Related. Others?
Spiped – symmetric, encrypted, authenticated pipes between sockets - https://news.ycombinator.com/item?id=7539499 - April 2014 (86 comments)
Spiped is excellent, I use it in production for really critical stuff and it's rock solid. Seriously one of the best pieces of software ever written. I've never even once had to debug a problem with it, it just works.
I posted this in response to the news that Kazakhstan is blocking Wireguard connections entirely:
https://news.ycombinator.com/item?id=45054598
Uzbekistan!
> This is similar to 'ssh -L' functionality, but does not use SSH and requires a pre-shared symmetric key.
I already have SSH set up and functional, what advantage does spiped offer?
There are several advantages to using spiped rather than tunneling via ssh:
* Reduced attack surface: The spiped protocol (and implementation) is orders of magnitude simpler than ssh.
* spiped opens a separate transport layer connection for each pipe, mitigating "noisy neighbour" effects where one busy connection tunneled over ssh can bottleneck other connections tunneled over the same ssh connection. (This is not perfect, since spiped is single-threaded: A connection which is busy enough will end up starving you for CPU time for the crypto. But you'll typically hit that limit with traffic orders of magnitude higher than you'd need to create a bottleneck if everything goes over the same TCP connection.)
* spiped has no persistent connection, so there's nothing to be interrupted if your network drops (or if you move between networks). Every connection is a new connection; spiped is effectively transparent.
iirc spiped uses TLS/OpenSSL for securing the connection, the symmetric key avoids the key-exchange and worrying about certificates, and therefore is better capable of efficiently using the connection than SSH by itself.
Because it's much simpler it's also a good way to expose a system to the internet, although Wireguard with a PSK is a very similar and possibly superior solution.
spiped does not in fact use TLS.
A subthread from 2014:
https://news.ycombinator.com/item?id=7540288
Ah okay, yea I wasn't sure if I remembered that correctly or not. I double checked it was using OpenSSL and assumed.
I'm presuming this is pretty similar to https://www.stunnel.org
We would use stunnel rather than SSH for non-interactive usages. Having an active stunnel running all the time is safer than requiring a full SSH session being active.
stunnel predates spiped by quite some time; spiped is a reaction to stunnel --- specifically, a network hole punch for people who trust neither OpenSSL nor OpenSSH's attack surface.
Today, most people would just use WireGuard for this.
I no longer have SSH listening on the bare internet on my VPS nodes; I either place spiped in front of the standard daemon or disable it entirely and utilize Tailscale SSH.
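The setup described in the last comment (spiped in front of sshd, with the pre-shared symmetric key mentioned earlier in the thread), as an added example that is not part of the original discussion or of the spiped project. It assumes spiped is installed on both hosts and that `ssh.example.internal`, the key path and the port numbers are placeholders; the `-e`, `-d`, `-s`, `-t`, `-k` and `-F` options are spiped's documented command-line interface.

```shell
#!/bin/sh
# Added example: protect sshd with spiped and a pre-shared 32-byte key.
# Placeholders: key path, server host name, ports. Not spiped project code.
set -eu

# spiped keys are raw random bytes (no certificates): both ends hold the same
# 32-byte file. Generate it with 0600 permissions in a subshell so the umask
# change does not leak into the caller.
gen_key() {
    keyfile=$1
    (umask 077; dd if=/dev/urandom bs=32 count=1 of="$keyfile" 2>/dev/null)
    chmod 600 "$keyfile"
}

# Pre-deploy sanity check: exactly 32 bytes, and no group/other permission
# bits (a readable key is equivalent to a readable SSH password).
check_key() {
    keyfile=$1
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 32 ] || return 1
    mode=$(ls -l "$keyfile" | cut -c5-10)   # group+other bits of the mode string
    [ "$mode" = "------" ] || return 1
}

# Server (decrypting end): listen on the public port, forward plaintext to
# sshd on loopback. sshd itself should bind only to 127.0.0.1 so the only
# path to it from outside is through spiped.
server_cmd() {
    keyfile=$1; public_port=$2
    printf "spiped -d -F -s '[0.0.0.0]:%s' -t '[127.0.0.1]:22' -k %s\n" \
        "$public_port" "$keyfile"
}

# Client (encrypting end): expose a loopback port that wraps each connection
# to the server's spiped listener. Each TCP connection gets its own pipe.
client_cmd() {
    keyfile=$1; server_host=$2; public_port=$3; local_port=$4
    printf "spiped -e -F -s '[127.0.0.1]:%s' -t '[%s]:%s' -k %s\n" \
        "$local_port" "$server_host" "$public_port" "$keyfile"
}

# Run the command when spiped is installed; otherwise show what would run.
run_or_show() {
    if command -v spiped >/dev/null 2>&1; then
        eval "$1"
    else
        printf 'spiped not found, would run: %s' "$1"
    fi
}

# Usage (run with "server" or "client" as the first argument):
#   ./spiped-ssh.sh server   -> on the VPS, after copying the key there
#   ./spiped-ssh.sh client   -> locally, then: ssh -p 8022 localhost
main() {
    key=${KEYFILE:-/etc/spiped/ssh.key}
    case "${1:-}" in
        server) [ -f "$key" ] || gen_key "$key"
                check_key "$key"
                run_or_show "$(server_cmd "$key" 8022)" ;;
        client) check_key "$key"
                run_or_show "$(client_cmd "$key" ssh.example.internal 8022 8022)" ;;
        *) ;;   # no role given: define functions only (sourced use)
    esac
}
main "${1:-}"
```

The key file is the whole trust anchor here: anyone who can read it can reach sshd, so `check_key` refuses keys that are the wrong size or world/group readable before anything is started.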