
Stop Using VPNs! Peer-to-Peer Zero-Trust Communication With Twingate 

DevOps Toolkit
77K subscribers
10K views

Published: 26 Sep 2024

Comments: 93
@DevOpsToolkit 1 year ago
Are you using VPNs?
@entelin 1 year ago
I have a problem with people saying "VPNs suck" when all of the solutions to this are also VPNs. What you have a problem with is the management nightmare that simple VPNs become at scale. Twingate and friends build VPNs between endpoints with centralized management, that's it. Obviously useful, especially if the management can be self-hosted, else you're adding an additional company to your sphere of trust. We don't say "nginx sucks" because manual configuration becomes a nightmare at scale.
@entelin 1 year ago
You also mention that "VPNs allow full access to the destination network". That has nothing to do with VPNs, that's firewall policy. Nor do VPNs require you to route all of your internet traffic over them.
@marcin_kulik 1 year ago
I worked for a bank and every environment had a different VPN. With the lots of environments that banks usually have, that is a nightmare.
@athiqurrahman8147 1 year ago
Yes, VPN is still needed. This is a great tool, but it covers a very narrow use case; using this does not mean you can throw VPN away. VPNs are outdated, and I am still waiting for a complete solution that will allow me to get rid of them.
@EE12CSVT 9 months ago
Yes, WireGuard on my router, keys managed on my LAN, with no third-party access.
@50flick 1 year ago
My company has been with Twingate for over 2 years now. I have 1 year of experience with it. It's very good. It makes everything so much easier.
@GottaHache 1 year ago
Great video and overview of Twingate. Big fan of the tool❤
@mcnairymichael 1 year ago
"They are an incarnation of evil" OMG I laughed so hard at that! Thank you, Victor. I needed that!
@milosbuncic9560 1 year ago
This is indeed a really great solution, but one drawback is that once you register your device you cannot remove it from the UI or by sending an API request; you need to open a support request in order for the registered device to be permanently removed from their system. Looking at this fact from a privacy standpoint, I really dislike it.
@badr_mo 1 year ago
Tailscale is usually the go-to when using a mesh VPN. Why are you going for Twingate specifically? Could you please highlight its advantages over Tailscale?
@DevOpsToolkit 1 year ago
I will explore tailscale in one of the following videos and use that opportunity to compare them.
@badr_mo 1 year ago
@DevOpsToolkit I would appreciate it, thanks for your efforts.
@pavelanni 1 year ago
Tailscale is great, I love it
@christianibiri 1 year ago
Awesome! love the examples with "silly" word!
@1879heikkisorsa 1 year ago
Three things prevent me from using it:
1. SSL does not work on a service level (or here called resources) if you terminate it on the gateway as most distributed systems do. Thus when you access an internal web app the browser will show "insecure" and redirect URLs will not comply with OAuth2 standards for production.
2. You would need to serve all applications on port 80 in order to have them available without the port addition. Adding the ports after a FQDN is not user friendly at all and should not be done if you're a serious business.
3. Missing K8s operator.
@cheebadigga4092 1 year ago
I'm not sure if I understand correctly. When you say "you need multiple VPNs for multiple networks", how are "networks" defined exactly? The only situation I can think of right now is site-to-site VPNs, which the end user mostly doesn't even have to know about. But they require administration, of course.
@user-qr4jf4tv2x 3 months ago
I like WireGuard. Anything based on WireGuard is going to be slower due to abstraction. Plus, WireGuard you can self-host, while others paywall you and some are difficult to install. Alternatively you have ZeroTier and zrok. If I just need to tunnel my home server to the web, then rathole.
@shalomcohen122 1 year ago
It's absurd that the VPN had to specify the IP address of the service; if the connector lives in Kubernetes it has access to the service DNS name (the IP address could change and should not be relied upon). Regardless, ports, URLs and other better application features are a basic need for proper application access. The explanation of exchanging IPs and then directly communicating is impossible (both client and service have private IPs and they have to go through a mediator, which can only be the connector, which might do basic routing but traffic still goes through it).
@DevOpsToolkit 1 year ago
That's on me. I used the IP but service name works as well.
@BK-wi6cl 1 year ago
Good explanation by Victor. But I am also doubting that the communication between my laptop (private IP range) goes peer-to-peer to the SVC network (private IP range) of the cluster. The routing would technically still not be possible without the mediator client on the laptop and the Connector which lives in the cluster. I think that all traffic goes first to the mediator, to the public IP of Twingate, and then reaches the SVC network of the cluster. Probably the Connector initiates an outgoing connection to Twingate and the cluster has to allow egress to the Internet.
@BK-wi6cl 1 year ago
Check the "How Twingate works" page and you will see there is a TLS tunnel which goes via a Twingate Relay. So, not really peer-to-peer communication here?
@DevOpsToolkit 1 year ago
@BK-wi6cl yeah. I should have explained it better.
@Artazar77 1 year ago
Teleport ( reviewed in ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-zVEbml1IAOQ.html ) also has a similar capability: if you dedicate a DNS zone to it with wildcard records, you can expose any k8s internal app with ClusterIP service and no ingress, use a DNS name inside this zone, and authenticate with Teleport to access it. Teleport is OSS and self-managed. Of course you must expose Teleport itself, which makes it a critical bastion point, but for the rest of the needs it fits well.
@stefans.9981 1 year ago
Thanks a lot for the interesting video. One question though: how does this compare to Cloudflare Zero Trust solutions? I assume from a security perspective Cloudflare is perhaps even more robust than Twingate. Do these zero trust solutions also allow script access to a service, or do they always need a human in front of it to pass the login?
@DevOpsToolkit 1 year ago
Anything allowed to access such services can access them. That can be humans or processes.
@DevOpsToolkit 1 year ago
I forgot to comment on your request for Cloudflare. I'm putting it on my to-do list and will explore it in more depth in one of the upcoming videos. I'll use that opportunity to compare it to Twingate.
@stefans.9981 1 year ago
@DevOpsToolkit Thanks a lot. Btw, inspired by your video I also found OpenZiti, which seems to be quite similar to Twingate but fully open source and with an Apache 2.0 license. So at first glance maybe a self-hosted alternative.
@siarheimakarevich4944 11 months ago
@DevOpsToolkit man, really??? You are deleting my comments about Cloudflare Zero Trust??
@DevOpsToolkit 11 months ago
@siarheimakarevich4944 I never deleted a single comment. However, RU-vid itself sometimes deletes those it thinks are spam. Those are often comments with links. If your comments had a link, that is likely the issue and you can repost it without the link. If the link is important, feel free to DM me on Twitter or LinkedIn and I'll post it myself. I'd love to give you a better answer or to prevent comment deletion but, as far as I know, channel owners do not have a say in what RU-vid chooses to remove.
@olivierfournier3120 1 year ago
Thank you very much for this great overview of the tool. I'm so glad you brought the point about the lack of a self-hosted solution. Personally I would never take the risk of using SaaS solutions for such security centric functionalities, even for my personal infrastructure. Any self-hosted alternative already known to you?
@philipgriffiths5779 1 year ago
@olivierfournier3120 OpenZiti. It's open source and self-hosted. It can also be used for 'east-west' traffic where Twingate only does 'north-south'.
@DevOpsToolkit 1 year ago
Those that I used are all SaaS so I'm not sure what to recommend as a self-managed choice.
@olivierfournier3120 1 year ago
@DevOpsToolkit I did some short research, but didn't find any potential alternative. Hopefully Twingate will hear our voice, us security paranoid guys 😂
@robertfichtinger 1 year ago
Is OpenZiti a self-hosted alternative?
@philipgriffiths5779 1 year ago
@robertfichtinger Yes, with differences. OpenZiti, like Twingate (TW), is a zero trust overlay network which cares about connecting "services" with ZTN concepts, including least privilege, micro-segmentation, and attribute-based access etc., while being 'closed-by-default'. This is different to anything WireGuard, which connects hosts and is 'open-by-default'. Differences between them incl. (1) OpenZiti is open source and can be self-hosted, (2) Ziti can do 'north-south', like TW, while also being able to apply ZTN to 'east-west' traffic in a local LAN... in fact, Ziti has no concept of client or server (TW does), any endpoint can host or connect to any other service, (3) OpenZiti has richer endpoints incl. SDKs which can be compiled into apps, serverless, edge/IoT and even clientless endpoints, (4) under the hood, Ziti and TW may have some architectural differences (e.g., I am pretty sure TW is P2P whereas Ziti has a smart routing mesh network).
@dirien 1 year ago
I felt your aversion against VPNs! In my former workplaces it was a pain too!
@Fayaz-Rehman 1 year ago
Thanks for the video.
@jetersen 1 year ago
@DevOpsToolkit The create UI for a resource has a section called ports; if you look to the right of the address, perhaps that would fix your issue with the port? :D I believe you can also enter the Kubernetes service's fully qualified domain name instead of typing out the IP. The docs say it supports CIDR ranges too, so you could have typed the entire Kubernetes cluster CIDR range 😅 The port section will also restrict the ports that are accessible; otherwise, by default, Twingate allows all TCP and UDP ports.
@DevOpsToolkit 1 year ago
You're right. It can be the service name as well. The last time I used it, there were no ports. I know they were working on adding it though, so you're probably looking at a newer version.
@Alexander-yu9uy 1 year ago
Looks similar to Teleport. Did you have a chance to try it? If yes, how do you compare Teleport to Twingate?
@DevOpsToolkit 1 year ago
Teleport is in a similar domain as Twingate and I already have it on my to-do list to compare them.
@philipgriffiths5779 1 year ago
Teleport operates at L7 and gives capabilities such as recording commands etc. Twingate, Tailscale, OpenZiti etc all operate at L3/4 on the wire.
@crikxouba 1 year ago
What software do you use for your editing and graphics?
@DevOpsToolkit 1 year ago
I'm sending raw material to an agency that does editing and everything else, so I'm not sure. Back when I was doing it myself, I used Final Cut Pro.
@SethCooper-g9c 1 year ago
How are you handling TLS termination so you don't get HTTPS errors with your aliases in this setup? I thought of using ingresses and cert-manager to sign Let's Encrypt certs but, to your point, this isn't entirely necessary.
@DevOpsToolkit 1 year ago
You can register TLS certs for aliases if they are based on company domains.
@marcin_kulik 1 year ago
Thanks, great video as always. What is your opinion on the use of personal VPNs like NordVPN to increase security etc.? Opinions seem to be divided on the subject.
@DevOpsToolkit 1 year ago
I think personal VPNs are too risky. Many providers are in the business of sniffing and selling data. So, you might be more protected from outsiders but exposed to the VPN provider. I might be completely wrong though. I used one of them only briefly while I was in China since that's probably the only way to avoid their restrictions.
@marcin_kulik 1 year ago
Good point, this is probably a question of where the higher risk is, would that be the outsiders or the VPN provider :)
@marcin_kulik 1 year ago
And Now for Something Completely Different: Will there be any more "Ask Me Anything" or any other sessions for random questions etc?
@DevOpsToolkit 1 year ago
I haven't organized an AMA session in a long while. I have had too many things on my plate for months now and the rest of the year will be very packed, so I'm not sure. Starting from 2024 I will lower the number of tasks I commit to, so that might be the time to restart AMA.
@FURIArts 1 year ago
Would you recommend Twingate over ZeroTier? Have you tried ZeroTier yet? From my understanding both services are kind of similar, but ZeroTier allows more nodes on the free plan.
@DevOpsToolkit 1 year ago
I have only superficial experience with ZeroTier so I cannot compare them 😔
@thiagoscodeler5152 1 year ago
Thanks for the great content. Suggestion for a video: Terraform Business Source License, OpenTF and impacts
@DevOpsToolkit 1 year ago
It's hard for me to make such a video as my own choice. I am deeply involved with Crossplane and some people might consider Terraform a competitor (even though I do not think it is). As such, I might be branded as biased and intentionally going after the competition. So, I am trying to avoid such subjects, except when someone asks me directly in a live stream, conference, a chat, etc.
@thiagoscodeler5152 1 year ago
@DevOpsToolkit Got it. I totally agree with you. In your case, dealing directly with Crossplane, it is hard to talk about that subject. Anyway, thanks for being so transparent... I really enjoy your channel.
@gal910 1 year ago
How does it compare to Gravitational Teleport?
@DevOpsToolkit 1 year ago
They are similar. For me, the major difference is simplicity and speed.
@liman11 4 months ago
Do I need to have public IP?
@DevOpsToolkit 4 months ago
With Twingate you do.
@DennisHaney 1 year ago
Can you make a video for the opposite problem? We have an internal cluster, but want a webhook callable from the internet.
@DevOpsToolkit 1 year ago
What do you mean by "webhook callable from the Internet"? Do you mean access to that cluster or a resource inside that cluster from outside (from the Internet)? If that's the case, that should work without a problem (that I'm aware of) with Twingate.
@DennisHaney 1 year ago
@DevOpsToolkit For example, Argo CD can have a webhook that GitHub calls on commits.
@typicalaimster 1 year ago
Looks like another Tailscale/WireGuard solution. Especially when you click the pricing tab!
@philipgriffiths5779 1 year ago
Twingate and other zero trust solutions are focused on connecting services, rather than hosts while being 'open-by-default' rather than closed. They do not natively do least privilege, micro-segmentation, and attribute-based access etc. Tailscale does have ACLs but this is not quite the same and I hear does not scale well.
@impaque 1 year ago
@philipgriffiths5779 Can you tell us where you heard/read that about Tailscale scaling?
@impaque 1 year ago
Tailscale price is way lower and it has much, much more features. There is also a 100% open source (server) version called Headscale.
@philipgriffiths5779 1 year ago
@impaque Tailscale is lower cost than Twingate? I don't understand atm what is cheaper/better featured than what. I am aware of Headscale, and I understand (please correct me if wrong) that it does not have feature parity with Tailscale in many ways.
@ahn_buguei 7 months ago
Any self-hosted alternative?
@DevOpsToolkit 7 months ago
I think they introduced a self-hosted version in the meantime. I might be wrong, so better double-check it.
@ahn_buguei 7 months ago
@DevOpsToolkit Thanks! Btw, your channel is very good.
@MichaelDodwell 1 year ago
What about access to non-web services like DBs?
@DevOpsToolkit 1 year ago
No problem.
@MichaelDodwell 1 year ago
The client for access is browser-based though; how does it work for allowing, say, MySQL CLI access?
@DevOpsToolkit 1 year ago
@MichaelDodwell it will work if that CLI is running on the machine where the client is running.
@MichaelDodwell 1 year ago
Currently using Pomerium for zero trust. If this can do MongoDB and SQL access, it might be worth the switch.
@microst99 1 year ago
@8:13 Were ?! Ahem.. xD Many thanks for the video !
@schwerkopf 1 year ago
first^^
@julianomoraisbarbosa 1 year ago
# til
@natachinhas 1 year ago
Pidgeons > VPN 🤣🤣🤣
@impaque 1 year ago
Closed-source VPN with such limiting free tier? No and no, hard pass.
@nyk077 1 year ago
Man, you destroy years of VPNs in just some minutes 😂
@marcin_kulik 1 year ago
Can Twingate be only controlled via UI? Or can we use GitOps too?
@DevOpsToolkit 1 year ago
It can also be used through their API. Since GitOps tools are focused on managing Kubernetes resources, you would need to wrap it into a controller with a CRD or call the API from Kubernetes Jobs.
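Added illustration of the controller/Job pattern described in the reply above, and of the port allow-list point raised earlier in the thread. This is example code written for this page, not Twingate's code or API: the admin API is hypothetical and stood in for by an in-memory `FakeAdminApi`, the resource fields (name, address, TCP/UDP ports) are assumptions, and the desired state is what a GitOps repository would declare. The reconcile loop diffs desired against actual state and refuses to push any resource that has no port restriction at all, which is the "all TCP and UDP ports" default a commenter warns about.

```python
"""GitOps-style reconciliation of zero-trust access resources.

Added example, not Twingate's code. The admin API is hypothetical and is
modelled by FakeAdminApi; a real controller or Kubernetes Job would swap in
the vendor's client. DESIRED is the state you would keep under version control.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """One protected resource: an address plus an explicit port allow-list (assumed schema)."""
    name: str
    address: str            # hostname, service FQDN, IP or CIDR
    tcp_ports: tuple = ()   # empty tuple means "all ports", the default the thread warns about
    udp_ports: tuple = ()


class FakeAdminApi:
    """In-memory stand-in for a hypothetical admin API (constructed for this example)."""

    def __init__(self, existing):
        self._store = {r.name: r for r in existing}

    def list_resources(self):
        return list(self._store.values())

    def create(self, resource):
        self._store[resource.name] = resource

    def update(self, resource):
        self._store[resource.name] = resource

    def delete(self, name):
        del self._store[name]


def plan(desired, actual):
    """Diff desired vs. actual state the way a controller's reconcile loop would."""
    desired_by = {r.name: r for r in desired}
    actual_by = {r.name: r for r in actual}
    create = [r for n, r in desired_by.items() if n not in actual_by]
    update = [r for n, r in desired_by.items() if n in actual_by and actual_by[n] != r]
    delete = [n for n in actual_by if n not in desired_by]
    return create, update, delete


def wide_open(resources):
    """Names of resources whose definition leaves every TCP and UDP port reachable."""
    return [r.name for r in resources if not r.tcp_ports and not r.udp_ports]


def reconcile(api, desired, dry_run=False):
    """Apply the plan; refuse to push a resource that carries no port restriction."""
    offenders = wide_open(desired)
    if offenders:
        raise ValueError(f"resources without a port allow-list: {offenders}")
    create, update, delete = plan(desired, api.list_resources())
    if not dry_run:
        for r in create:
            api.create(r)
        for r in update:
            api.update(r)
        for n in delete:
            api.delete(n)
    return {
        "create": [r.name for r in create],
        "update": [r.name for r in update],
        "delete": delete,
    }


# Constructed sample data: what a git repository would declare ...
DESIRED = [
    Resource("silly-demo", "silly-demo.default.svc.cluster.local", tcp_ports=(8080,)),
    Resource("postgres", "10.0.5.0/24", tcp_ports=(5432,)),
]
# ... and what the (fake) admin API currently holds, including a hand-made leftover.
EXISTING = [
    Resource("silly-demo", "10.96.12.34"),                          # all ports open
    Resource("legacy-jenkins", "jenkins.internal", tcp_ports=(8080,)),
]


if __name__ == "__main__":
    api = FakeAdminApi(EXISTING)
    print("wide open before reconcile:", wide_open(api.list_resources()))
    print("applied:", reconcile(api, DESIRED))
```

Run inside a Kubernetes Job on a schedule, `reconcile(api, DESIRED, dry_run=True)` gives the drift report for a pull request, and the non-dry-run call is the "apply" step; the `wide_open` check is the place to hang any further policy lint (for example, rejecting a bare cluster CIDR as an address).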