I was reading a blog post ~6 months ago; details are sparse in my head, but it was some sort of cloud compute company that used userspace WireGuard so users could SSH into the virtual infrastructure. Keys were managed so users didn't have to manage a system WireGuard.
This reminded me of my Bitbucket CI/CD, which didn't have any way to connect into our internal infrastructure to drop off built artifacts. Bitbucket runs their Docker containers in a way that blocks you from being able to run WireGuard or ZeroTier.
One weekend I played around with the Python bindings to ZeroTier, and their "public" networks, to create a proxy client that SSH could use, given an SSH private key and ZeroTier network ID, to (in userspace) SSH to a remote server behind our firewall via ZeroTier.
I haven't used it in production yet, but it seemed to work in my tests. Now they have Bitbucket build clients you can run on your own infrastructure, so maybe that would allow us to do those builds from inside our network, so we could push things to our deploy servers.
We do more now. Our CLI uses the stack to talk to remote Docker daemons for builds, NATS for log streaming, a private DNS service, etc. It's very handy.
Ooh, thanks for the pointer! Fellow HNers: Check out that blog post. It kind of blew my mind, very clever use of user-mode VPN! Got my mind racing a bit coming up with ways I could do something similar.