dark API endpoint / two layer vpn

Open aep opened this issue 1 year ago • 1 comments

We're looking into contributing the following feature:

Currently the API endpoint to bootstrap the VPN is on the public Internet. WireGuard has the huge advantage that it's invisible until you know the key. With NetBird we're losing that.

Let's Encrypt is easily tricked into breaking TLS for any MITM, so we use mTLS or pinning for security-related things. https://notes.valdikss.org.ru/jabber.ru-mitm/

Ideally we'd have the ability to hide the entire API behind WireGuard itself, which avoids a whole category of issues. But it would involve a two-stage login where some services (like login) need to be available to a user before OAuth.

There are some solutions we can come up with if there's a general willingness to accept a PR for it.

aep, Apr 16 '24 06:04

@aep we would love to discuss your concerns and feature proposal. Would you join our Slack workspace and reach out?

mlsmaycon, Apr 16 '24 06:04