✨ Update about Cosmos: Constellation incoming! (VPN integrated into the reverse proxy)

Hello hello!

In today’s episode of: What has Azukaar been doing, I present to you: Constellation!

In a nutshell: Constellation is a mesh VPN fully integrated into Cosmos that requires no setup whatsoever and allows you to connect to your server in one click from anywhere without exposing your ports. You can use it for:

- Securing your servapps as if you were using Wireguard/Tailscale/Tunnel to connect to them (port is not exposed, only accessible from within your constellation)

- Access your home server / desktop (RDP/VNC) / NAS / IOT stuff from anywhere securely via the VPN

- Play LAN games within your Constellation seamlessly

- Hide your IP and circumvent CGNAT (This will come later! I’ll explain why)

- Add auth to servapps you want to use via an app (ex. plex) without breaking them (HTML apps are not compatible with mobile apps of course)

Differences between Constellation and other VPN-like technologies are:

- It’s fully open-source, self-hosted and in your control (no Cloudflare snooping into your traffic, no Tailscale cloud proprietary control server)

- It’s naturally split-tunneling (aka. you can stay connected and it will only affect your Cosmos traffic and everything else stays normal traffic so you won’t get banned from Netflix)

- It’s a mesh VPN, and does peer-to-peer connections, so you can continue to use Constellation within your local network without having to relay your connection through a server outside of your network like a traditional VPN

- Like everything else in Cosmos, it is designed to be simple to use for beginners but also highly customizable for more expert users. It does not require any manual CLI intervention or manual config file editing.

So, how does it work? The current version uses Nebula under the hood (but this might change in the future as I have been in contact with the team working on Open Ziti), which is an open-source mesh VPN technology developed at Slack. Cosmos instruments the binary from the container (so no need for a second container) and opens the VPN on port 4242.

Here are a few screenshots of the current version (but it will change a lot before release!)

You manage your devices from the UI

Right now I haven’t started working on the app, but you can manually add any Nebula device yourself from the UI

Once added, Cosmos lets you download all the certificates you need alongside the pre-configured config file for your Cosmos or Nebula client

Download them, and you are ready to go!

And finally, restrict your URLs to be Constellation only, and boom!

Restrict the URL to the network

So!! What’s next? There is still work to do, but I am planning on releasing a “preview” version of Constellation in 2-3 weeks. Some of the work needed is:

- Harden and add customization to your network

- Implement Desktop and Mobile applications to one-click connect to your network without Nebula

- Implement a Beacon docker container that helps relay traffic in your network, to use to circumvent CGNAT among other things

This is all early-stage work! But I wanted to give an update for visibility, but also because I am eager to hear some early feedback on the work done!

Hope you are as excited as I am for Constellation, I’ll make sure to update again when the early preview is available!

Thanks for reading, and as always, happy hosting!
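The "restrict your URLs to be Constellation only" step from the post above, sketched as a reverse-proxy guard. This is an added example, not part of the original post and not Cosmos's own code; the overlay subnet `10.99.0.0/24`, the hostname `servapp.example` and the function names are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// constellationOnly (hypothetical name) lets a request through only when the
// TCP peer address is inside the VPN overlay subnet. It deliberately ignores
// X-Forwarded-For and similar headers: any client can set those, while the
// peer address on the tunnel interface is what the VPN actually authenticated.
func constellationOnly(overlay *net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil || !overlay.Contains(ip) {
			// Fail closed on unparsable or out-of-network peers.
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the guard and returns the
// HTTP status the client would see.
func statusFor(remoteAddr, forwardedFor string) int {
	_, overlay, _ := net.ParseCIDR("10.99.0.0/24") // assumed overlay subnet
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "http://servapp.example/", nil)
	req.RemoteAddr = remoteAddr
	if forwardedFor != "" {
		req.Header.Set("X-Forwarded-For", forwardedFor)
	}
	rec := httptest.NewRecorder()
	constellationOnly(overlay, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("10.99.0.7:51000", ""))            // peer on the overlay
	fmt.Println(statusFor("203.0.113.9:51000", "10.99.0.7")) // internet peer with a spoofed header
	fmt.Println(statusFor("not-an-address", ""))             // malformed peer address
}
```
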

Just wanted to say, been following this project for quite some time and your work is excellent! I look forward to the update.

Dude, you are on fire.

Great!
Technically do you need a VPN client on your devices?

This looks great! The main thing I’d like is to host Cosmos on my home server but have my domain point to a VPS which relays requests (to not expose IP or ports). Would Constellation be able to do this, or would this be a separate feature?

This seems like a really cool project! Thanks u/azukaar

So this is a kind of management tool for Nebula?

Will this be available outside of the Cosmos server?

That’s really awesome! I can’t wait to get it going, installed Cosmos yesterday on a VM in my homelab just to get myself around a bit more. I’m also figuring I might transition from my current CasaOS to Cosmos. I just need to figure out how I export my current data to import it to Cosmos.

Super excited about Constellation. I would also like to know more about how I route certain traffic through Constellation, as I manage a few websites from my IP that is trusted; that way I wouldn’t need to have a traditional VPN like WireGuard.

So let’s say I manage https://website.abc, I would like to route all traffic towards that website through Constellation if possible. :slightly_smiling_face: Maybe an odd use case?

Once Constellation is released, will it be the recommended method for accessing Cosmos services remotely?

Also, will it be more resource intensive for the server? I’m new to Cosmos, and hope to deploy it on some old hardware soon. If Constellation will run well on my old hardware, and will be the recommended setup, I may just wait for the next release before I install.

Yes, right now the Nebula client, but I am planning on having a Cosmos client. Although this client will only transfer your Cosmos traffic, not everything, to your server

Yes it will, the VPS would be the “beacon” I mention in the description

It goes beyond a simple management UI like WG-Easy, since it also has channels for automatic device onboarding and integration into the reverse proxy

Well Constellation no, but Nebula is a standalone tech too

It’s just harder to use without Cosmos

Eventually yes, but not in the beta of Constellation
Edit: well, you’ll be able to do it in the beta, but you will have to manage Cosmos instances one by one at least

Do you mean all HTTP traffic from the browser, via the domain, through Constellation? Without installing the constellation app?

Well it will be the “recommended” method for maximum security yes

Constellation (and Nebula) are very lightweight, so while there will be a slight cost due to encryption, it is not severe.

If you want to test things out in the meantime you can try running the current version of Cosmos + any VPN (ex. Wireguard) and see how it’s doing performance-wise. The result will be similar

Cool!
Hopefully your client will be available on f-droid.org

I know that is why I am asking

With the Constellation app I suppose, if I’m remotely working for example.