Virtual private mesh networks
Pretending your phone is on your LAN
April 15, 2017 — July 30, 2022
VPN stands for Virtual Private Network. There are two main goals we might have with such a thing:
- Connect a bunch of our devices together into a distributed network that is also a private intranet (secure access)
- Connect our devices together with some total strangers' devices, so that when someone monitors our internet traffic it is hard to work out which traffic is ours and which is the strangers' (anonymous access)
The priorities for the two are different. This notebook is about the first goal, secure access; for the second see VPNs.
I do not fully understand the security implications of these. Clearly, even if they do what they claim and do not inspect your virtual meshnet traffic, the provider who brokers all your secure meshnet tunnels will know a lot about which devices are finding each other and where.
1 Tailscale
This is an unusual one, not really designed for anonymity so much as for secure access to your private stuff. Tailscale is a mesh VPN provider: they do not provide an anonymising internet browsing proxy but instead concentrate on purpose number 1 for VPNs, connecting distributed devices securely together. It does this with WireGuard tunnels that run directly between your devices; Tailscale's coordination server hands out each node's public key and endpoint so the devices can find each other, while the tunnel traffic itself is encrypted end to end between the devices. They automatically plug in phones, laptops, and servers, which looks really useful. Their method depends on you authenticating with some kind of faceless corporate identity provider like Microsoft or Google. I am not qualified to comment on how vulnerable this technology leaves you to these extra trusted parties.
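To make that trust split concrete, here is a small added example (not code from this page, nor from Tailscale or ZeroTier) of a brokered mesh in miniature. It assumes a simplified model: random 32-byte stand-ins for WireGuard-style node keys, constructed device names, identities and endpoints, and a coordinator whose only job is to register nodes and hand out keys and endpoints. It shows two things at once: what such a broker necessarily accumulates even if it never touches tunnel traffic (who you are, where your devices are, which devices asked for which), and why a node that pins its peers' key fingerprints out of band can refuse a key the broker swaps in.

```python
"""Toy model of a brokered mesh VPN: what the coordination server learns.

Added illustration only; not code from the page or from any VPN product.
Keys are random 32-byte stand-ins, not real WireGuard keys, and every
device name, identity and endpoint below is constructed sample data.
"""
import hashlib
import os
from collections import defaultdict


def fingerprint(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint a human can compare out of band."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class Coordinator:
    """The broker. It never sees tunnel traffic, but it sees everything else."""

    def __init__(self):
        self.registry = {}               # device -> (identity, pubkey, endpoint)
        self.lookups = defaultdict(set)  # device -> set of peers it asked about

    def register(self, device, identity, pubkey, endpoint):
        self.registry[device] = (identity, pubkey, endpoint)

    def lookup(self, requester, peer):
        """Return the peer's key and endpoint, and record who asked about whom."""
        self.lookups[requester].add(peer)
        _identity, pubkey, endpoint = self.registry[peer]
        return pubkey, endpoint

    def metadata(self):
        """Everything a curious, compromised or compelled broker could hand over."""
        return {
            "identities": {d: v[0] for d, v in self.registry.items()},
            "endpoints": {d: v[2] for d, v in self.registry.items()},
            "peer_graph": {d: sorted(p) for d, p in self.lookups.items()},
        }


class Node:
    """A device in the mesh. Its private key never leaves it."""

    def __init__(self, name, identity, endpoint):
        self.name = name
        self.identity = identity      # what the identity-provider login asserts
        self.endpoint = endpoint
        self.privkey = os.urandom(32)  # stand-in for a real private key
        # Stand-in public key derivation (a real system would use X25519).
        self.pubkey = hashlib.sha256(b"pub" + self.privkey).digest()
        self.pinned = {}               # peer -> fingerprint verified out of band

    def pin(self, peer, fp):
        self.pinned[peer] = fp

    def connect(self, coordinator, peer):
        """Fetch the peer's key from the broker; refuse it if it fails the pin."""
        pubkey, endpoint = coordinator.lookup(self.name, peer)
        fp = fingerprint(pubkey)
        if peer in self.pinned and self.pinned[peer] != fp:
            raise ValueError(f"{peer}: key from coordinator does not match pin")
        return fp, endpoint


def demo():
    """Run the honest case, then a key-substituting broker; return what happened."""
    coord = Coordinator()
    phone = Node("phone", "alice@example.com", "203.0.113.5:41641")
    laptop = Node("laptop", "alice@example.com", "198.51.100.7:41641")
    for n in (phone, laptop):
        coord.register(n.name, n.identity, n.pubkey, n.endpoint)
    # Alice reads the laptop's fingerprint off its screen and pins it on the phone.
    phone.pin("laptop", fingerprint(laptop.pubkey))
    honest_fp, _endpoint = phone.connect(coord, "laptop")   # accepted
    # A dishonest or compromised broker swaps its own key in for the laptop.
    coord.register("laptop", laptop.identity, os.urandom(32), laptop.endpoint)
    try:
        phone.connect(coord, "laptop")
        swapped_key_accepted = True
    except ValueError:
        swapped_key_accepted = False
    return coord.metadata(), honest_fp == fingerprint(laptop.pubkey), swapped_key_accepted


if __name__ == "__main__":
    print(demo())
```

The generalisation is the point: any service that distributes peers' keys is trusted for key authenticity unless the peers verify keys by some other channel, and it learns the identity, endpoint and peer-graph metadata as a matter of course, even though it cannot read the tunnel traffic.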
Apenwarr's introductory blog post, IPv4, IPv6, and a sudden change in attitude, is IMO extremely interesting for the context of the actual problem they would like to solve here.
For a single user it looks nice and is free. For multiple users it gets more expensive (USD60-USD180/person/year).
2 Zerotier
ZeroTier – Global Area Networking looks similar to Tailscale from the user’s POV but probably has a different technology stack. Adam Ierymenko’s blog post about early design decisions here sets the scene: Decentralization: I Want To Believe.
The design I settled on is ultimately rather boring. I built a peer-to-peer protocol with a central hub architecture comprised of multiple redundant shared-nothing anchor nodes at geographically diverse points on the global Internet.
I designed the protocol to be capable of evolving toward a more decentralized design in the future without disrupting existing users, but that’s where it stands today.
The source seems to be open? Pricing is reasonably cheap. The pragmatic tradeoffs seem reasonable to me.
3 NordVPN Meshnet
VPN provider NordVPN also has a meshnet service.
4 Dev tunnels
A new Microsoft product, Dev tunnels, attempts to do some useful stuff here. I do not know much about its technology or licensing.