and data, or to create a single shared network between multiple office locations. But as a software shop we do not really have an interest in learning about the intricacies of BGP peering, tweaking MTUs, managing Juniper switches, and so forth. We see networking mostly as an inconvenience.
One of the promises of cloud platforms is to reduce server/software maintenance for customers. Tailscale is an example of outsourcing internal networking needs. But while certainly useful, adopting a cloud service also has a few downsides which are often ignored: vendor lock-in, increased costs, and being at the mercy of custom tooling and/or an opinionated workflow.
So, we decided to host our own Wireguard server for internal networking. It is contradictory to first claim managing your own infrastructure is a chore and then proceed to do so anyway, but it largely depends on the technology in question.
First and foremost, we prefer running on bare metal rather than on cloud platforms, so that we keep outright authority over our stack.
Secondly, Wireguard is trivial technology. It takes under a minute to install. From experience, OpenVPN is more difficult to configure and slower in performance. We would not want to manage an OpenVPN instance, but Wireguard is more compact and easy to understand. So we feel confident in hosting our own.
Thirdly, because Wireguard is easy to understand, it is also easy to build software around it. We spent a day or two working on a web management portal that allows folk to generate wireguard client configs, at will, for their own devices. A Tailscale replica of sorts.
The nice thing about this application is that it works with our IdP, Keycloak, which means that anyone with a user account (and the right authorization) can generate client configs.

We also created a DNS server so that peers can find each other easily using internal domain names. For example, when someone creates a wireguard client with the name sander-thinkpad, its internal domain would be sander-thinkpad.wg.kroket.io.
We use CoreDNS for this and point it to a config file containing all the peers. The web-application writes to this file and CoreDNS reloads it periodically.
. {
    whoami
    log
    bind 10.1.0.1
    reload 10s
    hosts {
        10.1.0.2 sander-thinkpad.wg.kroket.io
        10.1.0.3 fastbox.wg.kroket.io
        10.1.0.4 prod.web.wg.kroket.io
    }
}
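The portal's two jobs described above are allocating a tunnel address and rendering two files: a WireGuard client config for the user, and the hosts file that CoreDNS reloads. The following is an added example of that glue, not the kroket.io portal's own code. It uses the subnet, gateway address and zone from the Corefile above; the function names, the key placeholders and the endpoint are assumptions. Real keys would come from `wg genkey | wg pubkey`, which the example does not run.

```python
import ipaddress
import re

# Values from the post: the tunnel subnet, the gateway (WireGuard server and CoreDNS
# bind address) and the internal DNS zone. Everything else here is an assumption.
WG_SUBNET = ipaddress.ip_network("10.1.0.0/24")
GATEWAY = ipaddress.ip_address("10.1.0.1")
DNS_ZONE = "wg.kroket.io"
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def is_valid_peer_name(name: str) -> bool:
    """A peer name must be one or more DNS labels (e.g. 'fastbox' or 'prod.web').
    The name is user input that ends up in the hosts file, so anything else
    (spaces, newlines, '#') is rejected instead of being written out."""
    return 0 < len(name) <= 253 and all(LABEL_RE.fullmatch(l) for l in name.split("."))


def allocate_address(peers: dict) -> str:
    """Return the first unused host address in the tunnel subnet."""
    used = {ipaddress.ip_address(a) for a in peers.values()} | {GATEWAY}
    for host in WG_SUBNET.hosts():
        if host not in used:
            return str(host)
    raise RuntimeError("tunnel subnet exhausted")


def render_client_config(name, address, client_private_key, server_public_key, endpoint):
    """Client-side wg-quick config. AllowedIPs is the tunnel subnet only, so the
    tunnel carries internal traffic and nothing else (split tunnel)."""
    if not is_valid_peer_name(name):
        raise ValueError(f"invalid peer name: {name!r}")
    return (
        "[Interface]\n"
        f"# {name}\n"
        f"PrivateKey = {client_private_key}\n"
        f"Address = {address}/32\n"
        f"DNS = {GATEWAY}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {server_public_key}\n"
        f"Endpoint = {endpoint}\n"
        f"AllowedIPs = {WG_SUBNET}\n"
        "PersistentKeepalive = 25\n"
    )


def render_server_peer(name, address, client_public_key):
    """Server-side [Peer] stanza. The /32 in AllowedIPs is WireGuard's cryptokey
    routing: only packets from this key may carry this source address, so one
    peer cannot claim another peer's address (and hence its hostname)."""
    return (
        "[Peer]\n"
        f"# {name}\n"
        f"PublicKey = {client_public_key}\n"
        f"AllowedIPs = {address}/32\n"
    )


def render_hosts_file(peers: dict) -> str:
    """The file CoreDNS's hosts plugin reloads: one '<ip> <name>.<zone>' line per peer."""
    for name in peers:
        if not is_valid_peer_name(name):
            raise ValueError(f"invalid peer name: {name!r}")
    ordered = sorted(peers.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    return "".join(f"{addr} {name}.{DNS_ZONE}\n" for name, addr in ordered)


if __name__ == "__main__":
    # Constructed sample state: the peers from the Corefile, minus the one we add now.
    peers = {"sander-thinkpad": "10.1.0.2", "fastbox": "10.1.0.3"}
    new_name = "prod.web"
    addr = allocate_address(peers)  # 10.1.0.4, the next free address
    peers[new_name] = addr
    # Placeholder keys; in practice `wg genkey | tee client.key | wg pubkey` on the portal host.
    print(render_client_config(new_name, addr, "CLIENT_PRIVATE_KEY_PLACEHOLDER",
                               "SERVER_PUBLIC_KEY_PLACEHOLDER", "vpn.example.invalid:51820"))
    print(render_server_peer(new_name, addr, "CLIENT_PUBLIC_KEY_PLACEHOLDER"))
    print(render_hosts_file(peers))
```

The name check matters because the hosts file is effectively part of the resolver's configuration: a name containing a newline would otherwise let a user add an arbitrary extra entry. The per-peer /32 on the server side is what ties an address, and therefore a hostname, to a specific key.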
To conclude, we were able to get an internal network going in just a few minutes. We then made a web interface to manage Wireguard, that leverages our SSO.
In the process we saved some money, as the Wireguard gateway runs on a low-cost 500 Mbit/s unmetered VPS, while cloud services typically charge anywhere from $6 to $18 per user.
Of course, our setup does not support all the features that cloud services offer, such as ACLs, extensive network logging, admin device moderation, subnet routers, etc.
Eventually we'll have different networking requirements as business needs change. This may lead to migrating to a cloud service.
For now, we enjoy the flexibility of our "cheap" internal network.