Show HN: Weron – A Peer-to-Peer VPN Based on WebRTC Written in Go

Is what makes this a &quot;P2P&quot; VPN--as opposed to merely VPN software that you might choose to use between peers (such as Wireguard)--that it supports the group&#x2F;&quot;community&quot; network behavior? When you do that, are you building a fully-connected overlay network--where everyone has a separate WebRTC link to each of the other participants--or are you building some kind of organized P2P network topology out of the participants?<p>(Note: I work on Orchid, a decentralized market for bandwidth built on Ethereum and WebRTC, which has a multi-hop-capable VPN client for various platforms available.)

This looks pretty slick, and the WebRTC seems like it might offer some choices of traversal that would work where others don&#x27;t. The inbuilt tools for &quot;chat&quot; (seems a useful test), throughput and latency also seem nice. I&#x27;ve been running into some weirdnesses at times with Nebula and Zero Tier where it&#x27;s unclear where my latency or throughput limits are coming from.<p>I&#x27;m looking forward to doing a lot more with overlay networks in the short term, I&#x27;ve been playing with a variety of them over the last 18 months or so and just need to pick something and start deploying it.

Why wouldn&#x27;t you just tunnel WireGuard over WebRTC? There&#x27;s already a very, very good implementation of WireGuard --- one of the two major production implementations --- in Go. We tunnel it over WebSockets, and it took like an hour to write that code.

No one is raising the question of how to handle community name&#x2F;key management for persistent communities. With n2n, which long predates Zerotier, Wireguard and Tailscale, one of the authors thought there needed to be automatic key rotation and also communication between &quot;signal&quot; servers. Original n2n allowed tunneling over HTTP as a fallback. It should be noted that n2n was never meant to be used for large communities, say, over 100 peers. Sure enough, the author of weron is issuing that same warning here.<p>Many years ago I had each peer run their own smtpd listening on the n2n TAP interface. It was peer-to-peer, encrypted email. This can be done for many other protocols, too. With Layer 2 overlay, there are no middlemen. Direct connectivity to friends and family with no need for Google&#x2F;Facebook.<p>Layer 2 overlay networks with n2n can be significantly faster if automatic encryption is turned off. In that case, the user can encrypt and sign sensitive files with a separate program before sending them through the TAP interface. It works quite well.

Hey, I have been using Wireguard and Nebula to connect to my home network for a while now, but theyre blocked by my uni. I bypass the blocking using shadowsocks but its still a hassle.<p>I&#x27;ll test out Weron and hopefully I dont need to tunnel it through shadowsocks.

This is so cool! I love the embedded aspect of it, that was a big goal of Pion. Really exciting for users to not have to setup&#x2F;configure a service to get connectivity going.<p>re: concerns about STUN I would love to experiment with adding NAT-PMP&#x2F;PCP support to pion&#x2F;ice. STUN server usage seems to be a major sticking point for people. Talked about it a bit here [0]. I am all for doing it, just would like to know the code is actually wanted before writing it :)<p>[0] <a href="https:&#x2F;&#x2F;mobile.twitter.com&#x2F;_pion&#x2F;status&#x2F;1522365018855165952" rel="nofollow">https:&#x2F;&#x2F;mobile.twitter.com&#x2F;_pion&#x2F;status&#x2F;1522365018855165952</a>

Wow, some awesome work here. I would be interested to know your thoughts on OpenZiti (<a href="https:&#x2F;&#x2F;openziti.github.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;openziti.github.io&#x2F;</a>). Its an open source project that allows you to embed private connectivity into your app using one of the many SDKs together with strong identity allowing outbound only connections. It is a mesh overlay similar to TURN but uses a concept of smart routing to normally reduce latency through circumvention of BGP. Various superpowers can be seen here - <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;playlist?list=PLMUj_5fklasKF1oisSSuLwSzLVxuL9JbC" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;playlist?list=PLMUj_5fklasKF1oisSSuL...</a>

very cool! was recently musing about how the next frontier in vpns is steganography, and here we are.<p>are the webrtc streams running at a constant bitrate or can the streams be detected by doing traffic timing analysis?<p>(i once looked at adding constant bitrate support to wireguard but ultimately abandoned it as it was looking to be excessively complicated)

Here is some initial feedback: Nice selection of static binaries!<p>However the choice to hardcode Google as a default STUN server is off-putting. IMHO, 2008&#x27;s n2n would never set a third party server as a default. <a href="https:&#x2F;&#x2F;luca.ntop.org&#x2F;n2n.pdf" rel="nofollow">https:&#x2F;&#x2F;luca.ntop.org&#x2F;n2n.pdf</a>

Can this be used as a library like libp2p, or does it require me to run binaries?

This looks nice. Do you have Android&#x2F;iOS mobile apps on the roadmap?

Well done!<p>Disclaimer: I&#x27;m author of netbirdio - a similar project.<p>Using WebRTC makes it possible to have a tunnel from the browser directly. Combined with a virtual terminal it just makes it even cooler!<p>@pojntfx what do you think about that? Feasible with your implementation?<p>I&#x27;ve been playing with such functionality in Netbird but since it depends on Wireguard it is a bit tricky :)<p>Would love to have your feedback as well on our project<p><a href="https:&#x2F;&#x2F;github.com&#x2F;netbirdio&#x2F;netbird" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;netbirdio&#x2F;netbird</a>

Having a docker image that sets up a VPN server with ideally zero config, plus short instructions for setting up the clients in popular OSes would go a long way to help adoption.

I somehow can&#x27;t understand how to use it :) Sorry! But nice work.

&gt; Compared to for example Tailscale, WireGuard and ZeroTier, its much harder to block on a network level<p>Tailscale at least bundles in an HTTPS fallback for those situations. I’m not sure that claim holds up.