Testing “exotic” P2P VPN
Posted3 months agoActive3 months ago
blog.nommy.moeTechstory
calmmixed
Debate
60/100
P2P VPNMesh NetworkingWireguard
Key topics
P2P VPN
Mesh Networking
Wireguard
The post discusses various 'exotic' P2P VPN solutions, sparking a discussion on their merits, alternatives, and use cases among HN commenters.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
1h
Peak period
22
0-12h
Avg / period
9
Comment distribution36 data points
Loading chart...
Based on 36 loaded comments
Key moments
- 01Story posted
Sep 28, 2025 at 12:47 PM EDT
3 months ago
Step 01 - 02First comment
Sep 28, 2025 at 1:54 PM EDT
1h after posting
Step 02 - 03Peak activity
22 comments in 0-12h
Hottest window of the conversation
Step 03 - 04Latest activity
Oct 3, 2025 at 12:08 AM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45405815Type: storyLast synced: 11/20/2025, 5:23:56 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
I keep telling myself I should switch it to a wireguard mesh, but the configuration of tinc + the "right defaults" make it pretty neat. It's fun to watch as you roll out a configuration to one node in the mesh, and ping times drop suddenly once it can make a direct connection with the optimal route.
I keep my provisioning script + the public keys in git; so deploying it to a new machine is a git pull, generate key, push public key, and pull on the other nodes. I have about 17+ hosts on it; not using it for very high bandwidth, but I couldn't do what I do without it.
[1]: https://github.com/gsliepen/tinc/issues/443#issuecomment-184...
But the key has to be -- the configuration has to be just as simple as tinc to be effective. Like, almost just parse the configuration files and build it up with WG tunnels.
https://github.com/m13253/VxWireguard-Generator <-- this is what I use with a more serious "internal business" use case, so I know wireguard is in the sensitive security/encryption loop. It uses wireguard tunnels to make a broadcast/mesh Layer2 network with vxlan connections, and you then run OSPF/babel/your-favorite-routing-protocol over that.
Social VPN, Remobo, NeoRouter, GBridge, Wippien, PeerVPN. Remember any of these?
Just checked — none of the domains are working.
I'll need to add EasyTier - https://github.com/EasyTier/EasyTier
The "obfuscation" in Amnezia's fork does not shrink the available MTU (important for QUIC as it requires a minimum MTU of 1280 while WireGuard itself needs +80 bytes or so for route encapsulation). Amnezia's fork modifies the 4 WireGuard header values (which must be pre-agreed between peers) & occassionally appends (to handshake packets) or sends randomly generated "junk" data.
It would be like complaining Vaultwarden is bad because the Bitwarden project is not fully open source even though Vaultwarden is fully open source and has most of the features implemented.
And Headscale kind of ticks all the other boxes mentioned, except "not headscale", because:
* p2p mesh network - it is a mesh network. And even when mesh is blocked, you can use multiple relay servers (derp) which will relay to the mesh from closest location. And you can host your own derp servers.
* Open source and selfhosted - check
* Not Wireguard (Signature-based blocking) - in cases where wireguard is blocked, the derp relay servers run over https and are usually not blocked based on signatures. For example, I use it with Traefik proxy in TCP mode so I could run derp and other http services on the same 443 port and it works great. So - check?
Packaged in nixpkgs - checkOn top of that, if you add Headplane admin UI you get nice graphical management, very similar to the one of Tailscale.
I guess it doesn't really matter, but it would have been nice to give some transparency to the reader that it was not due to actual technical limitations.
It should be the same exact copy, or situation turns into "try demo version, buy the full product". At least from my point of view.
I think it makes no sense for them to put much focus on developing a separate small open source version of their server. So it is good that they actually support its development.
“ The DERP protocol does a protocol switch inside TLS from HTTP to a custom bidirectional binary protocol. It is thus incompatible with many HTTP proxies. Do not put derper behind another HTTP proxy.”
https://github.com/Janhouse/tailscaled-derper/blob/main/dock...
Since we use TLS passthrough and Traefik just proxies TCP, you have to pass certificates to derper, so you either use the Traefik certificate extractor or some other tool to get them.
And initially I though that I would have to integrate libproxyproto into derper in order to handle client IP addresses correctly behind Traefik but it looks like it doesn't really need it.
I thought the Headscale dev had been hired by Tailscale, didn’t he?
Can’t find references right now but I have a distinct memory of reading about it.
So, looks like Tailscale is paying one of the developers to develop for headscale, as par of his job.
This is one of the best ways a company can support an open source project though.
- [0] https://www.complete.org/using-yggdrasil-as-an-automatic-mes...
I want to access homeservers and LAN videogames.
I was testing zrok [1] until they went paid, then I went to ongoing experiments with Lanemu [2] (a bittorrent-based P2P VPN) and Anywhere Lan (AWL) [3].
So far, the best is AWL - it actually works, peer discovery is fast, and it gives you mDNS-style domains for connected machines; using it is very similar to Syncthing. I wish the peer discovery in Lanemu worked better, as it works all the way back to WinXP. I made a custom build of AWL that works on Win7 (https://github.com/anywherelan/awl/issues/174)
[1]: https://zrok.io/ [2]: https://gitlab.com/Monsterovich/lanemu [3]: https://github.com/anywherelan/awl
This is totally fine, because you must set the interface MTU in the first place. WireGuard is already running at 1420 and there is no problem with SMB over it despite all network participants having the default 1500. I'm get the whole 100Mbps SMB transfers over my connection over WireGuard and that's because I have only the two pairs in my UTP.
(said the lazy guy that checks if he only needs TCP and, in that case, uses sshuttle via SSH)
https://github.com/nwtgck/piping-server
I really think of ways on how I can use this which seems an amazing almost uncensorable-ish tech on how to connect two pc's. Like sometimes my brain just thinks "pipes (piping server) just for email". Its a bit of an obsession...
Something like a VPN could theoretically be created where the piping server well "pipes" it in an encrypted manner through internet.
I would love to create something like this just for the funzies but what I am more interested about is the transport layer.
Like I want something which can be independent of udp or whatever and the only thing I am worried about is how I will transport them to the other pc and then I can then lets say send them over piping server, send them over matrix or signal if need be too idk.
Is there any foss projects that can help me just hook up into things in a similar manner as to what I am asking?
I want a implementation independent-ish transport layer so that I can experiment with things which I can just pipe if I can be really really honest.
I also want more people to look into it as I use sometimes piping-server as a way to transporting files between podman containers even though its a bit slow just to try it out and honestly, just having the fun of installing curl and then being ready to go makes it so much more easier to transport files out of the box... and I want to experiment more with it, its been an obsession for almost an year on and off thinking about piping servers and how elegant they are. I used them of sorts to break an intel nat once, but since then we got some better options if somebody wants to know how to break any nats without any root without any emulation but maybe I want to create a blog post about it someday but I am lazy.
- Make all participants keep a connection with each other, each connection equivalent to an ethernet cable, and each participant a network switch.
- Just like real switches, use spanning-tree to decide which connection is used for data and which is kept as redundancy.
- Bring your own router/dhcp/etc
I think that would be quite robust.
A somewhat nice solution for that is Iroh (QUIC P2P w/ hole punching): https://www.iroh.computer
They also provide a solution to discoverability: https://www.iroh.computer/docs/concepts/discovery
Which boils down to storing ECC signed arbitrary data on the mainline DHT.
Two showcase Iroh utilities that are actually useful in practice:
https://github.com/n0-computer/dumbpipe
https://github.com/n0-computer/sendme
This seems to be a strong misunderstanding? The ssh interface is for debugging only. You can disable it and configuration is solely handled by the daemon configuration file.
I operate a small (few dozen hosts) network on Nebula with mostly NixOS hosts, so I have some applicable experience. Nebula was primarily chosen because it allows me to, among other things, assign fixed prefixes to hosts and have a full declarative config.
You don't configure a host via a CLI, instead you provide it a signed cert for the privkey + CA cert + private key + lighthouses and that's it. The daemon listens on the IPs from the cert and the lighthouses offer a public exchange where peers advertise their IPs (and associated endpoints for p2p).
The CA approach is also an important part here as all your peers effectively have the CA cert in their config file and use it to verify other peers. The CA signs a cert for each host that contains the IP prefixes that a peer may handle packets for. The only CLI you actually regularly use is here, for creating keys and signing certs.