Virtual private mesh networks

Pretending your phone is on your LAN

2017-04-15 — 2026-03-26

Wherein secure private meshes are surveyed for use in secure access rather than anonymity, and it is noted that the tunnel brokering is performed by providers who can observe which devices interconnect, with authentication routed via corporate identity providers.

computers are awful together
confidentiality
cryptography
diy
Figure 1

VPN stands for Virtual Private Network. There are two main goals we might have with such a thing:

  1. Connect a bunch of our devices together in a distributed network which is also a private intranet (secure access)
  2. Send our traffic out through the same exit as the traffic of many total strangers, so that when someone monitors that internet traffic it is hard to work out which of it is ours and which is the strangers’ (anonymous access)

The priorities are different for each. This notebook is about (1), but for (2) see VPNs.

I do not fully understand the security implications of these. Clearly, even if the providers do what they claim and do not inspect our virtual meshnet traffic, the provider who brokers all our secure meshnet tunnels will still know a lot about which devices are connecting to each other, and where: it holds the directory of every node, the identity that enrolled it and the network address it connects from, and, in Tailscale’s case, it is also the party that hands each node the public keys of the others, so we trust it for key distribution as well.
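The brokering problem just described, as an added example written for this page (it is not code from Tailscale, ZeroTier or any other product): a toy Python model of a coordination server that distributes node keys and endpoints. It shows what metadata even an honest broker holds, what a dishonest one can do to the peer list (add a node of its own, swap a real node’s key), and how a locally held countersignature over node keys (the idea behind Tailscale’s tailnet lock feature, modelled here with HMAC under a secret the broker never sees rather than with real asymmetric signatures) blocks both tricks. All hostnames, keys, logins and endpoints are constructed.

```python
"""
Toy model of a brokered mesh VPN's trust relationships. Added example for
this page, not code from Tailscale, ZeroTier or any other product; every
name, key, login and endpoint below is constructed.

The broker (coordination server) stores each node's public key, endpoint
and enrolling identity and hands every node its peer list. Tunnels are then
end-to-end encrypted between peers, so the broker never sees payloads, but
it does see the directory, and a broker that lies about a key can splice a
node of its own into the mesh. The "locked" acceptance path models a
tailnet-lock style countermeasure: a node key is only used if countersigned
by a key the broker does not hold. HMAC under a secret the broker never
sees stands in for a real signature here.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str       # hostname registered with the broker
    pubkey: bytes   # long-term tunnel public key (opaque 32 bytes here)
    endpoint: str   # ip:port the broker learned from the node
    login: str      # identity-provider account that enrolled the node


class Broker:
    """The provider's control plane: it holds everything except payloads."""

    def __init__(self) -> None:
        self.directory: dict[str, Peer] = {}

    def register(self, peer: Peer) -> None:
        self.directory[peer.name] = peer

    def peer_list(self, requester: str) -> list[Peer]:
        return [p for p in self.directory.values() if p.name != requester]

    def observed_metadata(self) -> set[tuple[str, str, str]]:
        """What even an honest broker learns: who enrolled what, from where."""
        return {(p.name, p.login, p.endpoint) for p in self.directory.values()}

    # The two things a compromised or coerced broker can do to the directory.
    def inject_rogue_node(self, name: str, endpoint: str) -> None:
        self.register(Peer(name, secrets.token_bytes(32), endpoint, "attacker"))

    def substitute_key(self, name: str) -> None:
        old = self.directory[name]
        self.directory[name] = Peer(name, secrets.token_bytes(32), old.endpoint, old.login)


def countersign(signing_secret: bytes, peer: Peer) -> bytes:
    """Stand-in for a signing node's signature over (name, pubkey)."""
    msg = peer.name.encode() + b"|" + peer.pubkey
    return hmac.new(signing_secret, msg, hashlib.sha256).digest()


def accept_trusting_broker(peers: list[Peer]) -> list[str]:
    """Default posture: whatever the broker says, we tunnel to."""
    return [p.name for p in peers]


def accept_with_lock(peers: list[Peer], signing_secret: bytes,
                     signatures: dict[str, bytes]) -> list[str]:
    """Locked posture: only keys carrying a valid countersignature are used."""
    accepted = []
    for p in peers:
        sig = signatures.get(p.name)
        if sig is not None and hmac.compare_digest(sig, countersign(signing_secret, p)):
            accepted.append(p.name)
    return accepted


def demo() -> dict:
    broker = Broker()
    signing_secret = secrets.token_bytes(32)   # held by the user's signing node only
    nodes = [
        Peer("laptop", secrets.token_bytes(32), "203.0.113.10:41641", "alice@example.com"),
        Peer("phone", secrets.token_bytes(32), "198.51.100.7:41641", "alice@example.com"),
        Peer("server", secrets.token_bytes(32), "192.0.2.5:41641", "alice@example.com"),
    ]
    for n in nodes:
        broker.register(n)
    # Countersignatures are produced out of band, before the broker goes bad.
    signatures = {n.name: countersign(signing_secret, n) for n in nodes}

    # Broker goes bad: adds a node it controls and swaps the server's key.
    broker.inject_rogue_node("laptop-2", "203.0.113.99:41641")
    broker.substitute_key("server")

    peers = broker.peer_list("laptop")
    return {
        "trusting": accept_trusting_broker(peers),
        "locked": accept_with_lock(peers, signing_secret, signatures),
        "broker_sees": broker.observed_metadata(),
    }


if __name__ == "__main__":
    print(demo())
```

In the trusting posture the laptop happily tunnels to the attacker’s `laptop-2` and to a `server` whose key the attacker now holds; in the locked posture only `phone` survives, because neither the rogue node nor the swapped key carries a valid countersignature. Note that the lock does nothing about the metadata: `observed_metadata()` still lists every node, login and endpoint, which is the point made above.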

1 Tailscale

Figure 2

This is an unusual one, and it’s not really designed for anonymity so much as secure access to our private stuff. Tailscale is a mesh VPN provider: it does not offer an anonymising internet-browsing VPN proxy at all, but instead focuses on purpose number one for VPNs, securely connecting distributed devices together. It automatically hooks up phones, laptops, and servers, which looks really useful. The catch is that its method depends on us authenticating with some kind of faceless corporate identity provider like Microsoft or Google, and on a coordination server run by Tailscale that distributes each node’s public key to the others. (Tailscale’s tailnet lock feature exists to narrow the second dependency: nodes then refuse keys from the coordination server unless trusted signing nodes have countersigned them.) I am not qualified to comment on how vulnerable this technology leaves us to these extra trusted parties.

Apenwarr’s introductory post, IPv4, IPv6, and a sudden change in attitude, is extremely interesting for the context around the actual problem Tailscale wants to solve here, IMO.

For a single user it looks nice and is free. For multiple users it gets more expensive (USD60–USD180 per person per year).

2 Zerotier

ZeroTier – Global Area Networking looks similar to Tailscale from our POV, but its technology stack is different: it uses its own protocol rather than WireGuard. Adam Ierymenko’s post about early design decisions sets the scene: Decentralization: I Want To Believe.

The design I settled on is ultimately rather boring. I built a peer-to-peer protocol with a central hub architecture comprised of multiple redundant shared-nothing anchor nodes at geographically diverse points on the global Internet.

I designed the protocol to be capable of evolving toward a more decentralized design in the future without disrupting existing users, but that’s where it stands today.

The source is published, under the Business Source License, so it is source-available rather than open source in the strict sense. Pricing seems reasonably cheap. The pragmatic trade-offs seem reasonable to me.

3 Pangolin

I think Pangolin almost fits in this category, but it’s more of a secure access VPN than a meshnet, and it’s designed for remote access to devices rather than connecting devices to each other. It has cool bonus features like native browser consoles.

4 Nordvpn Meshnet

The VPN provider NordVPN also has a meshnet service.

5 devtunnels

Dev tunnels is a newer Microsoft product that does some useful stuff in this space, though it exposes a local service through a Microsoft-hosted tunnel, which is closer to remote access than to a mesh. I do not know much about its technology or licensing.