I have a problem with people saying "VPNs suck" when all of the solutions to this are also VPNs. What you have a problem with is the management nightmare that simple VPNs become at scale. Twingate and friends build VPNs between endpoints with centralized management, that's it. Obviously useful, especially if the management can be self-hosted, else you're adding an additional company to your sphere of trust. We don't say "nginx sucks" because manual configuration becomes a nightmare at scale.
@entelin 1 year ago
You also mention that "VPNs allow full access to the destination network". That has nothing to do with VPNs, that's firewall policy. Nor do VPNs require you to route all of your internet traffic over them.
@marcin_kulik 1 year ago
I worked for a bank, and every environment had a different VPN. With the many environments that banks usually have, that is a nightmare.
@athiqurrahman8147 1 year ago
Yes, VPN is still needed. This is a great tool, but it covers a very narrow use case; using this doesn't mean you can throw VPN away. VPNs are outdated, and I am still waiting for a complete solution that will allow me to get rid of them.
@EE12CSVT 11 months ago
Yes, WireGuard on my router, keys managed on my LAN, with no 3rd-party access.
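Added example (editor's, not from any commenter above): the self-hosted WireGuard setup the last two comments describe, showing in concrete terms the point made earlier in the thread that "full network access" and "route everything through the tunnel" are policy choices, not properties of a VPN. Client-side AllowedIPs gives a split tunnel, server-side AllowedIPs is cryptokey routing (one /32 per peer so nobody can spoof another peer's tunnel address), and an nftables forward chain decides what an authenticated peer may actually reach. Subnets, hostnames, interface name and the PLACEHOLDER keys are assumptions; generate real keys with `wg genkey | tee server.key | wg pubkey > server.pub`.

```shell
#!/bin/sh
# Editor's added example: least-privilege self-hosted WireGuard.
# All addresses and names below are assumed, keys are placeholders.
WG_TUNNEL_NET="10.8.0.0/24"   # tunnel addresses handed to peers
LAN_SERVICES="10.0.1.0/24"    # internal range that should go via the tunnel
DB_HOST="10.0.1.10"           # the one service this peer is allowed to reach

# Client config. AllowedIPs here is what the client ROUTES into the tunnel:
# only the internal range, so normal internet traffic stays on the default
# route (split tunnel). Writing 0.0.0.0/0 instead would make it a full tunnel.
gen_client_conf() {
  # $1 client private key, $2 client tunnel address, $3 server pubkey, $4 endpoint
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = $LAN_SERVICES
PersistentKeepalive = 25
EOF
}

# Server-side peer entry. Here AllowedIPs is cryptokey routing: the only
# source address the server accepts from packets decrypted with this key.
# A /32 per peer means peer A cannot send traffic claiming to be peer B.
gen_server_peer() {
  # $1 client pubkey, $2 client tunnel address
  cat <<EOF
[Peer]
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# Firewall policy on the VPN server. WireGuard only answers "who is this?";
# what they may reach is decided here. Peer $1 gets $2:$3 and nothing else;
# every other packet forwarded off wg0 is counted and dropped.
gen_nft_rules() {
  # $1 peer tunnel address, $2 service host, $3 TCP port
  cat <<EOF
table inet wg_policy {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "wg0" ip saddr $1 ip daddr $2 tcp dport $3 accept
    iifname "wg0" counter drop
  }
}
EOF
}

# Stand-alone run: print the three artefacts for one example peer.
gen_client_conf CLIENT_PRIVATE_KEY_PLACEHOLDER 10.8.0.2 SERVER_PUBLIC_KEY_PLACEHOLDER vpn.example.net:51820
echo
gen_server_peer CLIENT_PUBLIC_KEY_PLACEHOLDER 10.8.0.2
echo
gen_nft_rules 10.8.0.2 "$DB_HOST" 5432
```

Load the nftables ruleset with `nft -f` on the server and keep `policy drop` on the forward chain; adding a second allowed service is one more `accept` line, which is the per-peer, per-port policy the thread argues a VPN can give you without any SaaS control plane.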
@milosbuncic9560 1 year ago
This is indeed a really great solution, but one drawback is that once you register your device you cannot remove it from the UI or by sending an API request; you need to open a support request in order for the registered device to be permanently removed from their system. Looking at this from a privacy standpoint, I really dislike it.
@50flick 1 year ago
My company has been with Twingate for over 2y now. I have 1y of experience with it. It's very good... makes everything so much easier.
@badr_mo 1 year ago
Tailscale is usually the go-to when using a mesh VPN. Why are you going for Twingate specifically? Could you please highlight its advantages over Tailscale?
@DevOpsToolkit 1 year ago
I will explore Tailscale in one of the following videos and use that opportunity to compare them.
@badr_mo 1 year ago
@DevOpsToolkit I would appreciate it, thanks for your efforts.
@pavelanni 1 year ago
Tailscale is great, I love it.
@1879heikkisorsa 1 year ago
Three things prevent me from using it: 1. SSL does not work on a service level (or here called resources) if you terminate it on the gateway as most distributed systems do. Thus, when you access an internal web app the browser will show "insecure" and redirect URLs will not comply with OAuth2 standards for production. 2. You would need to serve all applications on port 80 in order to have them available without the port addition. Adding the ports after a FQDN is not user-friendly at all and should not be done if you're a serious business. 3. Missing K8s operator.
@Artazar77 1 year ago
Teleport (reviewed in kzbin.info/www/bejne/sIeok6CiZq50hbM) also has a similar capability: if you dedicate a DNS zone to it with wildcard records, you can expose any k8s internal app with a ClusterIP service and no ingress, use a DNS name inside this zone, and authenticate with Teleport to access it. Teleport is OSS and self-managed. Of course you must expose Teleport itself, which makes it a critical bastion point, but for the rest of the needs it fits well.
@user-qr4jf4tv2x 5 months ago
I like WireGuard. Anything based on WireGuard is going to be slower due to abstraction. Plus, WireGuard you can self-host, while others paywall you and some are difficult to install. Alternatively you have ZeroTier and zrok. If I just need to tunnel my home server to the web, then rathole.
@jetersen 1 year ago
@DevOpsToolkit the create UI for a resource has a section called ports; if you look to the right of address, perhaps that would fix your issue with the port? :D I believe you can also enter the Kubernetes service's fully qualified domain name instead of typing out the IP. The docs say it supports CIDR ranges too, so you could have typed the entire Kubernetes cluster CIDR range 😅 The port section will also restrict the ports that are accessible; otherwise, by default Twingate allows all TCP and UDP ports.
@DevOpsToolkit 1 year ago
You're right. It can be the service name as well. The last time I used it, there were no ports. I know they were working on adding it though, so you're probably looking at a newer version.
@Alexander-yu9uy 1 year ago
Looks similar to Teleport. Did you have a chance to try it? If yes, how do you compare Teleport to Twingate?
@DevOpsToolkit 1 year ago
Teleport is in a similar domain as Twingate and I already have it on my to-do list to compare them.
@philipgriffiths5779 1 year ago
Teleport operates at L7 and gives capabilities such as recording commands etc. Twingate, Tailscale, OpenZiti etc. all operate at L3/4 on the wire.
@cheebadigga4092 1 year ago
I'm not sure if I understand correctly. When you say "you need multiple VPNs for multiple networks", how are "networks" defined exactly? The only situation I can think of right now is site-to-site VPNs, which the end user mostly doesn't even have to know about. But they require administration, of course.
@stefans.9981 1 year ago
Thanks a lot for the interesting video. One question though: how does this compare to Cloudflare zero trust solutions? I assume from a security perspective Cloudflare is perhaps even more robust than Twingate. Do these zero trust solutions also allow script access to a service, or do they always need a human in front of it to pass the login?
@DevOpsToolkit 1 year ago
Anything allowed to access such services can access them. That can be humans or processes.
@DevOpsToolkit 1 year ago
I forgot to comment on your request for Cloudflare. I'm putting it on my to-do list and will explore it in more depth in one of the upcoming videos. I'll use that opportunity to compare it to Twingate.
@stefans.9981 1 year ago
@DevOpsToolkit Thanks a lot. Btw, inspired by your video I also found OpenZiti, which seems to be quite similar to Twingate but fully open source and with an Apache 2.0 license. So at first glance maybe a self-hosted alternative.
@siarheimakarevich4944 1 year ago
@DevOpsToolkit man rly??? you are deleting my comments about Cloudflare Zero Trust??
@DevOpsToolkit 1 year ago
@siarheimakarevich4944 I never deleted a single comment. However, KZbin itself sometimes deletes those it thinks are spam. Those are often comments with links. If your comments had a link, that is likely the issue and you can repost it without the link. If the link is important, feel free to DM me on Twitter or LinkedIn and I'll post it myself. I'd love to give you a better answer or to prevent comment deletion but, as far as I know, channel owners do not have a say in what KZbin chooses to remove.
@mcnairymichael 1 year ago
"They are an incarnation of evil" OMG I laughed so hard at that! Thank you, Victor. I needed that!
@crikxouba 1 year ago
What software do you use for your editing and graphics?
@DevOpsToolkit 1 year ago
I'm sending raw material to an agency that does editing and everything else, so I'm not sure. Back when I was doing it myself, I used Final Cut Pro.
@dirien 1 year ago
I felt your aversion to VPNs! In my former workplaces it was a pain too!
@christianibiri 1 year ago
Awesome! Love the examples with the "silly" word!
@GottaHache 1 year ago
Great video and overview of Twingate. Big fan of the tool ❤
@FURIArts 1 year ago
Would you recommend Twingate over ZeroTier? Have you tried ZeroTier yet? From my understanding both services are kind of similar, but ZeroTier allows more nodes on the free plan.
@DevOpsToolkit 1 year ago
I have only superficial experience with ZeroTier, so I cannot compare them 😔
@olivierfournier3120 1 year ago
Thank you very much for this great overview of the tool. I'm so glad you brought up the point about the lack of a self-hosted solution. Personally I would never take the risk of using SaaS solutions for such security-centric functionality, even for my personal infrastructure. Any self-hosted alternative already known to you?
@philipgriffiths5779 1 year ago
@olivierfournier3120 OpenZiti. It's open source and self-hosted. It can also be used for 'east-west' traffic, where Twingate only does 'north-south'.
@DevOpsToolkit 1 year ago
Those that I used are all SaaS, so I'm not sure what to recommend as a self-managed choice.
@olivierfournier3120 1 year ago
@DevOpsToolkit I did some short research, but didn't find any potential alternative. Hopefully Twingate will hear our voice, us security-paranoid guys 😂
@robertfichtinger 1 year ago
Is OpenZiti a self-hosted alternative?
@philipgriffiths5779 1 year ago
@robertfichtinger Yes, with differences. OpenZiti, like Twingate (TW), is a zero trust overlay network which cares about connecting "services" with ZTN concepts, including least privilege, micro-segmentation, and attribute-based access etc., while being 'closed-by-default'. This is different to anything WireGuard, which connects hosts and is 'open-by-default'. Differences between them incl. (1) OpenZiti is open source and can be self-hosted, (2) Ziti can do 'north-south', like TW, while also being able to apply ZTN to 'east-west' traffic in a local LAN... in fact, Ziti has no concept of client or server (TW does); any endpoint can host or connect to any other service, (3) OpenZiti has richer endpoints incl. SDKs which can be compiled into apps, serverless, edge/IoT and even clientless endpoints, (4) under the hood, Ziti and TW may have some architectural differences (e.g., I am pretty sure TW is P2P whereas Ziti has a smart routing mesh network).
@marcin_kulik 1 year ago
And now for something completely different: will there be any more "Ask Me Anything" or any other sessions for random questions etc.?
@DevOpsToolkit 1 year ago
I haven't organized an AMA session in a long while. I have had too many things on my plate for months now and the rest of the year will be very packed, so I'm not sure. Starting from 2024 I will lower the number of tasks I commit to, so that might be the time to restart AMA.
@gal910 1 year ago
How does it compare to Gravitational Teleport?
@DevOpsToolkit 1 year ago
They are similar. For me, the major difference is simplicity and speed.
@marcin_kulik 1 year ago
Thanks, great video as always. What is your opinion on the use of personal VPNs like NordVPN to increase security etc.? Opinions seem to be divided on the subject.
@DevOpsToolkit 1 year ago
I think personal VPNs are too risky. Many providers are in the business of sniffing and selling data. So, you might be more protected from outsiders but exposed to the VPN provider. I might be completely wrong though. I used one of them only briefly while I was in China, since that's probably the only way to avoid their restrictions.
@marcin_kulik 1 year ago
Good point, this is probably the question of where the higher risk is, whether that is the outsiders or the VPN provider :)
@SethCooper-g9c 1 year ago
How are you handling TLS termination so you don't get HTTPS errors with your aliases in this setup? I thought of using ingresses and cert-manager to sign Let's Encrypt certs but, to your point, this isn't entirely necessary.
@DevOpsToolkit 1 year ago
You can register TLS certs for aliases if they are based on company domains.
@DennisHaney 1 year ago
Can you make a video for the opposite problem? We have an internal cluster, but want a webhook callable from the internet.
@DevOpsToolkit 1 year ago
What do you mean by "webhook callable from the Internet"? Do you mean access to that cluster or a resource inside that cluster from outside (from the Internet)? If that's the case, that should work without a problem (that I'm aware of) with Twingate.
@DennisHaney 1 year ago
@DevOpsToolkit For example, Argo CD can have a webhook that GitHub calls on commits.
@marcin_kulik 1 year ago
Can Twingate only be controlled via the UI? Or can we use GitOps too?
@DevOpsToolkit 1 year ago
It can also be used through their API. Since GitOps tools are focused on managing Kubernetes resources, you would need to wrap it into a controller with a CRD or use the API with Kubernetes Jobs.
@typicalaimster 1 year ago
Looks like another Tailscale/WireGuard solution. Especially when you click the pricing tab!
@philipgriffiths5779 1 year ago
Twingate and other zero trust solutions are focused on connecting services, rather than hosts, while being 'open-by-default' rather than closed. They do not natively do least privilege, micro-segmentation, and attribute-based access etc. Tailscale does have ACLs but this is not quite the same and I hear does not scale well.
@impaque 1 year ago
@philipgriffiths5779 can you tell us where you heard/read that about Tailscale scaling?
@impaque 1 year ago
Tailscale's price is way lower and it has much, much more features. There is also a 100% open source (server) version called Headscale.
@philipgriffiths5779 1 year ago
@impaque Tailscale is lower cost than Twingate? I don't understand atm what is cheaper/better featured than what. I am aware of Headscale, and I understand (please correct me if wrong) that it does not have feature parity with Tailscale in many ways.
@shalomcohen122 1 year ago
It's absurd that the VPN had to specify the IP address of the service; if the connector lives in Kubernetes it has access to the service DNS name (the IP address could change and should not be relied upon). Regardless, ports, URLs and other application-level options are a basic need for proper application access. The explanation of exchanging IPs and then directly communicating is impossible (both client and service have private IPs and they have to go through a mediator, which can only be the connector, which might do basic routing but traffic still goes through it).
@DevOpsToolkit 1 year ago
That's on me. I used the IP, but the service name works as well.
@BK-wi6cl 1 year ago
Good explanation by Victor. But I am also doubting that the communication between my laptop (private IP range) goes peer-to-peer to the SVC network (private IP range) of the cluster. The routing would technically still not be possible without the mediator client on the laptop and the connector which lives in the cluster. I think that all traffic goes first to the mediator, to the public IP of Twingate, and then reaches the SVC network of the cluster. Probably the connector initiates an outgoing connection to Twingate and the cluster has to allow egress to the Internet.
@BK-wi6cl 1 year ago
Check the "How Twingate works" and you will see there is a TLS tunnel which goes via a Twingate relay. So, not really a peer-to-peer communication here?
@DevOpsToolkit 1 year ago
@BK-wi6cl yeah. I should have explained it better.
@thiagoscodeler5152 1 year ago
Thanks for the great content. Suggestion for a video: Terraform Business Source License, OpenTF and impacts.
@DevOpsToolkit 1 year ago
It's hard for me to make such a video as my own choice. I am deeply involved with Crossplane and some people might consider Terraform a competitor (even though I do not think it is). As such, I might be branded as biased and intentionally going after the competition. So, I am trying to avoid such subjects, except when someone asks me directly in a live stream, conference, a chat, etc.
@thiagoscodeler5152 1 year ago
@DevOpsToolkit got it. I totally agree with you. In your case, dealing directly with Crossplane, it is hard to talk about that subject. Anyway, thanks for being so transparent... I really enjoy your channel.
@nyk077 1 year ago
Man, you destroyed years of VPNs in just some minutes 😂
@liman11 6 months ago
Do I need to have a public IP?
@DevOpsToolkit 6 months ago
With Twingate you do.
@ahn_buguei 9 months ago
Any self-hosted alternative?
@DevOpsToolkit 9 months ago
I think they introduced a self-hosted version in the meantime. I might be wrong, so better double check it.
@ahn_buguei 9 months ago
@DevOpsToolkit thanks! Btw, your channel is very good.
@Fayaz-Rehman 1 year ago
Thanks for the video.
@MichaelDodwell 1 year ago
What about access to non-web services like DBs?
@DevOpsToolkit 1 year ago
No problem.
@MichaelDodwell 1 year ago
The client for access is browser-based though, how does it work allowing, say, mysql CLI access?
@DevOpsToolkit 1 year ago
@MichaelDodwell it will work if that CLI is running on the machine where the client is running.
@MichaelDodwell 1 year ago
Currently using Pomerium for zero trust; if this can do MongoDB access and SQL it might be worth the switch.
@microst99 1 year ago
@8:13 Were?! Ahem... xD Many thanks for the video!
@julianomoraisbarbosa 1 year ago
# TIL
@natachinhas 1 year ago
Pigeons > VPN 🤣🤣🤣
@schwerkopf 1 year ago
first^^
@impaque 1 year ago
Closed-source VPN with such a limiting free tier? No and no, hard pass.