PeerVPN – Open-source peer-to-peer VPN (peervpn.net)
114 points by codexon on Feb 10, 2015 | 20 comments

I've tried a bunch of P2P VPN software, and while PeerVPN is quite OK, unless you really need to tunnel ethernet frames, I'd recommend cjdns: https://github.com/cjdelisle/cjdns

It's actively updated, and the software used for Project Meshnet. You can join the Hyperboria network, or just connect all of your computers in isolation. I have it running on the computers I manage, from tiny OpenWRT routers to big servers.

I switched from tinc because certificates are a pain to generate and distribute, and because of security concerns: http://www.tinc-vpn.org/security/

You might also want to have a look at fastd, which is quite small... https://projects.universe-factory.net/projects/fastd/wiki

cjdns looks interesting but it seems to be ipv6 only.

I submitted this story because peervpn looks like the easiest to set up by a wide margin. No certs required and very easy to start on a new machine.

Once running, cjdns creates a virtual ipv6 adapter.

To connect to other nodes, it uses either IP (v4 or v6) or Ethernet frames. See: https://github.com/cjdelisle/cjdns#3-connect-your-node-to-yo...

I'm working on a Django Rest Framework frontend for it, Cirque: https://github.com/jMyles/cirque, which will make this easier to visualize.

This isn't helpful for running software that only supports ipv4 though.

Ahh, I misunderstood your requirement.

Fortunately, CJDNS works for this use case as well. It is possible to use a "tunnel" to connect CJDNS nodes via an IPv4 virtual interface or to connect to a gateway to IPv4. This way, IPv4 software can connect both to other nodes and to the outside internet.

At the moment, I believe that this is only configurable through the UDP admin interface, but this is most definitely a feature that we'll build into Cirque.


My personal use case is to secure a handful of servers across datacenters for software that doesn't have encryption enabled.

If I use CJDNS to do this, it seems like I have a lot more steps to do. I have to copy everyone's pub key and set up ipv4 tunneling on each server?

With PeerVPN all I have to do is pick a single password and copy and paste it to each other server while only needing to change the static IP.
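The "one password, change only the static IP per node" workflow described in the comment above, as an added example that is not part of the thread or of PeerVPN's own code. It renders one config file per node from a constructed inventory, generates the shared PSK once from /dev/urandom, and writes each file owner-readable only, since every copy carries the mesh's single secret. The config keys (port, networkname, psk, enabletunneling, interface, ifconfig4, initpeers) and the "host port host port" format of initpeers are assumptions taken from the PeerVPN README as I recall it; check them against the version you deploy.

```shell
#!/bin/sh
# Added example, not PeerVPN project code. Renders per-node PeerVPN configs
# from a single shared PSK; only the tunnel address differs between nodes.
# Config keys and the initpeers format are ASSUMED from the PeerVPN README.
set -eu

NETNAME="${NETNAME:-ExampleNet}"        # constructed network name
PORT="${PORT:-7000}"                    # UDP port every node listens on
OUTDIR="${OUTDIR:-./peervpn-conf}"      # where rendered configs go

# One random 256-bit PSK for the whole mesh, hex-encoded so it is safe
# to place in a plain-text config line.
gen_psk() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# render_conf NODE TUNNEL_IP PSK INITPEERS
# Writes $OUTDIR/NODE.conf with mode 600 and prints its path.
render_conf() {
    node="$1"; tun_ip="$2"; psk="$3"; initpeers="$4"
    mkdir -p "$OUTDIR"
    out="$OUTDIR/$node.conf"
    (
        umask 077   # file holds the shared secret: owner-readable only
        {
            printf 'port %s\n' "$PORT"
            printf 'networkname %s\n' "$NETNAME"
            printf 'psk %s\n' "$psk"
            printf 'enabletunneling yes\n'
            printf 'interface peervpn0\n'
            printf 'ifconfig4 %s/24\n' "$tun_ip"
            printf 'initpeers %s\n' "$initpeers"
        } > "$out"
    )
    printf '%s\n' "$out"
}

# render_mesh PEERFILE
# PEERFILE lines are "node public_host tunnel_ip" (a constructed inventory).
# Every node gets the same PSK; its initpeers lists the other nodes' public
# endpoints, so each node can bootstrap from any of the others.
render_mesh() {
    peerfile="$1"
    psk="$(gen_psk)"
    while read -r node host tun_ip; do
        [ -z "$node" ] && continue
        initpeers="$(awk -v self="$node" -v port="$PORT" \
            '$1 != self { printf "%s%s %s", (n++ ? " " : ""), $2, port }' \
            "$peerfile")"
        render_conf "$node" "$tun_ip" "$psk" "$initpeers"
    done < "$peerfile"
}

# Usage (constructed inventory; 203.0.113.0/24 is documentation address space):
#   printf 'alpha 203.0.113.10 10.8.0.1\nbeta 203.0.113.20 10.8.0.2\n' > peers.txt
#   render_mesh peers.txt
# then copy each NODE.conf to its host and start peervpn with it.
```

The PSK is generated on the machine running the script and lands in every rendered file, so distribute the files over an authenticated channel (scp, a configuration-management secret store) rather than pasting the password around by hand, and rotate it by re-running the script when a node is retired: with a single shared secret, one compromised host is a compromise of the whole mesh.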

Original IPSec works like this too (in addition to the gateway mode). It's not called VPN, because it's just a feature you enable in IP - you have the same address etc.

It failed to reach popularity largely because it used X.509 for keys and there was no PKI. And bad UI and NAT and some other nails in the coffin.

But there was a point when there was a more or less credible bright future of everybody running IPSec, no NAT and IPv6, and you wouldn't need firewalls because you could just configure who you want to talk to using IPSec security policy and strong authentication...

This looks like OpenVPN with a peer discovery overlay. Or perhaps a bit like Hamachi, but without NAT traversal and automatic rendezvous/discovery service.

[Edit] Hmmm, the homepage says

> Automatically builds tunnels through firewalls and NATs

but I don't see anything in the code that would suggest that it can connect two NAT'ed peers directly. There's a relaying support and (I think) there's a connect-back like option for asking others to connect to you if you are NATed.

> but I don't see anything in the code that would suggest that it can connect two NAT'ed peers directly.

Which is not really a problem IMHO.

I mean, most of the time these peer-to-peer VPN solutions are useful when you have boxes with a single public internet interface (this is what you get with most "cheap" hosting offers), and you want a private network between them. In this case no NAT is involved.

And of course, if you plan to connect your laptop to this network, then you are probably behind your ISP router NAT, so 1 NAT'ed peer connect-back will be useful here.

But a configuration with both sides behind NAT is a more unlikely use case. Either you are dealing with two "users" behind their ISP router - but in this case what are these guys trying to do? Some Hamachi-like usage? Considering it's Linux only that wouldn't be all that useful. Then they will anyway need some STUN server so that's not really peer-to-peer anymore.

I'd argue to the contrary: a group of personal machines all behind NAT is the perfect use case for this, because you have many nodes and none of them is in a good position to act as a server. Exactly something like Hamachi, just more stable/better integrated with Linux. (maybe that has changed, but my experiences with Hamachi weren't great)

The point of my post was exactly to state that this case does _not_ exist... Because 1) a layer 2 virtual network between "user-like" hosts serves no real purpose, except for games (which is the main use of Hamachi). And since this is Linux only, I doubt there is a real use case of gaming here. 2) if you have this setup, then you will need a STUN server anyway to bypass mutual NAT'd users. This is why, IMHO, there is no real need for mutual NAT traversal in these kinds of VPNs.

Games, filesharing, access to streaming devices, cameras, ... VPNs for home users are far from solved (many routers support VPNs, but are not always that easy to set up, don't always work easily in both directions, ... Hamachi comes close when it works properly, but is also missing a few bits). This project might not be the best base (at least Mac support and some UI bits would be helpful), but that doesn't mean the problem doesn't exist.

And even for more technical users, it would be nice to have something for a quick connection that is real quick to set up.

Nice, I'm currently using tinc for a personal project and always wondered why meshed VPNs aren't more popular, really glad alternatives are popping up.

While this particular implementation of ethernet over UDP (true/false?) is not my first choice for several reasons, I congratulate the author for (a) keeping the code small and (b) thinking beyond Windows/Linux/OSX, i.e., enabling easy, fast compilation on *BSD, an OS which had networking before any of the others.

Almost all of the other P2P alternatives I have seen over the years fail on either (a) or (b).

Seems to work great. Just built a Dockerfile to build and run it (I use Docker to build one-off binaries without littering my machines with junk libraries):


Just installed this on three of my servers to give it a try. So far it seems to be working quite nicely and was a breeze to set up. Some more documentation and public mailing list/issue tracker would be good, though.

I've been using tinc, but it's a pain to add new nodes to the network. Definitely going to give PeerVPN a try.

How does this compare to something like Freelan?

Freelan is more complex and has more features and uses. I've never tried it, but I think it's not that simple nor lightweight, unlike PeerVPN.
