
Does anyone here have any experience with other distributed VPNs?


ZeroTier: it connects my laptop, my VDS, and my behind-two-NATs home machine pretty efficiently. That is, e.g., when my laptop is connected to the home wi-fi, the zerotier interface seems to exchange packets directly with the home machine.

Presence of an Android client is important for me. Auto-reconfiguration in a new network (laptop on a public wi-fi, phone on mobile networks) is nice.

"Peer-to-peer discovery" is not important for me, that is, I'm OK with my nodes discovering the network via a control center. (You can self-host the control center.)


cjdns works for me and seems quite secure as a private, distributed VPN. It automatically assigns an unforgeable IPv6 address to each node:

https://github.com/cjdelisle/cjdns
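The "unforgeable" address mentioned above comes from how cjdns derives a node's IPv6 address: it is the first 16 bytes of the double SHA-512 of the node's Curve25519 public key, and only addresses in fc00::/8 are accepted, so key generation loops until the hash starts with 0xfc. A peer can verify the claim by hashing the key it just completed a handshake with; forging a chosen address would mean finding a key whose hash collides on those 16 bytes. The following is an added illustration of that derivation, not code from the cjdns project; as a simplification it draws random 32-byte strings in place of real X25519 public keys (in cjdns the private key is random and the public key is computed from it), so `grind_key` and its `rng` parameter are illustrative only.

```python
import hashlib
import ipaddress
import os


def cjdns_address(pubkey: bytes) -> bytes:
    """Derive the 16-byte cjdns address from a 32-byte Curve25519 public key.

    cjdns hashes the public key with SHA-512, hashes that digest again with
    SHA-512, and takes the first 16 bytes as the node's IPv6 address.
    """
    if len(pubkey) != 32:
        raise ValueError("Curve25519 public keys are 32 bytes")
    first = hashlib.sha512(pubkey).digest()
    second = hashlib.sha512(first).digest()
    return second[:16]


def is_valid_cjdns_address(addr: bytes) -> bool:
    """A cjdns address is only usable if it lies in fc00::/8 (first byte 0xfc)."""
    return len(addr) == 16 and addr[0] == 0xFC


def format_address(addr: bytes) -> str:
    """Render the 16 raw bytes as a textual IPv6 address."""
    return str(ipaddress.IPv6Address(addr))


def grind_key(rng=os.urandom):
    """Draw candidate keys until the derived address lands in fc00::/8.

    About 1 in 256 candidates pass. `rng(32)` stands in for generating a
    keypair and taking its public half (illustrative simplification, see the
    lead-in); returns (key, address, attempts).
    """
    attempts = 0
    while True:
        attempts += 1
        candidate = rng(32)
        addr = cjdns_address(candidate)
        if is_valid_cjdns_address(addr):
            return candidate, addr, attempts


def verify_peer_claim(claimed_addr: bytes, peer_pubkey: bytes) -> bool:
    """What a peer does after a handshake: recompute the address from the
    public key that authenticated the session and compare it to the claim."""
    derived = cjdns_address(peer_pubkey)
    return is_valid_cjdns_address(derived) and derived == claimed_addr


if __name__ == "__main__":
    key, addr, n = grind_key()
    print(f"found {format_address(addr)} after {n} candidates")
    # A forged claim: any other key will not hash to this address.
    print("claim verifies:", verify_peer_claim(addr, key))
    print("forged claim verifies:", verify_peer_claim(addr, os.urandom(32)))
```

Because the address is a hash of the key rather than a field in a certificate or a value assigned by a coordinator, there is no central authority whose compromise lets someone take over an existing address; the cost of the scheme is that you cannot pick your own address, only grind for one.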


Tinc (http://www.tinc-vpn.org) works well for me and can do meshing.


gvpe is similar to tinc, and I wrote up a small piece about using it on Debian here:

https://debian-administration.org/article/695/Joining_dispar...


Check out wireguard: https://www.wireguard.io/


Wireguard supports roaming but it's not distributed in a p2p global sense.


True. tinc: https://www.tinc-vpn.org/ is another option for distributed VPN

But if you're ok with discovery going through master/server and then connecting directly to peers for traffic, I'd stick with Wireguard.


PeerVPN – Open-source peer-to-peer VPN

https://news.ycombinator.com/item?id=9025792


I used to use n2n:

https://github.com/meyerd/n2n

Haven't found anything else quite like it.


Why did you stop using it?


Well, it seems to be stalled, for starters.

Running a VPN between only 4 machines wasn't that useful, and it needs a central server. I quite like Meshbird's idea of using DHT instead. If it ever evolves to improve its crypto and setup, I might take it up instead.


"... it needs a central server."

There is a PDF by the original author that explains the difference from "VPNs".

A reachable IP address and a TAP device are the only requirements.

For example, two edges can also be supernodes. A third party supernode would only be needed for the initial connection. Once connected, then each can use the supernode run by the other. The third party is no longer needed. No central server.

As for DHT, who runs the DHT bootstrap server?

Do DHT users run their own bootstrap servers?

Do users exercise any control over the DHT? Who does?


By central server I mean a referral hub, yes. But I just couldn't keep one up reliably (in the sense that I didn't want to, since the mesh had to be fairly dynamic in my case).


The IPsec stack that comes with your OS probably supports host-to-host mesh when suitably configured.


I run Wormhole (hosted "distributed" VPN / Overlay Networking / You name it), which uses SoftEther behind the curtains: https://wormhole.network


Not a VPN and not distributed, but probably worth mentioning anyway: Tor hidden service + SSH. Works very well.


I've used DMVPN extensively, but mostly on (Cisco) BFRs.



