Open-source software for building private, peer-to-peer virtual networks with centralized management and encrypted traffic routing.
Firezone is a zero trust network access platform that uses WireGuard to provide identity-based connectivity to internal network resources. It functions as a virtual private network that synchronizes authentication and user groups via OpenID Connect providers. The system implements a group-based access control engine to enforce least privilege by restricting network resources to specific user groups. It utilizes hole punching and relay protocols for NAT traversal to establish encrypted tunnels through firewalls without requiring inbound ports. The platform includes a control plane for managing
Firezone is a self-hostable, WireGuard-based zero trust platform that provides peer-to-peer connectivity, NAT traversal, and centralized access control, making it a direct and comprehensive alternative to Tailscale.
Headscale is a self-hosted control plane for private mesh networking that enables the creation of secure, encrypted peer-to-peer networks. By acting as a centralized coordination server, it manages device authentication, cryptographic key exchange, and network topology, allowing distributed infrastructure to communicate without relying on third-party services. It implements a zero-trust security architecture, verifying device and user identity before granting access to internal resources. The project distinguishes itself by providing a fully independent, self-hosted alternative for managing n
Headscale is a self-hosted control plane that implements the Tailscale coordination protocol, providing a complete solution for managing WireGuard-based mesh networks with support for NAT traversal, ACLs, and cross-platform clients.
NetBird is a zero-trust networking platform that builds secure, encrypted peer-to-peer overlay networks using the WireGuard protocol. It functions as a software-defined perimeter, connecting distributed infrastructure across cloud environments and physical locations while hiding network resources from the public internet. By integrating with external identity providers, the platform enforces granular access control and identity-based segmentation for every user and device. The platform distinguishes itself through extensive automation and programmatic management capabilities. It provides a ce
NetBird is a self-hostable, WireGuard-based mesh VPN that provides a centralized coordination server, NAT traversal, and granular ACL management, making it a direct and comprehensive alternative to Tailscale.
n2n is a peer-to-peer VPN that creates an encrypted mesh network by establishing layer 2 overlay networks. It uses UDP tunneling to connect remote computers into a shared virtual local area network, allowing devices to communicate as if they were on the same physical Ethernet switch. The system utilizes a centralized signaling registry and federated coordination nodes to facilitate peer discovery and node registration. It implements NAT traversal through UDP hole punching and UPnP port mapping, while using supernode relay routing to ensure connectivity when symmetric NATs prevent direct peer-
n2n is a peer-to-peer VPN that provides the required mesh networking, NAT traversal, and centralized coordination, though it operates at layer 2 rather than the specific WireGuard-based architecture often associated with modern mesh VPNs.
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
Nebula is a robust, peer-to-peer overlay networking tool that provides secure, encrypted tunnels and NAT traversal, though it differs from the requested category by utilizing a decentralized certificate authority rather than a centralized coordination server.
Netmaker is a platform for automating and managing virtual mesh networks built on WireGuard. It functions as a centralized control plane that orchestrates encrypted, peer-to-peer tunnels across distributed infrastructure, including cloud environments, on-premises data centers, and containerized clusters. By automating the configuration of routing tables and access policies, the system enables secure, private connectivity between diverse devices and services without requiring manual network administration. The platform distinguishes itself through its focus on zero-trust network access and soft
Netmaker is a self-hostable platform that uses WireGuard to orchestrate peer-to-peer mesh networks, providing the centralized coordination, NAT traversal, and ACL management required for a Tailscale-like experience.
Pangolin is a zero-trust remote access platform designed to provide secure, identity-aware connectivity to private network resources. It functions as a cloud-native network controller that orchestrates encrypted tunnels, traffic routing, and access policies across distributed environments. By leveraging WireGuard for secure data transport, the platform enables authenticated access to internal web applications, terminal sessions, and remote desktops without exposing services to the public internet. The platform distinguishes itself through a declarative infrastructure model that synchronizes n
Pangolin is a self-hosted zero-trust network access platform that utilizes WireGuard for peer-to-peer connectivity, NAT traversal, and centralized policy management, making it a direct functional equivalent to the requested mesh VPN solution.
EasyTier is a decentralized peer-to-peer virtual private network and mesh networking tool. It functions as a layer 3 network overlay that establishes secure tunnels between devices without requiring a centralized server or coordinator. It also serves as a WireGuard-compatible VPN, capable of acting as a server for standard WireGuard clients. The project distinguishes itself through multipath latency-based routing and the use of KCP or QUIC proxies to mitigate packet loss and stabilize connections in high-loss environments. It provides a virtual networking manager featuring a web management co
EasyTier is a decentralized mesh VPN that provides peer-to-peer connectivity, NAT traversal, and WireGuard compatibility, making it a robust alternative to centralized mesh networking solutions.
alt-sendme is an accountless peer-to-peer file transfer tool designed for sending files and folders directly between devices. It operates as a decentralized sharing service that utilizes portable access tickets for identity exchange instead of centralized user accounts. The project distinguishes itself through NAT and firewall traversal capabilities, using UDP hole punching and relay-based fallback routing to establish direct connections between remote devices. It supports multi-device data broadcasting, allowing a single file or folder to be shared with multiple recipients simultaneously thr
This is a peer-to-peer file transfer utility rather than a mesh VPN, as it focuses on sharing data between devices instead of providing network-level connectivity and routing for your local devices.
wireguard-go is a Go implementation of the WireGuard protocol that operates as a userspace tunneling engine. It functions as a cross-platform network interface designed to establish encrypted tunnels between peers without requiring modifications to the system kernel. By implementing the protocol in userspace, this project provides a consistent network stack that enables secure peer-to-peer communication across different operating systems. It allows for the creation and management of encrypted network interfaces and tunnels to route private traffic over public networks.
This is a low-level userspace implementation of the WireGuard protocol that serves as a building block for creating VPNs, but it lacks the centralized coordination server, ACL management, and mesh orchestration features required for a complete Tailscale-like solution.
This project is a peer-to-peer networking tool and communication client designed for exchanging messages and sharing screen control between computers without a central server. It functions as a decentralized system for exchanging data and control signals directly between nodes. The application uses WebRTC for peer-to-peer messaging and remote desktop administration. It incorporates STUN-based NAT traversal and rendezvous servers to establish direct connections between peers hidden behind restrictive firewalls or routers. The software provides capabilities for remote desktop control, includin
This project is a remote desktop and screen-sharing tool rather than a mesh VPN, as it focuses on application-level remote control and messaging instead of providing a network-layer tunnel for device connectivity.
Boringtun is a Rust-based library and userspace implementation of the WireGuard protocol. It provides the necessary logic to establish encrypted network tunnels and route secure traffic across different operating systems without requiring kernel-level administrative privileges. The project is designed for embedding VPN logic into other applications. It achieves this through a C-compatible binary interface and cross-platform native bindings, allowing other programming languages to incorporate tunnel operations and peer management into their own software.
This is a userspace implementation of the WireGuard protocol designed to be embedded into other applications, rather than a complete, deployable mesh VPN solution with a coordination server and ACL management.
Iroh is a peer-to-peer networking stack and distributed system designed for secure direct connections, content-addressed storage, and synchronized data sharing. It provides a foundation for decentralized applications by combining a QUIC-based networking layer with primitives for distributed state and data transfer. The project distinguishes itself through a comprehensive suite of decentralized capabilities, including a distributed data store using conflict-free replicated data types for collaborative synchronization and a content-addressed storage system for verifiable, resumable transfers of
Iroh is a low-level peer-to-peer networking toolkit and distributed systems framework, but it lacks the pre-built VPN gateway, centralized coordination server, and ACL management features required for a drop-in Tailscale alternative.
GameNetworkingSockets is a UDP networking library providing secure transport, peer discovery, and traffic control systems. It implements a networking layer for reliable and unreliable messaging over UDP, including tools for message fragmentation and reassembly. The project features a peer-to-peer NAT traversal tool for establishing direct host-to-host connections by punching through firewalls and network address translation layers. It secures network traffic through encrypted transport and secure key exchange. The library includes a traffic manager to organize data into prioritized lanes to
This is a low-level networking library designed for game developers to build custom transport layers, rather than a ready-to-use mesh VPN application that provides the routing, ACL management, and centralized coordination required for a Tailscale-like network.