I think technologies like WireGuard are going to play an important role in reducing that complexity (once we get some higher abstractions). I started a list of useful software I've found in this space here[1].
Something I've yet come up with a good solution for that I feel should be much more common and simple, maybe you can point me to the right direction for (and maybe the answer is iptables, urgh):
(Containerized) P2P software that should be routed through some other endpoint before reaching/beaing reachable from the network.
Example: Bitcoin full node or Bittorrent node running in a Docker container on one of my home servers (where the host runs other software too). For all intents and purposes I want the nodes to route traffic through a VPS in some other DC (in this case bridged via wireguard). Incoming's easy enough with reverse proxies/load balancers, but with all the UDP traffic on random ports, outgoing TCP connections, etc, I haven't figured out a way to make it not leak my IP in some way.
Feels this should be dead easy but I'm stumped. Oh, and assume no support of SOCKS proxies in the software itself.
I'm aware of hidden onion services but talking clearnet here.
Failing that, you're probably stuck with iptables and maybe Linux namespaces.
If there is a certbot plugin [1] for your DNS provider's API then renewal of TLS certs is a matter of a single cronjob with some hooks for other services. I set it up 18 months ago and it has never failed to renew.
[1] https://certbot.eff.org/docs/using.html?highlight=dns#dns-pl...
Your GitHub list is super handy. :)
Wireguard is simple point-to-point, I have an iptables rule that masquarades the tunnel interface to the internal interface of the 'vpn server' but it's all so simple that don't feel bad at all that someone down the road will inherit this system and have to mange it. It's obvious, the stuff I wrote around it is simple enough to grok in an hour, and that's a world of difference from openvpn, where you can easily deploy it with some ansible-galaxy role, but actually maintaining it for 200+ devs requires you to actually undersand it which is a different thing.
I'm not really contributing anything here, apart from -- everywhere I've used wireguard I feel better for it. If you're weighing up options, I suggest you go wg. :}
The only issue I've had is adding a 3rd client. My windows desktop just will not connect. Another Windows laptop, and an Android work perfectly.
I may be completely wrong here since I’ve used Algo only a few times, and that was quite sometime ago. One difference I see with this is the creation of new user profiles every time it’s run. Algo, in my limited use, seems to be geared for one user profile (or creating user profiles on setup and not later?).
It would be great to see this integrated with Algo.
I'm been writing wg-access-server[1] which is an open source all-in-one solution for getting a wireguard based VPN server up and running.
There are a few others i've come across as well: streisand[2], wg-ui[3], subspace[4]
If you like, i'd be happy to hear about your use-cases and see if I can fit them into wg-access-server :D
[1] https://github.com/Place1/wg-access-server [2] https://github.com/StreisandEffect/streisand [3] https://github.com/EmbarkStudios/wg-ui [4] https://github.com/subspacecloud/subspace
There's a few rough edges if you wander off from the simplest use case and a few nice-to-have features that I'm sure will show up in due course, but the core product nails it IMO.
So basically, something to replace this (as an example): https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gatew...
But yeah, maybe the real answer is "iptables" and I just have to step up my game a bit to grok it.