kyledrake 7 hours ago

Spiped is excellent, I use it in production for really critical stuff and it's rock solid. Seriously one of the best pieces of software ever written. I've never even once had to debug a problem with it, it just works.

maples37 12 hours ago

> This is similar to 'ssh -L' functionality, but does not use SSH and requires a pre-shared symmetric key.

I already have SSH set up and functional, what advantage does spiped offer?

  • 0xCMP 12 hours ago

    iirc spiped uses TLS/OpenSSL for securing the connection, the symmetric key avoids the key-exchange and worrying about certificates, and therefore is better capable of efficiently using the connection than SSH by itself.

    Because it's much simpler it's also a good way to expose a system to the internet, although WireGuard with a PSK is a very similar and possibly superior solution.

  • unsnap_biceps 10 hours ago

    I'm presuming this is pretty similar to https://www.stunnel.org

    We would use stunnel rather than SSH for non-interactive usages. Having an active stunnel running all the time is safer than requiring a full SSH session to be active.

    • tptacek 9 hours ago

      stunnel predates spiped by quite some time; spiped is a reaction to stunnel --- specifically, a network hole punch for people who trust neither OpenSSL nor OpenSSH's attack surface.

      Today, most people would just use WireGuard for this.

joshbaptiste 7 hours ago

I no longer have SSH listening on the bare internet on my VPS nodes. I either place spiped in front of the standard daemon or disable it entirely and utilize Tailscale SSH.