Tinc VPN on Freedombox

Why FreedomBox Should Include Tinc VPN

Tinc is a mature, open-source mesh VPN daemon, packaged and stable in Debian, and available on multiple platforms (Linux, BSD, macOS, Windows). It allows secure, encrypted connections between nodes without requiring port forwarding or centralized servers.

Key benefits:

  • Peer-to-peer mesh VPN: nodes connect directly or via NAT traversal.
  • No need for port forwarding: works behind most NATs thanks to UDP hole punching.
  • Strong encryption and authentication built-in.
  • Lightweight and flexible for various setups and devices.

Including Tinc in FreedomBox would enhance secure, decentralized networking with minimal user setup, empowering users to build resilient private networks.


The peer-to-peer nature of Tinc is very interesting. I have recently seen setups where WireGuard was connecting two nodes that are both behind separate NATs. However, they have used a centralized service to coordinate UDP hole punching using STUN, similar to WebRTC with the help of a centralized server.

If you have experience with Tinc, please post about typical use cases, best practices, and any sample configuration you have.


Yes, tinc has the same underlying issue as WireGuard. However, while WireGuard only supports UDP, tinc supports TCP, making it possible to run it over Tor without the need for port forwarding (I believe the same applies to n2n as well). In fact, there is a project that has already done this:

For FreedomBox, this might be even easier to implement since it already includes Tor services.

Moreover—and this is a bit speculative, as I don’t have the technical knowledge to be certain—I think it would be great to use Tor as a rendezvous point to avoid relying on a VPS. The idea is that peers connect via a Tor hidden service acting as a rendezvous server, avoiding the need for public IPs or port forwarding, and then drop Tor once connected until a new rendezvous is required.

I would love to see any VPN configuration that doesn’t require port forwarding, since my router is behind what I believe to be a CGNAT, and I cannot access it directly from outside.
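As an added illustration of the TCP-only point above (an example I put together for this thread, not a configuration from the tinc project or from any poster), here is what the node stuck behind CGNAT would carry to reach a peer purely over outbound TCP through the local Tor SOCKS port. The network name `fbnet`, the node names `laptop` and `box`, the addresses and the key paths are assumptions; the peer `box` is assumed to have a public IPv4 address and to accept tinc on TCP port 655.

```ini
# /etc/tinc/fbnet/tinc.conf on the node behind CGNAT (constructed example)
Name = laptop
Mode = router
# Carry the whole session over TCP so it can pass through a SOCKS proxy;
# with UDP disabled there is nothing that needs hole punching or forwarding.
TCPOnly = yes
# Hand outgoing connections to Tor's local SOCKS5 listener (default port 9050).
Proxy = socks5 127.0.0.1 9050
# This side only initiates; it never has to be reachable from the outside.
ConnectTo = box
PrivateKeyFile = /etc/tinc/fbnet/rsa_key.priv

# /etc/tinc/fbnet/hosts/laptop (this node; no Address line, it is unreachable)
Subnet = 10.99.0.2/32
# -----BEGIN RSA PUBLIC KEY----- (generated with: tincd -n fbnet -K)

# /etc/tinc/fbnet/hosts/box (copied from the peer that has a public address)
Address = 203.0.113.10
Port = 655
Subnet = 10.99.0.1/32
# -----BEGIN RSA PUBLIC KEY----- (the peer's key, exchanged out of band)
```

The peer here is given as a plain public IP; using a Tor onion service as the rendezvous, as speculated above, is not covered by this fragment. Only the hosts files are exchanged between nodes, and the private key never leaves the node that generated it.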

@sunil I’ve been digging a bit more and found Yggdrasil. It’s not exactly a VPN per se, as it’s described as

“a new experimental compact routing scheme designed as a future-proof, decentralized alternative to the structured routing protocols used on the Internet today, and as an enabling technology for future large-scale mesh networks.”

However, it can be used like a VPN for peer-to-peer connectivity. What sets it apart from something like Tinc is that it requires no coordination server at all. This means two Yggdrasil nodes can connect directly without either needing a public IP, as long as they are connected to a public peer: GitHub - yggdrasil-network/public-peers: Public peers in the Yggdrasil network

While it’s still under active development, it already has a stable Debian package available here: https://packages.debian.org/stable/golang-github-yggdrasil-network-yggdrasil-go-dev

I haven’t had the chance to try it on my FreedomBox yet, but it seems to work fine on Android devices (which is what I have with me at the moment). It’s also stated to be supported on macOS and Windows.