
PeerVPN – Open-source peer-to-peer VPN - codexon
http://www.peervpn.net/
======
Uberphallus
I've tried a bunch of P2P VPN software, and while PeerVPN is quite OK, unless
you really need to tunnel ethernet frames, I'd recommend cjdns:
[https://github.com/cjdelisle/cjdns](https://github.com/cjdelisle/cjdns)

It's actively updated, and the software used for Project Meshnet. You can join
the Hyperboria network, or just connect all of your computers in isolation. I
have it running on the computers I manage, from tiny OpenWRT routers to big
servers.

I did the switch from tinc because certificates are a pain to generate and
distribute, and because of security concerns: [http://www.tinc-vpn.org/security/](http://www.tinc-vpn.org/security/)

~~~
codexon
cjdns looks interesting but it seems to be ipv6 only.

I submitted this story because peervpn looks like the easiest to setup by a
wide margin. No certs required and very easy to start on a new machine.

~~~
jMyles
Once running, cjdns creates a virtual ipv6 adapter.

To connect to other nodes, it uses either IP(v4 or v6) or Ethernet Frames.
See: [https://github.com/cjdelisle/cjdns#3-connect-your-node-to-yo...](https://github.com/cjdelisle/cjdns#3-connect-your-node-to-your-friends-node)

I'm working on a Django Rest Framework frontend for it, Cirque:
[https://github.com/jMyles/cirque](https://github.com/jMyles/cirque), which
will make this easier to visualize.

~~~
codexon
This isn't helpful for running software that only supports ipv4 though.

~~~
jMyles
Ahh, I misunderstood your requirement.

Fortunately, CJDNS works for this use case as well. It is possible to use a
"tunnel" to connect CJDNS nodes via an IPv4 virtual interface or to connect to
a gateway to IPv4. This way, IPv4 software can connect both to other nodes and
to the outside internet.

At the moment, I believe that this is only configurable through the UDP admin
interface, but this is most definitely a feature that we'll build into Cirque.

[https://github.com/cjdelisle/cjdns/blob/master/admin/README....](https://github.com/cjdelisle/cjdns/blob/master/admin/README.md#iptunnel-functions)

~~~
codexon
My personal use case is to secure a handful of servers across datacenters
for software that doesn't have encryption enabled.

If I use CJDNS to do this, it seems like I have a lot more steps to do. I have
to copy everyone's pub key and setup ipv4 tunneling on each server?

With PeerVPN all I have to do is pick a single password and copy and paste it
to each other server while only needing to change the static IP.

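The single-password setup codexon describes above corresponds to PeerVPN's pre-shared key, the `psk` setting. The script below is an added example, not code from PeerVPN or from anyone in this thread: a POSIX shell helper that renders one config file per server from a shared PSK, so that only the interface address and peer list differ between hosts. The config keys (`networkname`, `psk`, `port`, `enabletunneling`, `interface`, `ifconfig4`, `initpeers`) and the `initpeers host port ...` line format are assumed from PeerVPN's sample config and should be checked against the version you deploy; the 32-character minimum and the hostnames are this script's own choices. The PSK check is there because the key is the entire trust boundary of the mesh: any host holding it, including a compromised one, can join and see the traffic.

```shell
#!/bin/sh
# Added example: render per-host PeerVPN configs from one shared PSK.
# Not part of PeerVPN; config keys and the initpeers syntax are assumed
# from PeerVPN's sample config and must be checked against your version.
set -eu

# check_psk PSK: refuse short or oddly formatted keys. PeerVPN derives every
# session key from this one string, so it must be long and random, not a
# memorable password. The 32-char floor is this script's policy, not a
# PeerVPN requirement.
check_psk() {
    psk=$1
    if [ "${#psk}" -lt 32 ]; then
        echo "psk too short: ${#psk} chars, need at least 32" >&2
        return 1
    fi
    case $psk in
        *[!A-Za-z0-9+/=]*)
            echo "psk contains characters outside the base64 set" >&2
            return 1 ;;
    esac
    return 0
}

# new_psk: 32 random bytes, base64 encoded (44 chars), passes check_psk.
new_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# render_config NETNAME PSK PORT IFACE IP4CIDR [HOST:PORT ...]
# Prints a PeerVPN config to stdout. Every host shares NETNAME, PSK and
# PORT; only IP4CIDR (and possibly the peer list) differs per host.
render_config() {
    netname=$1; psk=$2; port=$3; iface=$4; ip4=$5
    shift 5
    check_psk "$psk" || return 1
    printf 'networkname %s\n' "$netname"
    printf 'psk %s\n' "$psk"
    printf 'port %s\n' "$port"
    printf 'enabletunneling yes\n'
    printf 'interface %s\n' "$iface"
    printf 'ifconfig4 %s\n' "$ip4"
    # Assumed format: one line, "initpeers host port host port ..."
    peers=""
    for p in "$@"; do
        peers="$peers ${p%%:*} ${p##*:}"
    done
    [ -z "$peers" ] || printf 'initpeers%s\n' "$peers"
}

# Usage with constructed hostnames: generate the PSK once, keep it in your
# secret store, then render one config per server with its own address.
# PSK=$(new_psk)
# render_config ExampleNet "$PSK" 7000 peervpn0 10.8.0.1/24 \
#     node-b.example.com:7000 node-c.example.com:7000 > /etc/peervpn/node-a.conf
```

Generate the PSK on one machine, distribute it over an already authenticated channel (ssh, a secrets manager), and keep the rendered files root-only, since the file is equivalent to the key. Rotating the PSK means re-rendering and restarting every node, which is the price of the copy-and-paste simplicity the thread is praising.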
------
fulafel
Original IPSec works like this too (in addition to the gateway mode). It's not
called VPN, because it's just a feature you enabled in IP - you have the same
address etc.

It failed to reach popularity largely because it used X.509 for keys and there
was no PKI. And bad UI and NAT and some other nails in the coffin.

But there was a point when there was a more or less credible bright future of
everybody running IPSec, no NAT and IPv6, and you wouldn't need firewalls
because you could just configure who you want to talk to using IPSec security
policy and strong authentication...

------
huhtenberg
This looks like OpenVPN with a peer discovery overlay. Or perhaps a bit like
Hamachi, but without NAT traversal and automatic rendezvous/discovery service.

[Edit] Hmmm, the homepage says

> Automatically builds tunnels through firewalls and NATs

but I don't see anything in the code that would suggest that it can connect
two NAT'ed peers directly. There's a relaying support and (I think) there's a
connect-back like option for asking others to connect to you if you are NATed.

~~~
Galanwe
> but I don't see anything in the code that would suggest that it can connect
> two NAT'ed peers directly.

Which is not really a problem IMHO.

I mean, most of the time these peer-to-peer VPN solutions are useful when you
have boxes with a single public internet interface (this is what you get with
most "cheap" hosting offers), and you want a private network between them. In
this case no NAT is involved.

And of course, if you plan to connect your laptop to this network, then you
are probably behind your ISP router NAT, so 1 NAT'ed peer connect-back will be
useful here.

But 2 sides behind NAT configuration is a more unlikely use case. Either you
are dealing with two "users" behind their ISP router - but in this case what
are these guys trying to do? Some Hamachi-like usage? Considering it's linux
only that wouldn't be all that useful. Then they will anyway need some STUN
server so that's not really peer-to-peer anymore.

~~~
detaro
I'd argue to the contrary: a group of personal machines all behind NAT is the
perfect use case for this, because you have many nodes and none of them is in
a good position to act as a server. Exactly something like Hamachi, just more
stable/better integrated with Linux. (maybe that has changed, but my
experiences with Hamachi weren't great)

~~~
Galanwe
The point of my post was exactly to state that this case does _not_ exist...
Because 1) a layer 2 virtual network between "user-like" hosts serves no real
purpose, except for games (which is the main use of Hamachi). And since this
is linux only, I doubt there is a real use case of gaming here. 2) if you have
this setup, then you will need a STUN server anyway to bypass mutual NAT'd
users. This is why, IMHO, there is no real need for mutual NAT traversal in
these kinds of VPNs.

~~~
detaro
games, filesharing, access to streaming devices, cameras, ... VPNs for home
users is far from solved (many routers support VPNs, but are not always that
easy to set up, don't always work easily in both directions, ... Hamachi comes
close when it works properly, but is also missing a few bits) This project
might not be the best base (at least Mac support and some UI bits would be
helpful), but that doesn't mean the problem doesn't exist.

And even for more technical users, it would be nice to have something for a
quick connection that is real quick to set up.

------
emilburzo
Nice, I'm currently using tinc for a personal project and always wondered why
meshed VPNs aren't more popular, really glad alternatives are popping up.

------
101914
While this particular implementation of ethernet over UDP (true/false?) is not
my first choice for several reasons, I congratulate the author for (a) keeping
the code small and (b) thinking beyond Windows/Linux/OSX, i.e., enabling easy,
fast compilation on *BSD, an OS which had networking before any of the others.

Almost all of the other P2P alternatives I have seen over the years fail on
either (a) or (b).

------
rcarmo
Seems to work great. Just built a Dockerfile to build and run it (I use Docker
to build one-off binaries without littering my machines with junk libraries):

[https://github.com/rcarmo/docker-templates/tree/master/peerv...](https://github.com/rcarmo/docker-templates/tree/master/peervpn)

------
tokenizerrr
Just installed this on three of my servers to give it a try. So far it seems
to be working quite nicely and was a breeze to set up. Some more documentation
and public mailing list/issue tracker would be good, though.

------
mike-cardwell
I've been using tinc, but it's a pain to add new nodes to the network.
Definitely going to give PeerVPN a try.

------
Galanwe
How does this compare to something like Freelan?

~~~
AhmadMhd
Freelan is more complex and has more features and uses, I've never tried it but
I think it's not that simple nor lightweight unlike PeerVPN.

