Dumb Pipe

(dumbpipe.dev)

776 points | by udev4096 20 hours ago

42 comments

  • remram 18 hours ago
    You can do this with ssh (and socat or mkfifo):

      # receiver
      socat UNIX-RECV:/tmp/foobar - | my-command
    
      # sender
      my-command | ssh host socat - UNIX-SENDTO:/tmp/foobar
    
    You can relay through any other SSH server if your target is behind a firewall or subject to NAT (for example the public service ssh-j.com). This is end-to-end encrypted (SSH inside SSH):

      # receiver
      ssh [email protected] -N -R ssh:22:localhost:22
      socat UNIX-RECV:/tmp/foobar - | my command
    
      # sender
      my-command | ssh -J [email protected] ssh socat - UNIX-SENDTO:/tmp/foobar
    
    (originally posted on the thread for "beam": https://news.ycombinator.com/item?id=42593135)
    • kragen 16 hours ago
      This doesn't do most of what dumbpipe claims to do: it doesn't use QUIC, doesn't avoid using relays when possible, doesn't pick a relay for you, and doesn't keep your devices connected as network connections change. It also depends on you doing the ssh key management out-of-band, while dumbpipe appears to put the keys into random ASCII strings.

      WireGuard is more similar.

      • nightfly 16 hours ago
        Wireguard doesn't do most of those either
        • kragen 16 hours ago
          That's true, just some.
    • michaelmcmillan 2 hours ago
      This comment reminds me of HN's reaction to Drew Houston announcing Dropbox on Hacker News in 2007: https://news.ycombinator.com/item?id=9224
      • latexr 2 minutes ago
        I really wish the people who feel like bringing up that comment would do a modicum of research instead of perpetuating unhelpful and wrong information.

        For one, that wasn’t “HN’s reaction”. Read the thread, it’s full of praise. You’re talking about one specific comment.

        For another, the commenter was incredibly respectful and even conceded some of the points after they got a reply. Again, read it, it’s right there in your link.

        That is an excellent example of how to communicate, and we would be lucky if all interactions followed that example. We should be praising it, not deriding it.

      • remram 1 hour ago
        I didn't say this project is useless, I offered a different way to do it with the tools you already have installed. Calm down. Iroh *is* cool.
    • cakealert 14 hours ago
      First sentence after following the link this topic is about:

        Dumb pipe punches through NATs, using on-the-fly node identifiers. It even keeps your machines connected as network conditions change.
    • actinium226 17 hours ago
      Never knew about ssh-j.com. Neat.
    • rfl890 13 hours ago
      You could also set up a wg server, have both clients connect to it and then pass data between the two IPs. There's still a central relay passing data around, NAT or no NAT.
      • bb88 8 hours ago
        After getting burnt on wireguard a few times now, I'm not keen on using it anymore.

        I want less magic, not more impenetrable ip table rulesets (in linux at least).

        • tetha 1 hour ago
          Having run servers on OpenVPN, IPSec and Wireguard.. Wireguard is very mundane software.

          I still get the chills at the deep and arcane configuration litanies you have to dictate over calls to get a tunnel configured. And sometimes, if you had to integrate different implementations of IPSec with each other, it just wouldn't work and eventually you'd figure out that one or two parameters on one side are just wrong.

          And if you don't want to manage IPTables/nftables manually to firewall the traffic from the VPN (which is ugly, I agree), ufw or firewalld introduced forwarding rule management (route, and policies) recently.

        • BLKNSLVR 3 hours ago
          Interested to know how you've been burnt by wireguard; what did it not do that you were expecting? What failures have you experienced with it that were the fault of wireguard?

          I've been using it (fairly simply, mind you) and it's been pretty solid for a number of years, and was as administrative relief in comparison to OpenVPN which I'd been using before wireguard existed. Single UDP port usage makes me query your comment about impenetrable IP table rulesets.

          (OpenVPN was great for it's time too, the sales reps at the company where I introduced it loved the ability to work from the road, way back early 2000's)

    • nine_k 10 hours ago
      You can simplify things even more by running https://www.tarsnap.com/spiped.html

      It doesn't even assume ssh.

    • defraudbah 2 hours ago
      you need an ssh server and an open port, different protocol etc
  • 44za12 4 hours ago
    Every time someone calls a product “dumb,” I get a little excited, because it usually means it’s actually smart. The internet is drowning in “smart” stuff that mostly just spies on you and tries to sell you socks. Sometimes, I just want a pipe that does what it says on the tin; move my bits, shut up, and don’t ask for my mother’s maiden name.
    • thuridas 7 minutes ago
      But what about the enterprise ready AI features so that they can train on your data?
    • josephg 4 hours ago
      > and tries to sell you socks

      I've been writing raw POSIX net\ code today. A lot of variables shorten "socket" to "sock". And my brain was like.. um, bad news! This is trying to sell us on their special sock(et)s!

      • lozf 11 minutes ago
        I thought it was quite a fun pun for the same reason.
    • Sateeshm 4 hours ago
      Dumb is now 'we don't steal your data'
  • Aardwolf 15 hours ago
    I wonder why it's not standard that you can simply connect two PC's to each other with a USB cable and have them communicate/transfer files. With same protocol in all OSes, of course. Seems like it should have been one of the first features USB could have had since the beginning, imho

    I know there's something about USB A to USB A cables not existing in theory, but this would have been a good reason to have it exist, and USB C of course can do this

    Also, Android to PC can sort of do it, and is arguably two computers in some form (but this was easier when Android still acted like a mass storage device). But e.g. two laptops can't do it with each other.

    • felurx 13 hours ago
      You actually can connect two machines via USB-C (USB4 / Thunderbolt) and you get a network connection.

      You only get Link-Local addresses by default, which I recall as somewhat annoying if you want to use SSH or whatever, but if you have something that does network discovery it should probably work pretty seamlessly.

      See https://christian.kellner.me/2018/05/24/thunderbolt-networki... or https://superuser.com/a/1784608

      • userbinator 11 hours ago
        You only get Link-Local addresses by default

        The same thing happens with two machines connected via an Ethernet cable, which appears to be what this USB4 network feature does - an Ethernet NIC to software, but with different lower layer protocols.

      • grishka 8 hours ago
        Non-USB-shaped older Thunderbolt, down to version 1, can do this too, iirc. But you do need the expensive and somewhat rare cable.
    • clearleaf 14 hours ago
      The incredible technology you're describing was possible on the Nintendo DS without wires and no need for a LAN either. It's a problem that's been solved in hundreds of different ways over the last 40 years but certain people don't want that problem to ever be solved without cloud services involved.

      This dumb pipe thing is certainly interesting but it will run into the same problem as the myriad other solutions that already exist. If you're trying to give a 50MB file to a Windows user they have no way to receive it via any method a Linux user would have to send it unless the Windows user has gone out of their way to install something most people have never heard of.

      • deathanatos 7 hours ago
        > It's a problem that's been solved in hundreds of different ways over the last 40 years

        If we put the requirements of,

          1. E2EE
          2. Does not rely on Google. (Or ideally, any other for profit corporation.)
        
        That eliminates like 90% of the recent trend of WebRTC P2P file transfer things that have graced HN over the last decade, as all WebRTC code seems to just copy Google's STUN/TURN servers between each other.

        But as you say,

        > but certain people don't want that problem to ever be solved without cloud services involved.

        ISPs seem to be that in set. IPv6 would obsolete NAT, but my ISP was kind enough to ship an IPv6 firewall that by default drops incoming packets. It has four modes: drop everything, drop all inbound, a weird intermediate mode that is useless¹, and allow everything.

        (¹this is Verizon fios; they claim, "This feature enables "outside-to-inside" access for IPv6 services so that an "outside" Internet service (gaming, video, etc.) can access a specific "inside" home client device & port in your local area network."; but the feature, AFAICT, requires the external peer's address. I.e., I need to know what my roaming IP will be before I leave the house, somehow, and that's obviously impossible. It seems utterly clearly slapped on to say "it comes with a firewall" but was never used by anyone at Verizon in the real world prior to shipping…)

        • genewitch 2 hours ago
          starlink doesn't even give you publicly routable ipv6 unless you bypass the starlink router.

          My starlink is such that i cannot install/set up things like pfsense/opnsense because the connection drops sometimes, and when either of those installers fail, they fail all the way back to "format the drive y/n?" Also, things like ipcop and monowall et al don't seem to support ipv6.

          I looked in to managing ipv6 from a "i am making my own router" and no OS makes this simple. i tried with debian, and could not get it to route any packets. I literally wrote the guide for using a VM for ipcop and one of the "wall" distros; but something about ipv6 just evades me.

      • elliotec 11 hours ago
        I mean, windows users install things they’ve never heard of all the time.

        If this was a real thing you needed to do, and it is too much work to get them to install WSL, you could probably just send them the link to install Git and use git bash to run that curl install sh script for dumbpipe.

        And if this seemed like a very useful thing, it couldn’t be too hard to package this all up into a little utility that gets windows to do it.

        But alas, it remains “easier” to do this with email or a cloud service or a usb stick/sd card.

      • loloquwowndueo 11 hours ago
        Pairdrop.net - no need to install anything, transfers go over the local network if both devices are in a LAN.
      • kovek 10 hours ago
        > It's a problem that's been solved in hundreds of different ways over the last 40 years

        I guess now you can find the solution that you need by telling the requirements to LLMs who have now indexed a lot of the tradeoffs

    • userbinator 13 hours ago
      USB is asymmetric - there's a host and a device, and the latter acts as a polled slave.

      The use-case of a wired connection between two PCs was already solved years before USB --- with Ethernet.

      • genewitch 2 hours ago
        there are USB 2.0 (and probably 1.x) devices with usb-A on both sides and a small box in the middle that acts as a network crossover between two machines, i've seen them in stores. I've never used one because i know how to set CIDR. And, as others have mentioned, this does just work with usb-c.
    • 1vuio0pswjnm7 12 hours ago
      "I wonder why it's not standard that you can simply connect two PC's to each other with a USB cable and them communicate/transfer files."

      After TCP/IP became standard on personal computers, I used Ethernet crossover cable to transfer large files between compuers. I always have some non-networked computers. USB sticks were not yet available.

      Today the Ethernet port is removed from many personal computers perhaps in hopes computer owners will send ("sync") their files to third party computers on the internet (renamed "the cloud") as a means of transferring files between the owner's computers.

      Much has changed over the years. Expect replies about those changes. There are many, many different ways to transfer files today. Expect comments advocating those other methods. But the crossover cable method still works. With a USB-to-Ethernet adapter it can work even on computers with no Ethernet port. No special software is needed. No router is needed. No internet is needed. Certainly no third party is needed. Just TCP/IP which is still a standard.

      • loloquwowndueo 11 hours ago
        > Today the Ethernet port is removed from many personal computers

        Pretty sure one can set up an ad hoc wifi network for this.

        • deathanatos 7 hours ago
          One … can. I have a script for this myself, but I only set that up after wanting to do ad hoc and then realizing that it was basically impossible to do from scratch. Ad hoc requires an Internet connection to download the knowledge necessary to do ad hoc, and that utterly defeats the point of it all. (Except in how I've now cached that into a script.)

          Ad hoc requires the machines be in "WiFi shouting range".

          • hoherd 6 hours ago
            I was about to talk about how online help files are forgotten these days, and should guide you to the right information to set up an ad-hoc network, but I was disappointed three times over by macOS.

            macOS does not have any offline documentation like pretty much every OS used to. When I turn off my WiFi and then open "Mac User Guide" or "Tips for your Mac", they both tell me they require an internet connection.

            When I re-enable my internet connection, neither of those apps have information about how to set up an ad-hoc wifi network.

            When I looked up how to create an ad-hoc network in other sources, I discovered that the ability to create an ad-hoc network was apparently removed from the GUI in macOS 11, and now requires CLI commands.

            I hate how modern tech companies assume that everybody always has access to a high speed internet connection.

            • userbinator 5 hours ago
              I hate how modern tech companies assume that everybody always has access to a high speed internet connection.

              I suspect it's deliberate, especially when said company also sells cloud services.

          • cozzyd 3 hours ago
            This is super easy in Linux with NetworkManager. I assume other OS's have simple hotspot functionality?
      • vineyardmike 2 hours ago
        > Today the Ethernet port is removed from many personal computers perhaps in hopes computer owners will send ("sync") their files to third party computers on the internet (renamed "the cloud") as a means of transferring files between the owner's computers.

        Oh come on, this isn't a conspiracy. For the last decade, every single laptop computer I've used has been thinner than an ethernet port, and every desktop has shipped with an ethernet port. I think the last few generations of MacBook Pros (which were famously thicker than prior generations) are roughly as thick as an ethernet port, but I'm not sure it'd practically fit.

        And I know hacker news hates thin laptops, but most people prefer thin laptops over laptops with ethernet. My MacBook Air is thin and powerful and portable and can be charged with a USB-C phone charger. It's totally worth it for 99% of people to not have an ethernet port.

    • rtpg 5 hours ago
      You can plug an ethernet cable in between machines and send files over it! So that period where this would be useful already had a pretty good solution (I vividly remember doing this like 3 times in the same day with some family members for some reason (probably nobody having a USB drive at the moment!))
    • dotancohen 4 hours ago
      I actually have a USB-A to USB-A cable. It came with priority Windows software on an 80mm CD-ROM. It wasn't long enough to connect two desktops in the same room if not on the same table, and I just never tried with a laptop because all my laptops have run Debian or some variant thereof since 2005 or so.
    • Bluecobra 7 hours ago
      You used to be able to connect two PC’s together via the parallel port. I had to do this once to re-install Windows 95 on a laptop with a hard drive and floppy. It was painfully slow but it worked.
    • viraptor 14 hours ago
      On Linux you can do it by creating an MTP endpoint, like mobile devices do https://github.com/viveris/uMTP-Responder

      It looks like MS also had one, but only on Windows CE for some reason https://www.microsoft.com/en-us/download/details.aspx?id=933...

      • cozzyd 3 hours ago
        Or an rndis gadget
    • thebruce87m 15 hours ago
      FireWire did the IIRC. When buying a new Mac you would connect them via a single cable to do the data transfer.
      • ericwood 14 hours ago
        Macs still have target disk mode but it requires rebooting. Highly recommend using thunderbolt to transfer over to a new computer!
    • incanus77 10 hours ago
      I realize you are asking for cross-OS, but Mac OS X was doing this in 2002 (and probably earlier) for PowerBook models with an ethernet cable between them. As I recall, iBooks didn't do this even if they had the port, but PowerBooks would do the auto-crossover, then Finder/AFP would support the machines showing up for each other.
    • defraudbah 2 hours ago
      ethernet works out of the box, i used local lans long time before i knew how to program

      usb probably works too if you google a bit

    • 0_____0 14 hours ago
      IIRC Apple computers can be put into Target Disk Mode, which lets a host computer rifle through its contents as if it is a dumb disk drive
      • pletnes 12 hours ago
        This requires shutting down one computer (the mac) first, though.
    • tripdout 14 hours ago
      The USB 3.0 spec does actually support A to A cables, but I'm not sure if any software makes use of it.
    • xandrius 14 hours ago
      You mean a cross ethernet cable?

      Or using Bluetooth? Or using local WiFi (direct or not).

      • deathanatos 7 hours ago
        > You mean a cross ethernet cable?

        If both machines have an Ethernet port.

        > Or using Bluetooth?

        Half the time I need a dumb pipe, it's from personal to work. Regrettably, work forces me to use macOS, and macOS's bluetooth implementation is just an utter tire fire, and doesn't work 90% of the time. I usually fall back to networks, for that reason.

        Of course, MBPs also have the "no port" problem above.

        > Or using local WiFi (direct or not)

        If I'm home, yeah. But TFA is advertising the ability to hole-punch, and if I'm traveling, that'd be an advantage.

    • meindnoch 14 hours ago
      But then nobody could analyze your files... :/
  • smusamashah 17 hours ago
    Somewhat relevant, I have a list of (mostly browser based + few no-setup cli) tools [1] to send files from A to B. I keep sharing this list here to fish more tools whenever something like this comes up.

    [1]: https://gist.github.com/SMUsamaShah/fd6e275e44009b72f64d0570...

    • Liquix 13 hours ago
      I love LocalSend for quick transfers between your own devices, just werks on every OS.

      https://github.com/localsend/localsend

      • voidmain0001 10 hours ago
        One limitation of iOS is the inability to use Bluetooth to transfer an image/video file to a Bluetooth receiver such as Windows. The Apple documentation requires a wired connection. https://support.apple.com/en-ca/120267

        If LocalSend is running on iOS and Windows does LocalSend have the ability to send photos?

        • sampullman 9 hours ago
          It should work, though I haven't actually tried it. That's not a limitation of iOS, just Apple's own syncing app/protocol. LocalSend is basically an http client/server with network device discovery, as far as I know.
    • mrheosuper 4 hours ago
      Recently there is this project that caught my attention. The project claim to support multi different protocol, on various web browser(even IE6), and extremely easy to setup(single python file). I have not given it a try, just want to share.

      https://github.com/9001/copyparty

    • b_fiive 15 hours ago
      same team behind dumbpipe makes sendme, which is much closer to this use case! https://github.com/n0-computer/sendme
  • kiitos 8 hours ago
    > In the iroh world, you dial another node by its NodeId, a 32-byte ed25519 public key. Unlike IP addresses, this ID is globally unique, and instead of being assigned,

    ok but my network stack doesn't speak nodeID, it speaks tcp/ip -- so something has to resolve your public keys to a host and port that I can actually connect to.

    this is roughly the same use case that DNS solves, except that domain names are generally human-compatible, and DNS servers are maintained by an enormous number of globally-distributed network engineers

    it seems like this system rolls its own public key string to actual IP address and port mapping/discovery system, and offers a default implementation based on dns which the authors own and operate, which is fine. but the authors kind of hand-wave that part of the system away, saying hey you don't need to use this infra, you can use your own, or do whatever you want!

    but like, for systems like this, discovery is basically the entire ball game and the only difficult problem that needs to be solved! if you ignore the details of node discovery and name mapping/resolution like this, then of course you can build any kind p2p network with content-addressable identifiers or whatever. it's so easy a cave man can do it, just look at ipfs

    • rklaehn 3 hours ago
      We do use DNS, but we also have an option for node discovery that uses pkarr.org, which is using the bittorrent mainline DHT and therefore is fully decentralised.

      And, as somebody else remarked, the ticket contains the direct IP addresses for the case where the two nodes are either in the same private subnet or publicly reachable. It also contains the relay URL of the listener, so as long as the listener remains in the same geographic region, dumbpipe won't have to use node discovery at all even if the listener ip changes or is behind a NAT.

    • makeworld 8 hours ago
      In practice, the "ticket" provided by dumbpipe contains your machine's IP and port information. So I believe two machines could connect without any need for discovery infra, in situations that use tickets. (And have UPnP enabled or something.)

      See also https://www.iroh.computer/docs/concepts/discovery

      • kiitos 4 hours ago
        OK so given

            $ ./dumbpipe listen
            ...
            To connect use: ./dumbpipe connect nodeecsxraxj...
        
        that `nodeecsxraxj...` is a serialized form of some data type that includes the IP address(es) that the client needs to connect to?

        forgive me for what is maybe a dumb question, but if this is the case, then what is the value proposition here? is it just the smushing together of some IPs with a public key in a single identifier?

        • rklaehn 6 minutes ago
          The value proposition of the ticket is that it is just a single string that is easy to copy and paste into chats and the like, and that it has a stable text encoding which we aim to stay compatible with for some time.

          We have a tool https://ticket.iroh.computer/ that allows you to see exactly what's in a ticket.

  • Thorrez 37 minutes ago
    >These dumb pipes use QUIC over a magic socket. It may be dumb, but it still has all the features of a full QUIC connection: UDP-based, stream-multiplexing and encrypted.

    How is multiplexing used here? On the surface it looks like a single stream. Is the file broken into chunks and the chunks streamed separately?

  • Liftyee 20 hours ago
    I wonder how much reimplementation there is between this and Tailscale, as it seems like there are many needs in common. One would think that there are already low level libraries out there to handle going through NATs, etc. (but maybe this is just the first of said libraries!)
    • homebrewer 18 hours ago
      Who cares at this point, Tailscale itself is the 600th reimplementation of the same idea, with predecessors like nebula and tinc. They came at the right time, with WireGuard being on the rise, and poured millions into advertisements that their community "competitors" didn't have since most of them isn't riding on VC money.
      • benreesman 13 hours ago
        TailScale sells certificate escrow, painless SSO, high-quality integrations/co-sell with e.g. Mullvad, full-take netlogging, and "Enterprise Look and Feel" wrapped around the real technology. You can run WireGuard yourself, and sometimes I do, but certificate management is tricky to get right, the rest is a pain in the ass, and TailScale is cheap. The hackers behind it (bfitz et all) are world-class, and you can get it past most "Enterprise" gatekeeping.

        It doesn't solve problems on my personal infrastructure that I couldnt solve myself, but it solves my work problem of getting real networking accepted by a diverse audience with competing priorities. And its like 20 bucks a seat with all the trimmings. Idk, maybe its 50, I don't really check because its the cheapest thing on my list of cloud stuff by an order of magnitude or so.

        Its getting more enterprise and less hackerish with time, big surprise, and I'm glad there's younger stuff in the pipe like TFA to keep it honest, but of all the necessary evils in The Cloud? I feel rather fondly towards tailscale rather than with cold rage like most everything else on the Mercury card.

      • senko 17 hours ago
        I've managed a Wireguard-based VPN before Tailscale. It's pretty straightforward[0].

        Tailscale makes it even more convenient and adds some goodies on top. I'm a happy (free tier) user.

        [0] I also managed an OpenVPN setup with a few hundred nodes a few decades back. Boy do we have it easy now...

      • api 18 hours ago
        I've met a lot of people who think Tailscale invented what it does.

        Prior to Tailscale there were companies -- ZeroTier and before it Hamachi -- and as you say many FOSS projects and academic efforts. Overlay networks aren't new. VPNs aren't new. Automated P2P with relay fallback isn't new. Cryptographic addressing isn't new. They just put a good UX in front of it, somewhat easier to onboard than their competitors, and as you say had a really big marketing budget due to raising a lot when money was cheap.

        Very few things are totally new. In the past ten years LLMs are the only actually new thing I've seen.

        Shill disclosure: I'm the founder of ZeroTier, and we've pivoted a bit more into the industrial space, but we still exist as a free thing you can use to build overlays. Still growing too. Don't have any ill will toward Tailscale. As I said nobody "owns" P2P and they're doing something a bit different from us in terms of UX and target market.

        These "dumb pipe" tools -- CLI tooling for P2P pipes -- are cool and useful and IMHO aren't exactly the same thing as ZT or TS etc. They're for a different set of use cases.

        The worst thing about the Internet is that it evolved into a client-server architecture. I remain very cautiously optimistic that we might fix this eventually, or at least enable the other paradigm to a much greater extent.

        • flub 1 hour ago
          As one of the iroh developers I must say thank you for creating ZeroTier! It absolutely was part of the inspiration and it's seamless functioning continues to amaze me daily. Something that continues to drive me to strive for as seamless an experience in iroh.

          I love the fact we can make different tools learning from each other and approaching making p2p usable in different ways.

        • dandellion 17 hours ago
          > put a good UX in front of it

          It's good as long as everything works out of the box, but it's a nightmare when something doesn't work. Or at least that has been my experience. I'm used to always troubleshoot first when I have any issue, but with Tailscale I decided I'm done trying to fight it, next time something doesn't work I'll just open a ticket and make it the ops team problem.

          • api 17 hours ago
            This is true for all systems that hide a lot of complexity. Apple is great until something doesn't work and you get things like "Error: try again later." A car is great until it doesn't start, and there are numerous reasons that can happen.
        • rollcat 18 hours ago
          I know it wasn't a "new" idea, but still, ZT was a paradigm shift for me. I was suddenly on the same LAN with people I cared about. Thank you for making it happen.
        • gavinray 18 hours ago
          I remember running Hamachi and NoIP DUC's (Dynamic Update Client) as a kid in late 2000's to expose private server addresses for games or for multiplayer through direct network addresses

          NoIP was also the recommended "easy" option for configuring RAT (Trojan) host addresses at the time IIRC.

        • opello 9 hours ago
          As others have said Hamachi was very popular in some gaming communities. I don't know quite how it fits technologically, but a similar user experience seems to come from playit.gg[1].

          [1] https://playit.gg/

          • physicles 9 hours ago
            My friends and I used Hamachi in the early 2000s to play StarCraft and other games over the internet without involving online services. Worked great. I’ve got a soft spot for it.
        • sergiotapia 17 hours ago
          Hamachi was BIG in the gaming scene. I used to host a Tibia server and use it to make the server accessible to friends.
        • udev4096 18 hours ago
          As much as hyped tailscale is, at least there is an option to fully self-host coordination server. Do you have something like that?
          • api 17 hours ago
            ZeroTier controllers can be self-hosted.
    • conradev 18 hours ago
      Iroh is much better suited for the application layer. You can multiplex multiple QUIC streams over the same connection, each for a specific purpose. All you need is access to QUIC, no virtual network interface.

      It’s a bit like gRPC except you control each byte stream and can use one for, say, a voice call while you use another for file transfer and yet another for simple RPC. It’s probably most similar to WebRTC but you have more options than SCTP and RTMP(?).

    • mpalmer 20 hours ago
      This is made using iroh, which aims to be a low level framework for distributed software. Involves networking but also various data structures that enable replication and consistency between networked nodes.
      • danenania 18 hours ago
        Does it include reconnection logic? I presume that's not considered "low level", but it does always annoyingly have to be reimplemented every time you deal with long-lived socket connections in production.
        • b_fiive 15 hours ago
          yes, to an extent. It will time out if the connection completely dies for more than the timeout interval, but all connections are designed to survive changes to network changes like IP address or network interface (eg: switching from WiFi to ethernet, or cellular)
    • rklaehn 3 hours ago
      Iroh is one of these low level libraries. It is basically p2p QUIC, where p2p means 1. addressing by node id and 2. hole punching.

      Dumbpipe is meant to be an useful standalone tool, but also a very simple showcase for what you can do with iroh.

    • TechDebtDevin 19 hours ago
      Connecting phones on mobile/cignat with Tailscale is really one of the few software "Aha" moments I've had.
    • cr125rider 19 hours ago
      Isn’t tailscale a wrapper around WireGuard? With some other hole-punch sprinkles?
      • odo1242 19 hours ago
        Well, WireGuard and WebRTC, but yes.

        The real feature of Tailscale is being able to connect to devices without worrying about where they are.

        • homebrewer 18 hours ago
          You might be confusing it with netbird, which is the 601st implementation of a mesh network that does use both WebRTC and WireGuard.
        • bradfitz 19 hours ago
          There's no WebRTC in Tailscale.
          • snapplebobapple 18 hours ago
            Isnt a derp server juat webrtc with minor changes?
            • rollcat 18 hours ago
              You don't need the whole of WebRTC for NAT traversal, TURN/STUN will do the job.
      • scosman 9 hours ago
        Nat punch is a big part of it, but so is key management/sync, and configuration management.
      • nine_k 19 hours ago
        ...and DNS, and host provisioning, and SSO, and RBAC, and other stuff you need to sell to enterprises.
      • kiitos 9 hours ago
        tailscale is a wrapper around wireguard in the same way that dropbox is a wrapper around rsync
    • benreesman 19 hours ago
      Theres overlap but i can see complementary uses as well. It uses some of the same STUN-family of tecniques. I have no plans to stop using TailScale (or socat) but i think i use this every day now too.
    • max-privatevoid 20 hours ago
      iroh is meant to be this library, but there is also libp2p, which existed before iroh.
      • binary132 19 hours ago
        Part of the problem with libp2p is that the canonical implementations are in Go which isn’t really well-suited to use from C++, JS, or Rust. The diversity of implementations in other languages makes for varying levels of quality and features. They really should have just picked one implementation that would be well-suited to use via C FFI and provided ergonomic wrappers for it.
  • trklausss 52 minutes ago
    Question: What is the security level behind this? I guess if it is "dumb" _anyone_ can input your identifier for the pipe and connect to it?? Or even listen on it?
  • ilovefood 19 hours ago
    iroh is fantastic tech.

    I attended Rüdiger's (N0) workshop 2 weeks ago at the web3 summit in Berlin and was left super inspired. The code for building something like this is available here https://github.com/rklaehn/iroh-workshop-web3summit2025 and I highly recommend checking out the slides too :)

    • rklaehn 3 hours ago
      Thank you for the praise! It is nice to hear that people enjoy these workshops.

      I would love to see what people would build if they had a little bit more time with help from the n0 team. A one hour or even three hour workshop is too short.

  • qudat 19 hours ago
    At pico.sh we built something similar but using SSH: https://pipe.pico.sh
    • geek_at 18 hours ago
      in a direct benchmark against dumbpipe. What do you think the results would be like?
      • tionis 14 hours ago
        Well pipe.pico.sh always uses a proxy server so throughput and latency are worse, but you have your own namespace for the pipes and thus don't have to synchronize random connection strings
  • behrlich 18 hours ago
    https://github.com/anderspitman/awesome-tunneling - for anyone interested in the landscape of tunneling tools like this.
  • bob1029 19 hours ago
    I've always found this path to be more compelling:

    https://github.com/samyk/pwnat

    It has more edges and doesn't handle all cases, but it also avoids the need for any kind of intermediary.

  • chrisallick 19 hours ago
    About once or twice a year a solution comes out that does this. Here is a great one for orchestrating connections: https://docs.spacebrew.cc/
    • x2tyfi 19 hours ago
      While that may be true, the branding of this particular project seems unbeatable. A literal dumb pipe man with wacky arms. It just works.
      • alt227 19 hours ago
        I feel it was the same for IFTTT over a decade ago. People always move on to the next shiny thing.
    • latchkey 19 hours ago
      "In 2023 it's..."
  • CGamesPlay 11 hours ago
    If you are in the mood for a slightly less dumb pipe, I’ve been building a tunnel manager CLI built on Iroh. Supports forwarding ports over TCP, UDP, and UNIX sockets. https://gitlab.com/CGamesPlay/qtm
  • nine_k 19 hours ago
    I wonder how much different it is from Wireguard + netcat. Both run encrypted channels over UDP, but somehow differently. What does QUIC offer that Wireguard does not?
    • TheDong 19 hours ago
      QUIC includes a standard for peer address discovery: https://www.ietf.org/archive/id/draft-ietf-quic-address-disc...

      Wireguard doesn't, which is why tailscale took off so much, since it offers basically that at its core (with a bunch of auxiliary features on top).

      Show me some wireguard discovery/relay servers if I'm wrong.

      Also, QUIC is more language-agnostic. The canonical user-space implementation of wireguard is in Go, which can't really do C FFI bindings, and the abstractions are about dealing with "wireguard devices", not "a single dump pipe", so wireguards userspace library also makes it surprisingly difficult to implement this simple thing without also bringing a ton of baggage (like tun devices, gateways, ip address management, etc) along for the ride.

      If you already have a robust wireguard setup, then of course you don't need this and can just use socat or whatever.

    • sethev 17 hours ago
      They both run over UDP and always encrypt data. Beyond that superficial similarity they are completely different.

      QUIC is a transport protocol that provides a stream abstraction (like TCP), with some improvements over TCP (like built-in support for multiplexing streams on the same connection, without head-of-line blocking issues).

      Wireguard provides a network interface abstraction that acts as NIC. You can run TCP on top of a wireguard NIC (or QUIC for that matter).

    • bastawhiz 19 hours ago
      Wireguard is a tunneling protocol. Netcat lets you write things over a socket. But netcat doesn't implement mechanisms for guaranteeing that all your packets arrive over UDP mode, so you're forced to tunnel TCP over UDP for reliability.

      QUIC is all UDP, handling the encryption, resending lost packets, and reordering packets if they arrive out of order. The whole point of QUIC is to make it so you can get files transferred quickly.

      WireGuard doesn't know the data you're sending, and netcat+TCP is stuck with the limitations of every packet needing to be sent and acknowledged sequentially.

    • kevindamm 19 hours ago
      Wireguard is opaque about the independent streams in its connection. So, while they both can encapsulate multiple concurrent streams in one connection, QUIC can do things like mitigate Head-of-Line Blocking and manage encryption at the transport layer. It also uses a connection ID on these substreams which helps make transitioning across network changes seamless.
      • themk 7 hours ago
        If you set up multiple TCP connections over Wireguard, there is no head-of-line blocking either. And Wireguard also transitions across network changes.

        In fact, it's one of the main reasons I use Wireguard. I can transition between mobile network and wifi without any of the applications noticing.

  • punnerud 16 hours ago
    Good article from Tailscale on how direct connections is established, even when both nodes is behind NAT: https://tailscale.com/blog/how-nat-traversal-works
  • darzu 14 hours ago
    Does anyone know if this tech (or Iroh) is suitable for real-time networking for games? Basically, once connection is established, what's the overhead on top of UDP in terms of latency and bandwidth?

    Edit: after digging a little, Iroh uses QUIC which looks like a reliable, ordered protocol as opposed to the unreliable, unordered nature of UDP which is what many games need.

    Now what I'd love to figure out is if there's a way to use their relay hopping and connection management but send/receive data through a dumb UDP pipe.

    • CGamesPlay 11 hours ago
      > QUIC which looks like a reliable, ordered protocol as opposed to the unreliable, unordered nature of UDP which is what many games need.

      This isn't right, as a sibling comment mentions. QUIC is a UDP-based protocol that handles stream multiplexing and encryption, but you can send individual, unordered, unreliable datagrams over the QUIC connection, which effectively boils down to UDP with a bit of overhead for the QUIC header. The relevant method in Iroh is send_datagram: https://docs.rs/iroh-net/latest/iroh_net/endpoint/struct.Con...

    • b_fiive 12 hours ago
      Yep! It's totally usable for games, and used in a few! One of my favs is the godot engine plugin: https://github.com/tipragot/godot-iroh

      QUIC can do both reliable & unreliable streams, as can iroh

  • csteubs 19 hours ago
    Just a head's up, I'm getting a 404 on the link to the relay docs (https://www.iroh.computer/docs/layers/connections) when attempting to click through.
  • dignifiedquire 1 hour ago
    thanks everyone for all the love <3

    [maintainer of iroh here]

  • zx8080 4 hours ago
    Every time I see `curl ..| sh` I feel bad. It shouldn't be a norm to run a downloaded script in shell.
    • zekica 3 hours ago
      And especially not run the script while it's downloading. The remote server can detect timing difference (let's say the script has "sleep 30" and the buffer fills) and send a different response (really easy if using chunked encoding or HTTP2 data frames).
  • jaimex2 11 hours ago
    Who is paying for the relays and why?
    • rklaehn 3 hours ago
      We (n0) are running one set of relays. They are rate limited, so they basically only help with the hole punching process.

      Projects or companies that use iroh can either run their own relays or use our service https://n0des.iroh.computer/ , which among many other things allows spinning up a set of dedicated relays.

  • bravesoul2 2 hours ago
    Dumb question: can I port forward using this?
  • qgin 16 hours ago
    This is really good marketing presentation for a command line tool
  • dangoodmanUT 19 hours ago
    iroh is awesome, and this is such a good demo of how stupid simple it is to use
  • 100pctremote 17 hours ago
    Very handy. We've developed an industrialized variant of this in RelayKit designed for fleets of fielded devices at scale with Anycast, mTLS, multiplexing of services through a single tunnel, Bring Your Own PKI and some other fleet management features that together become a somewhat smarter pipe: https://farlight.io
  • jauntywundrkind 17 hours ago
    The surface being http is super nice to have. It's a streams-over-http general utility, quic powered.

    I'm struggling to remember what but there's a simple http service called like patchbay or some such that's a store and forward pattern. This idea of very simple very generic http powered services has a high appeal to me.

    Looking forward to a future version that can do WebTransport

  • oc1 1 hour ago
    > In 2023 it's hard to connect two devices directly

    It's not. Use tailscale.

  • mrighele 16 hours ago
    I remember doing something like this with Skype many years ago (at least 15, I guess).

    The old Skype, the one that was a real p2p app and before it got bought by Microsoft, was very good slicing through firewalls and NATs and it offered a plugin api, so it was easy to implement a TCP tunnel with it.

  • scirob 18 hours ago
    Oh they use Iroh notice!
  • amdivia 17 hours ago
  • binarymax 19 hours ago
    Does this require a 3rd party host, or is it peer-to-peer?
    • b_fiive 17 hours ago
      it's p2p. dumbpipe is hardcoded to use a public set of relays that we run for free (we being number 0, the team that make iroh & dumbpipe).

      we can definitely add a config argument to skip the hardcoded relays & provide custom ones!

      • binarymax 17 hours ago
        Thanks for the response. This statement confuses me a bit. What is a relay? Does traffic go through it at all, or is it for connection negotiation, or some of both?
        • b_fiive 15 hours ago
          sibling comment with links to docs is the more accurate, but to summarize, it's some of both:

          * all connections are always e2ee (even when traffic flows through a relay)

          * relays are both for connection negotiation, and as a fallback when a direct connection isn't possible

          * initial packet is always sent through the relay to keep a fast time-to-first-byte, while a direct connection is negotiated in parallel. typical connections send a few hundred bytes over the relay & the rest of the connection lifetime is direct

        • 4gotunameagain 15 hours ago
          Your questions are answered in TFA, including multiple links to documentation about the process.

          https://www.iroh.computer/docs/concepts/relay \

          https://crates.io/crates/iroh

        • kiitos 1 hour ago
          tl;dr: resolving ids to destinations requires a third party relay
          • dignifiedquire 25 minutes ago
            relays _can_ be used to resolve IDs, but so can mDNS, an email or any other form of third party channel
    • nine_k 19 hours ago
      Peer to peer, unless both ends are behind NAT, then you need to run a relay.
      • justusthane 19 hours ago
        They provide a default relay. It’s not clear to me whether you can manually specify a different relay.
        • rklaehn 3 hours ago
          Dumbpipe is using our set of relays. It is meant as a standalone tool as well as a showcase for what you can do with iroh.

          If you use iroh as a library, you can specify your own relays.

          It is important to mention that relays are interoperable, so you don't have isolated bubbles of nodes using certain relay networks. I can have the n0 relays specified and still talk to another node that is using a different set of relays.

        • avtar 18 hours ago
          They have docs for using self-hosted relays:

          https://github.com/n0-computer/iroh/blob/main/iroh/docs/loca...

  • zb3 12 hours ago
    You mean using "curl | sh" is a dumb pipe? Well, couldn't agree more :)
  • kwakubiney 16 hours ago
    Is there a way I can use this to run remote commands on another host? Something similar to what ssh does?
    • makeworld 15 hours ago
      You could pipe to bash?
      • kwakubiney 15 hours ago
        Ah right, but this does not support bidirectional streaming so I won't be able to get the remote stdout on the client, I guess.
        • scottmf 13 hours ago
          Couldn’t you just pipe the stdout to another dumbpipe
          • kwakubiney 13 hours ago
            Not a very friendly API
            • scottmf 12 hours ago
              This works:

              Remote:

                $ socat TCP-LISTEN:4321,reuseaddr,fork EXEC:"bash -li",pty,stderr,setsid,sigint,rawer&
                $ dumbpipe listen-tcp --host 127.0.0.1:4321
                using secret key fe82...7efd
                Forwarding incoming requests to '127.0.0.1:4321'.
                To connect, use e.g.:
                dumbpipe connect-tcp nodeabj...wkqay
              
              
              Local:

                $ dumbpipe connect-tcp --addr 127.0.0.1:4321 nodeabj...wkqay&
                using secret key fe82...7efd
                $ nc 127.0.0.1 4321
                root@localhost:~#
  • kocial 14 hours ago
    You can also do this via "netcat", running the commands below in a terminal.

    Receiver (listening to port 31337):

    `nc -l -p 31337`

    Sender (connecting to receiver IP):

    `nc <receiver_ip> 31337`

    Want to send a message to the receiver:

    `echo "Hello from Kocial" | nc <receiver_ip> 31337`

    == if you want to send a file ==

    Receiver:

    `nc -l -p 31337 > hackernews.pdf`

    Sender:

    `nc <receiver_ip> 313337 < hackernews.pdf`

    • miniBill 13 hours ago
      This doesn't punch through NATs at all, which is the point of Dumb Pipe
  • benreesman 19 hours ago
    The marketing is brilliant. The name of the company (number0) is mad hackerish man, right up my alley in the words of Charlie Murphy. I'm going to try this in my GCE on bare metal "unvirtualizer" today (number0 is what a Linux kernel would call the first tuntap with number as its prefix if you had such a patch).

    These are my kind of people!

  • rs_rs_rs_rs_rs 18 hours ago
    I've been using this for some years now https://magic-wormhole.readthedocs.io/en/latest/index.html
  • gosub100 11 hours ago
    10 years ago I made an "encrypted voice channel" by chaining the following 3 commands together (I dont remember exactly how it looked, this is just a sketch):

        arecord - | openssl aes-128-cbc -pass:'secretstring' - | nc <dest ip> <dest port>
    
    on the receiving end

        nc -l <dest port> | openssl aes-128-cbc -pass:'secretstring' | aplay -
    
    I don't remember exactly which audio device I used back then. It worked okay-ish, but there was definitely lag from somewhere. Just kind of neat that you can build something so useful without a bloated app, just chaining a few commands together.
  • Surac 4 hours ago
    Perfect for malware
  • gnarlouse 15 hours ago
    Neato
  • AtlasBarfed 16 hours ago
    Kinda related to this, but is there something that runs a daemon on your local machine, where if a "file request document" is uploaded to mega or Google drive or something similar the (,polling) daemon recognizes the request and pushed the document/file to the file store service?
    • bravesoul2 2 hours ago
      Dropbox :)

      Or whatever ftp thing they mentioned on the Dropbox show HN ;)

  • amelius 18 hours ago
    "Dumb pipe" sounds like they forgot about security.
    • klysm 17 hours ago
      I don't understand this perspective. Dumb primitives that are secure is _exactly_ how you build secure system!
      • remram 16 hours ago
        You could describe this same project as "a smart pipe that punches through NATs & stays connected (...)" and it wouldn't be any more surprising or inaccurate than the current description. So maybe it is not that descriptive.
      • amelius 17 hours ago
        > ... that are secure ...

        That's a huge assumption I wouldn't make after reading "dumb".

        And from the article:

        > Easy, direct connections that punch through NATs & stay connected as network conditions change.

        This sounds more like a pipe that is trying to be smart. According to your principle, not something to build a secure system with.