Tinc VPN on Freedombox

Why FreedomBox Should Include Tinc VPN

Tinc is a mature, open-source mesh VPN daemon, packaged and stable in Debian, and available on multiple platforms (Linux, BSD, macOS, Windows). It allows secure, encrypted connections between nodes without requiring port forwarding or centralized servers.

Key benefits:

  • Peer-to-peer mesh VPN: nodes connect directly or via NAT traversal.
  • No need for port forwarding: works behind most NATs thanks to UDP hole punching.
  • Strong encryption and authentication built-in.
  • Lightweight and flexible for various setups and devices.

Including Tinc in FreedomBox would enhance secure, decentralized networking with minimal user setup, empowering users to build resilient private networks.

1 Like
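A minimal tinc 1.0 (the version packaged in Debian) router-mode configuration for the kind of mesh described above, added here as an example and not taken from the post or from the tinc project: one node (`hub`) has a public address and the other (`laptop`) sits behind NAT. The network name `mesh`, the 10.44.0.0/24 range, the host names and the address `hub.example.org` are made up for the example. Each node generates its key pair with `tincd -n mesh -K`, which appends the public key to that node's own hosts file; the hosts files are then copied to every other node and are the trust anchor of the mesh (whoever holds a hosts file with a valid key for a name is accepted as that node). The NAT'd node dials out to `hub` over TCP first; once two NAT'd nodes have both reached a node with a known `Address`, tinc tries direct UDP between them (hole punching), so at least one publicly reachable node is still needed for the initial meta-connection.

```ini
# ---- laptop: /etc/tinc/mesh/tinc.conf (node behind NAT) ----
# Example configuration, not from the original post; all names are hypothetical.
Name = laptop
Mode = router
# Outgoing meta-connection to the one node that has a public address
ConnectTo = hub

# ---- hub: /etc/tinc/mesh/tinc.conf (publicly reachable node) ----
Name = hub
Mode = router
# No ConnectTo: hub only accepts incoming connections on 655/TCP and 655/UDP,
# so its firewall must allow both.

# ---- every node: /etc/tinc/mesh/hosts/hub ----
Address = hub.example.org      # hypothetical; a fixed IP works as well
Port = 655
Subnet = 10.44.0.1/32
# Public key appended by 'tincd -n mesh -K' run on hub
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

# ---- every node: /etc/tinc/mesh/hosts/laptop ----
# No Address line: nobody can dial in to a node behind NAT, it always dials out.
Subnet = 10.44.0.2/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

# ---- laptop: /etc/tinc/mesh/tinc-up (must be executable; hub uses 10.44.0.1/24) ----
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 10.44.0.2/24 dev "$INTERFACE"
```

The `Subnet` in a node's hosts file must match the address its `tinc-up` assigns, otherwise other nodes will not route to it. A third NAT'd node is added the same way: its own `tinc.conf` with `ConnectTo = hub`, a hosts file without `Address`, and a copy of that hosts file on every peer.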

The peer-to-peer nature of Tinc is very interesting. I have recently seen setups where WireGuard was connecting two nodes that are both behind separate NATs. However, they used a centralized service to coordinate UDP hole punching using STUN, similar to WebRTC with the help of a centralized server.

If you have experience with Tinc, please post about typical use cases, best practices, and any sample configuration you have.

1 Like

Yes, tinc has the same underlying issue as WireGuard. However, while WireGuard only supports UDP, tinc supports TCP, making it possible to run it over Tor without the need for port forwarding (I believe the same applies to n2n as well). In fact, there is a project that has already done this:

For FreedomBox, this might be even easier to implement since it already includes Tor services.

Moreover—and this is a bit speculative, as I don’t have the technical knowledge to be certain—I think it would be great to use Tor as a rendezvous point to avoid relying on a VPS. The idea is that peers connect via a Tor hidden service acting as a rendezvous server, avoiding the need for public IPs or port forwarding, and then drop Tor once connected until a new rendezvous is required.

I would love to see any VPN configuration that doesn’t require port forwarding, since my router is behind what I believe to be a CGNAT, and I cannot access it directly from outside.
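The TCP-over-Tor variant discussed in the reply above, as an added example that is neither the linked project's configuration nor anything from the original posts: `hub` exposes its tinc port as a Tor onion service and `laptop` dials it through the local Tor SOCKS port using tinc's `Proxy` option (available in tinc 1.0.20 and later). The network name `mesh`, the host names, the addresses and the onion name are placeholders. Assumption: tinc hands the unresolved `.onion` hostname to the SOCKS5 proxy as a domain name instead of resolving it itself; verify this on a test setup with `tincd -n mesh -D -d3` before relying on it. Because Tor carries only TCP, the hosts file marks the peer `TCPOnly = yes`, so tinc never tries UDP to that node and all traffic goes through the tunneled TCP meta-connection, with Tor's latency.

```ini
# ---- hub: /etc/tor/torrc (added lines) ----
# Publish the local tinc TCP port as an onion service. After a Tor restart the
# onion name is in /var/lib/tor/tinc-mesh/hostname (path is hypothetical).
HiddenServiceDir /var/lib/tor/tinc-mesh/
HiddenServicePort 655 127.0.0.1:655

# ---- hub: /etc/tinc/mesh/tinc.conf ----
Name = hub
Mode = router
# Only the local Tor daemon needs to reach tincd; do not expose it elsewhere
BindToAddress = 127.0.0.1

# ---- laptop: /etc/tinc/mesh/tinc.conf ----
Name = laptop
Mode = router
ConnectTo = hub
# Send outgoing meta-connections through the local Tor SOCKS port
# (tinc 1.0.20+; 9050 is Tor's default SocksPort, adjust to your setup)
Proxy = socks5 127.0.0.1 9050

# ---- every node: /etc/tinc/mesh/hosts/hub ----
# Placeholder: replace with the v3 onion name from hub's hostname file
Address = replacewiththeonionnameofhubservice.onion
Port = 655
# Tor carries only TCP: never attempt UDP to this node
TCPOnly = yes
Subnet = 10.44.0.1/32
# Public key appended by 'tincd -n mesh -K' run on hub
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
```

Two consequences worth knowing before choosing this layout: with `hub` bound to loopback and reached only through Tor, it sees every peer arriving from 127.0.0.1, so it cannot tell two NAT'd peers each other's real external endpoints, and the direct UDP hole punching of the non-Tor setup does not happen between them. And a tinc meta-connection keeps the transport it was opened on, so the "use Tor only for the rendezvous, then drop it" idea from the post would need something outside tinc to hand over a reachable address once both sides are up.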