I've run into a few odd instances of headscale not working where I'd expect it to and I don't understand how it's failing.
- Connected to my phone hotspot in the car outside my son's therapist, it worked for months, but then for 2-3 weeks tailscale wouldn't connect. Browsing worked fine. In the 6 weeks since then, it's worked fine.
- A couple nights ago I was in a Holiday Inn Express. I could successfully connect to tailscale, and ssh to machines at the office (which has tailscale on a public IP, but couldn't pass traffic to my machine at home (behind NAT, we have a DERP next to the machine at the office and also another one on the headscale node at AWS). Maybe they blocked the DERP port?
Not allowing random VPN connections on a LAN is pretty standard. I've been surprised at how many people here are able to use tailscale and the like. Guessing it's just because there are likely smaller teams here that don't have any kind of managed network.
About that, we actually tried (with support from the network team) to open a small VPN Fron our office for some mobile devices as part of an event installation. Just plain wireguard on a public IP.
After two weeks of back and forth the wireguard packets were still being discarded somewhere by a firewall/router thanks to "deny VPNs by default". Tailscale got through those immediately though by using their relays + one of the workarounds for standard wireguard ports being blocked. Point being, the service provided by a mature solution like Tailscale for punching through networks is surprisingly effective even for corporate-level networks.
Smaller teams, yes, but also it seems as though the SaaS explosion has led to many enterprises significantly relaxing the "hardness" of their network boundaries, at least when it comes to integration with companies whose services they depend on. I've seen Tailscale and tools like ngrok being approved to get into large enterprises who you might think wouldn't allow it. Some of these enterprises will set up a bastion in a DMZ to control that, but I've been surprised by how many don't do that.
That relaxation tends to have ripple effects - once you allow tunneling tools in for one purpose - like SaaS integration - then it becomes more normalized and people start using it for other purposes.
Someone is making your IT team do extra work without a good understanding of their systems if they're banning tailscale or granting special network level access thinking that ip or mac address based profiling is secure.
Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.)
If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on.
Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security.
Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly.
And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation.
If your threat is state sponsored bad actors you've already failed. OK, great you blocked VPNs. Now they tunneled their vpn through as HTTPS. You successfully annoyed all your legit users and completely failed to stop the real problem.
Https is also inspected in our place and has been for a decade.
Also there's different classes of state sponsored APT groups. You won't stand a chance against the NSA but there's a lot of state sponsored groups in Russia that are just looking for low hanging fruit to get some foreign money for their regime.
You know, that makes sense for a corporate network. They have an extremely aggressive firewall on the academic campus, which is how it should be.
However, they have failed to provide isolated networks for the research labs which just need it for even downloading LLMs (they have banned huggingface!).
Moreover, a hostel is residential. They should provide either the option of getting an external connection (which I would happily do!) or provide a means of non-stupid internet which they aren't.
Then you've failed in security infrastructure, policy, and enforcement, and you've infantilized your users and wasted a bunch of IT time on checking boxes. The real power move in that case would be ensuring some third party vendor checked the boxes for you, so that your ass gets sufficiently covered and you have a narrative that goes something like "well, we did everything you're supposed to, those pesky superhackers are just soooo devious and skilled that they can get anywhere!"
The actual fix for things like that is to ensure that your sensitive data is properly protected, and things that you don't want exfiltrated aren't put into scenarios where exfiltration is possible. If you need to compromise on security for practicality, then make those exceptions highly monitored with multiple people involved in custody and verification. Zero trust means you don't give any of your users or host devices any trust at all, and modern security software can require multiple party approvals and MFA.
You can use a phone to scan documents as you scroll through them, or mitm hardware devices that appear to be part of a cable, or all sorts of sneaky shenanigans, and it's a never-ending arms race, so you have to decide what level of convenience is worth what level of risk and make policies enforceable and auditable. In some cases that might mean SCIF level security with metal detectors and armed guards, in other cases it might mean ensuring a good password policy for zip files shared via email.
Inconveniencing users by limiting web access and doing the TSA style performative security thing is counterproductive. This doesn't mean you give them install rights, or you don't log web activity, or run endpoint malware scanning, or have advanced unusual activity monitoring on the network and so forth. It just means if Sally from accounting wants to go shopping for ugly christmas sweaters for staff on Etsy, she doesn't have to fill out forms in triplicate and wait 3 months while the IT department gets approvals and management has meetings and the third party security vendor does a policy review and assessment before signing off on it, or telling her no.
I'm from a cybersec and devops background, and the IT admin here is just an ancient family-appointed person with no idea of how stuff works and with a lot to gain from under the table corporate dealings.
This is a man who believes that 15 megabit is sufficient bandwidth for CompSci students in their hostels (not the college, mind you, the hostel specifically) and decided that banning games was a "hero move".
Vendor locked into Sophos and a custom third party provider, these people have zero idea about what they're doing. I've met them various times and had various discussions up and down the org chart - this is a man who thinks he should have full access to every student's browsing history in their own time and that all VPNs are the same (he doesn't know how VPNs work btw) and allow for evasion from their network policies.
It's all a bit cursed because he fear-mongers the upper echelons of the college administration by showing them made up logs saying "students are hacking the network" to justify this.
Well, I wish you the best with this - but I really don't understand the target market.
The obvious competitor here is Tailscale. But let's say, reasons, and Tailscale isn't an option. Then you go down the path... TwinGate, Teleport, Netbird, Pomerium, Netmaker, ZeroTier, etc...
Even the initial pricing and free tier are you're up against are going to mostly be a deal breaker compared to what's out there.
Trusting a VPN provider is a lot. If you're running the control plane - why should I trust Netrinos?
"Well, I wish you the best with this - but I really don't understand the target market."
"After years of SSH tunnels, IPsec headaches, and the ssh log horror movie, I wanted something simpler: install, sign in, get work done."
"Target market" could be the author
There's no good reason to discourage people from writing overlays, unless one is doing so for commercial (i.e., anti-competitive) reasons
A more interesting question might be, "In your opinion, what is unsatisfactory about XYZ that does essentially the same thing"
For example, one might be a Layer 2 overlay whilst the other is Layer 3
Maybe we'll never have web browser diversity (or meaningful competition) as the web browser has become an instrument of surveillance and advertising controlled by "Big Tech", but overlay diversity (and competition) is still a possibility
If everyone thought IPsec and OpenVPN was "good enough" then Wireguard and Tailscale would not exist
I still use an unpopular non-commercial L2 overlay from before Wireguard existed that is smaller and faster than anything else I have ever seen
> There's no good reason to discourage people from writing overlays, unless one is doing so for commercial (i.e., anti-competitive) reasons
Where did I discourage them? I have no vested interest in any competition. And what I said can be publicly validated: their pricing isn't exactly competitive.
> "After years of SSH tunnels, IPsec headaches, and the ssh log horror movie, I wanted something simpler: install, sign in, get work done."
OK, again - they all solve for this. What's different?
> For example, one might be a Layer 2 overlay whilst the other is Layer 3
OK, I've been doing VPNs a long time. What does this have to do with anything?
> If everyone thought IPsec and OpenVPN was "good enough" then Wireguard and Tailscale would not exist
OK. Thanks? This isn't a protocol discussion. This is a product discussion built on existing protocols. Netrinos has brought zero new to the plate comparatively at the underlying level.
> I still use an unpopular non-commercial L2 overlay from before Wireguard existed that is smaller and faster than anything else I have ever seen
A lot of tools like that exist. If it's "unpopular" there's, generally, a reason why. It could be: niche use case, it could be: doesn't solve a majority of people's problem. But since this is such a super secret L2 overlay I guess we'll never know.
> IMHO, the more overlays that exist, the better
This isn't an overlay. This is a VPN as a service - and my question was intentional: why should I even trust Netrinos. This is a VPN.
Yeah not owning the control plane is why I don't use tailscale. I might use headscale at some point but for now I'm covered anyway :) and I don't like my control plane exposed to the internet even if it's self hosted. So I went for something else.
Kind of confusing to expect zero competition for a valid opportunity, then you're a category founder with an uphill battle to educate the customer for free, fail, and let the next co swoop in.
I never said there shouldn't be competition. What I implied is that Netrinos looks to be deficient in features and also has no market trust. My question was sincere: why should I trust them? This is a VPN.
That's a very weird comparison...as the market for a search engine is basically every internet user. A networking overlay for technical users is a much smaller market.
The "No IT Department" part of your marketing immediately turns me off because that's actively encouraging "shadow IT".
We all get that sometimes companies have IT policies which are outdated and get in the way, but that's a problem for someone up the chain to solve. A team or department deciding to just start doing their own thing with something like this which isn't managed by or even known about by the official company IT is at best a path to future problems if not an immediate compliance problem.
Compliance, "up the chain", "department", "the official company IT", etc...
These are all things that the target audience either doesn't have, or doesn't want. If the above words are important to you, then you're probably not in the target market.
Or it’s a small enough company without an IT department.
Think of an SMB where you might know you need to do something (like connect a new store location to the server in your main location’s closet), but don’t know how or can’t afford to hire an IT person full time. This is probably the main market for this. Then once you get more buy in, experience, and reputation, this VPN could stay to see larger clients. That’s at least how I’d expect to see this grow.
Yep. Stating Github and providing a non existent Github link is a serious redflag which brings trust issues.
Either provide the Github (for whatever reasons) or remove the link from your website. I am assuming it is closed source.
Personally I don't trust new VPN solutions without published source code!
Alternatives: Tailscale with Headscale or better Self-hosted Netbird if one is a itty-bitty IT savvy.
Netbird (self-hosted) offers a lot lot more with the self-hosted solution.
- SSO
- Independent networks
- Superb policies / ACLs
- Keybased onboarding
- auto-expiration and a lot more like integrations and what not!
Tough to beat the Netbird Open source offering if one tends to spent a little time and effort (though not everyone's cup of coffee!)
Such can look at tailscale's offering since the free version of Tailscale offers more than what is offered here and all the client applications are open source and constantly updated.
If pricing is going to the only difference, (at a high level, everything under the hood looks similar - wireguard based, zero config, p2p mesh, port forwarding etc etc.,) bring a lot more trust by offering an open source version like others.
I only use Tailscale for two features - one is having every machine on the network use a logical name of the pattern {projectname}-{environment} ie: `ssh me@hn-prd` and the other is exit nodes. I couldn't work out from your site if either of these two things is doable here.
Well, given you can set your vpn server to also relay dns requests, and have that same server resolve any *.myspecialtld requests makes that a breeze. I run a whole invite only "internet" of sorts doing this with a plain wireguard server (video streaming, webmail, chatbot, personal websites, forums etc) finding a short domain is easy as pie.
Is there something like tailgate (or this) with only cli (I much dislike tailgate gui stuff on mac/win, on mobile its kind of needed) and you own small connection gateway on your own vps? I know tailgate has an open source implementation but I could not get that working while bored at the airport so that's not simple enough (the thing is enormous as well while it should just 'handshake' and that's it right?).
On a trip to Europe last year, I tried it from the Air Canada in-flight WiFi somewhere over Iceland. I was able to RDP to my desktop at home, then RDP right back to my laptop on the plane. Performance wasn't great. And it's not a terribly useful use case. But it did work.
Wireguard deserves a lot of credit there. No ports were opened on my home end. And who knows what the plane has for NAT.
Can anyone explain to me (someone not so network security savvy) if there are any privacy or security concerns using a wire guard provider like this?
As I understand it, with traditional VPNs, you basically have to trust third-party audits to verify the VPN isn't logging all traffic and selling it. Does the WireGuard protocol address theses issues? Or is there still the same risk as a more traditional VPN provider?
This is not providing the same functionality as a "traditional VPN," in the sense that it does not do anything to your traffic going to the wider internet. With popular VPN services, they are an encrypted tunnel for all your internet traffic (some use the same protocol, WireGuard), but at the end of the tunnel they decrypt the message and send it to whatever website you requested, which is exactly what can cause those privacy issues you describe.
In this case, though, it creates an encrypted tunnel _only between your own devices_. This allows you to connect to all your devices, home desktop, phone, laptop, as if they were on the same network, allowing you to do fairly sensitive things like remote desktop without having to expose your machine to the public internet or deal with firewall rules in the same way.
Assuming this project is legitimate, then the only traffic this service would even touch would be those between your own devices, nothing related to public internet requests. And, on top of that, the requests should be encrypted the entire way, inaccessible to any devices other than the ones sending and receiving the requests.
There are many caveats and asterisks I could add, but I think that's a fairly straightforward summary.
To clarify, one of the big advantages of a Mesh VPN is that the traffic does not flow through the VPN provider at all. WireGuard encrypts the traffic from device interface to device interface. The connections are point-to-point and not hub-and-spoke. This is both faster and more secure.
If a direct connection cannot be established due to a very restrictive firewall or a messed-up ISP modem, it will fall back to a relay server. But in that case, the relay relays the traffic, but it does not have the keys to read it.
TL;DR WireGuard itself is a relatively small project at roughly 4,000 lines of code. It has been thoroughly audited and is even built into the Linux kernel.
WireGuard itself can be configured to work either way.
Our target market is smaller teams and people with limited IT skills. So, we chose not to send all traffic through the vpn. The only traffic going through the VPN is traffic to and from your other devices (in your account). Internet access is still through your default network.
In the Pro version, you can route specific destinations through other peers, also belonging to you. An example use case here would be accessing your web banking while on vacation in a distant country. You would route your bank website through your home connection.
Similarly, our access control is only restricting traffic that comes from your devices on the wireguard network. We do not interfere with the settings of your own personal firewall.
For WireGuard in general, you provide it an AllowedIPs config which is a list of CIDR ranges that should be routed across the link. That could be `0.0.0.0/0` (aka everything), a single subnet, a union of several, or even individual IPs. This config is technically symmetric between the endpoints, though a prototypical implementation of "individual clients enable the VPN to access the internal network" may limit the "client" AllowedIPs to an individual address.
I use Twingate both for personal use (my home) and to access AWS EC2 servers (no public ips) and really love it. Very polished, easy setup. How does Netrinos compare?
We implement STUN and TURN functionality natively in WireGuard rather than using separate protocols.
Netrinos uses a central rendezvous server that participates in WireGuard handshakes solely to collect your devices' public endpoints and share that information with your other devices. When a device roams to a new location, the server learns the new endpoint and updates the other devices in your account.
When direct P2P fails, Netrinos connections fall back to a relay server. The relay is a WireGuard peer, but it can only relay traffic between peers in your account. All customer accounts are strictly firewalled from each other.
If you want more control, you can enable a device in your account as a relay server with a checkbox in the app. This could be a home PC with a stable connection or a low-cost cloud server.
Not really related to the product itself, but your landing page design looks close to the official Microsoft style which I dont have the best memories of..
It might be intentional to show the "seamless integration" to Windows users but my penguin loving soul got scared!
Thanks for that feedback. I share your feelings about Linux. It never occurred to us that it would be reminiscent of old MS days. We were going for "clean and uncluttered".
If it makes you feel better, all core development for Netrinos is done on Linux. Then, the code is adapted to work on macOS and Windows. Almost all of the code is cross-platform, including the UI. Only the implementation details are platform specific.
e.g. Linux uses nftables. MacOS uses pfctl. Windows, we had to write our own packet filter to avoid touching the often misconfigured Windows Firewall.
What's the main differentiator between Tailscale and Netrinos?
Edit: Just found this post https://netrinos.com/blog/tailscale-alternatives-2025, so it looks like main differentiator is pricing right now.
One's banned in my hostel because of a stupid sysadmin.
One isn't.
I've run into a few odd instances of headscale not working where I'd expect it to and I don't understand how it's failing.
- Connected to my phone hotspot in the car outside my son's therapist, it worked for months, but then for 2-3 weeks tailscale wouldn't connect. Browsing worked fine. In the 6 weeks since then, it's worked fine.
- A couple nights ago I was in a Holiday Inn Express. I could successfully connect to tailscale, and ssh to machines at the office (which has tailscale on a public IP, but couldn't pass traffic to my machine at home (behind NAT, we have a DERP next to the machine at the office and also another one on the headscale node at AWS). Maybe they blocked the DERP port?
I have found that residential ISP routers are notoriously flaky. It doesn't take much to confuse them. A lot of edge cases could be just this.
Would you mind revealing which one is banned? I wonder what they are using to make that determination.
They are most likely referring to tailscale in my opinion.
Yes.
Not allowing random VPN connections on a LAN is pretty standard. I've been surprised at how many people here are able to use tailscale and the like. Guessing it's just because there are likely smaller teams here that don't have any kind of managed network.
About that, we actually tried (with support from the network team) to open a small VPN Fron our office for some mobile devices as part of an event installation. Just plain wireguard on a public IP.
After two weeks of back and forth the wireguard packets were still being discarded somewhere by a firewall/router thanks to "deny VPNs by default". Tailscale got through those immediately though by using their relays + one of the workarounds for standard wireguard ports being blocked. Point being, the service provided by a mature solution like Tailscale for punching through networks is surprisingly effective even for corporate-level networks.
Smaller teams, yes, but also it seems as though the SaaS explosion has led to many enterprises significantly relaxing the "hardness" of their network boundaries, at least when it comes to integration with companies whose services they depend on. I've seen Tailscale and tools like ngrok being approved to get into large enterprises who you might think wouldn't allow it. Some of these enterprises will set up a bastion in a DMZ to control that, but I've been surprised by how many don't do that.
That relaxation tends to have ripple effects - once you allow tunneling tools in for one purpose - like SaaS integration - then it becomes more normalized and people start using it for other purposes.
Someone is making your IT team do extra work without a good understanding of their systems if they're banning tailscale or granting special network level access thinking that ip or mac address based profiling is secure.
Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.)
If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on.
Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security.
Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly.
And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation.
If your threat is state sponsored bad actors you've already failed. OK, great you blocked VPNs. Now they tunneled their vpn through as HTTPS. You successfully annoyed all your legit users and completely failed to stop the real problem.
Https is also inspected in our place and has been for a decade.
Also there's different classes of state sponsored APT groups. You won't stand a chance against the NSA but there's a lot of state sponsored groups in Russia that are just looking for low hanging fruit to get some foreign money for their regime.
What’s the alternative—locking down all legitimate users and still losing the data anyway?
Network controls alone don’t stop exfiltration. HDMI/DP can move data faster than most consumer NICs. Does the system account for that scenario?
It's a matter of layers. Banning VPNs isn't a perfect measure. But it makes it a lot easier than when you let everyone cowboy around.
Same with RBAC. It's not perfect because some people need legit access to stuff and it can be abused. But it makes it much harder for bad actors.
> Network controls alone don’t stop exfiltration.
Stop signs alone don't stop all traffic accidents.
You know, that makes sense for a corporate network. They have an extremely aggressive firewall on the academic campus, which is how it should be.
However, they have failed to provide isolated networks for the research labs which just need it for even downloading LLMs (they have banned huggingface!).
Moreover, a hostel is residential. They should provide either the option of getting an external connection (which I would happily do!) or provide a means of non-stupid internet which they aren't.
Then you've failed in security infrastructure, policy, and enforcement, and you've infantilized your users and wasted a bunch of IT time on checking boxes. The real power move in that case would be ensuring some third party vendor checked the boxes for you, so that your ass gets sufficiently covered and you have a narrative that goes something like "well, we did everything you're supposed to, those pesky superhackers are just soooo devious and skilled that they can get anywhere!"
The actual fix for things like that is to ensure that your sensitive data is properly protected, and things that you don't want exfiltrated aren't put into scenarios where exfiltration is possible. If you need to compromise on security for practicality, then make those exceptions highly monitored with multiple people involved in custody and verification. Zero trust means you don't give any of your users or host devices any trust at all, and modern security software can require multiple party approvals and MFA.
You can use a phone to scan documents as you scroll through them, or mitm hardware devices that appear to be part of a cable, or all sorts of sneaky shenanigans, and it's a never-ending arms race, so you have to decide what level of convenience is worth what level of risk and make policies enforceable and auditable. In some cases that might mean SCIF level security with metal detectors and armed guards, in other cases it might mean ensuring a good password policy for zip files shared via email.
Inconveniencing users by limiting web access and doing the TSA style performative security thing is counterproductive. This doesn't mean you give them install rights, or you don't log web activity, or run endpoint malware scanning, or have advanced unusual activity monitoring on the network and so forth. It just means if Sally from accounting wants to go shopping for ugly christmas sweaters for staff on Etsy, she doesn't have to fill out forms in triplicate and wait 3 months while the IT department gets approvals and management has meetings and the third party security vendor does a policy review and assessment before signing off on it, or telling her no.
Exactly.
I'm from a cybersec and devops background, and the IT admin here is just an ancient family-appointed person with no idea of how stuff works and with a lot to gain from under the table corporate dealings.
This is a man who believes that 15 megabit is sufficient bandwidth for CompSci students in their hostels (not the college, mind you, the hostel specifically) and decided that banning games was a "hero move".
Vendor locked into Sophos and a custom third party provider, these people have zero idea about what they're doing. I've met them various times and had various discussions up and down the org chart - this is a man who thinks he should have full access to every student's browsing history in their own time and that all VPNs are the same (he doesn't know how VPNs work btw) and allow for evasion from their network policies.
It's all a bit cursed because he fear-mongers the upper echelons of the college administration by showing them made up logs saying "students are hacking the network" to justify this.
You again under the posts that tickle my fancy…
Well, I wish you the best with this - but I really don't understand the target market.
The obvious competitor here is Tailscale. But let's say, reasons, and Tailscale isn't an option. Then you go down the path... TwinGate, Teleport, Netbird, Pomerium, Netmaker, ZeroTier, etc...
Even the initial pricing and free tier are you're up against are going to mostly be a deal breaker compared to what's out there.
Trusting a VPN provider is a lot. If you're running the control plane - why should I trust Netrinos?
"Well, I wish you the best with this - but I really don't understand the target market."
"After years of SSH tunnels, IPsec headaches, and the ssh log horror movie, I wanted something simpler: install, sign in, get work done."
"Target market" could be the author
There's no good reason to discourage people from writing overlays, unless one is doing so for commercial (i.e., anti-competitive) reasons
A more interesting question might be, "In your opinion, what is unsatisfactory about XYZ that does essentially the same thing"
For example, one might be a Layer 2 overlay whilst the other is Layer 3
Maybe we'll never have web browser diversity (or meaningful competition) as the web browser has become an instrument of surveillance and advertising controlled by "Big Tech", but overlay diversity (and competition) is still a possibility
If everyone thought IPsec and OpenVPN was "good enough" then Wireguard and Tailscale would not exist
I still use an unpopular non-commercial L2 overlay from before Wireguard existed that is smaller and faster than anything else I have ever seen
IMHO, the more overlays that exist, the better
> There's no good reason to discourage people from writing overlays, unless one is doing so for commercial (i.e., anti-competitive) reasons
Where did I discourage them? I have no vested interest in any competition. And what I said can be publicly validated: their pricing isn't exactly competitive.
> "After years of SSH tunnels, IPsec headaches, and the ssh log horror movie, I wanted something simpler: install, sign in, get work done."
OK, again - they all solve for this. What's different?
> For example, one might be a Layer 2 overlay whilst the other is Layer 3
OK, I've been doing VPNs a long time. What does this have to do with anything?
> If everyone thought IPsec and OpenVPN was "good enough" then Wireguard and Tailscale would not exist
OK. Thanks? This isn't a protocol discussion. This is a product discussion built on existing protocols. Netrinos has brought zero new to the plate comparatively at the underlying level.
> I still use an unpopular non-commercial L2 overlay from before Wireguard existed that is smaller and faster than anything else I have ever seen
A lot of tools like that exist. If it's "unpopular" there's, generally, a reason why. It could be: niche use case, it could be: doesn't solve a majority of people's problem. But since this is such a super secret L2 overlay I guess we'll never know.
> IMHO, the more overlays that exist, the better
This isn't an overlay. This is a VPN as a service - and my question was intentional: why should I even trust Netrinos. This is a VPN.
Yeah not owning the control plane is why I don't use tailscale. I might use headscale at some point but for now I'm covered anyway :) and I don't like my control plane exposed to the internet even if it's self hosted. So I went for something else.
Kind of confusing to expect zero competition for a valid opportunity, then you're a category founder with an uphill battle to educate the customer for free, fail, and let the next co swoop in.
I never said there shouldn't be competition. What I implied is that Netrinos looks to be deficient in features and also has no market trust. My question was sincere: why should I trust them? This is a VPN.
I have been down that path and found Twingate, Netbird, Netmaker and Zerotier lacking in one way or another, not tried those other two yet though.
Could you please elaborate on what you found lacking? Always looking to improve.
Isn’t that true for any new service out there? What’s the market for a search engine? And yet kagi.com is a thing.
That's a very weird comparison...as the market for a search engine is basically every internet user. A networking overlay for technical users is a much smaller market.
You mean that going against Google is easier than going against a small company like Tailscale? I doubt it.
The "No IT Department" part of your marketing immediately turns me off because that's actively encouraging "shadow IT".
We all get that sometimes companies have IT policies which are outdated and get in the way, but that's a problem for someone up the chain to solve. A team or department deciding to just start doing their own thing with something like this which isn't managed by or even known about by the official company IT is at best a path to future problems if not an immediate compliance problem.
Compliance, "up the chain", "department", "the official company IT", etc...
These are all things that the target audience either doesn't have, or doesn't want. If the above words are important to you, then you're probably not in the target market.
Or it’s a small enough company without an IT department.
Think of an SMB where you might know you need to do something (like connect a new store location to the server in your main location’s closet), but don’t know how or can’t afford to hire an IT person full time. This is probably the main market for this. Then once you get more buy in, experience, and reputation, this VPN could stay to see larger clients. That’s at least how I’d expect to see this grow.
IT is sometimes dysfunctional and management doesn't care.
I really like your fair differentiation and feature comparison vs Tailscale, netbird etc.
Love to see the ecosystem of wireguard based services growing into different business segments, i.e. you targeting SMBs/small teams.
Not for me, but legitimate use case and product :)
Exactly, same sentiment here.
The GitHub link on your website is 404 (https://github.com/netrinosnetwork)
Yep. Stating Github and providing a non existent Github link is a serious redflag which brings trust issues.
Either provide the Github (for whatever reasons) or remove the link from your website. I am assuming it is closed source.
Personally I don't trust new VPN solutions without published source code!
Alternatives: Tailscale with Headscale or better Self-hosted Netbird if one is a itty-bitty IT savvy.
Netbird (self-hosted) offers a lot lot more with the self-hosted solution. - SSO - Independent networks - Superb policies / ACLs - Keybased onboarding - auto-expiration and a lot more like integrations and what not!
Tough to beat the Netbird Open source offering if one tends to spent a little time and effort (though not everyone's cup of coffee!)
Such can look at tailscale's offering since the free version of Tailscale offers more than what is offered here and all the client applications are open source and constantly updated.
If pricing is going to the only difference, (at a high level, everything under the hood looks similar - wireguard based, zero config, p2p mesh, port forwarding etc etc.,) bring a lot more trust by offering an open source version like others.
https://headscale.net/stable/
I only use Tailscale for two features - one is having every machine on the network use a logical name of the pattern {projectname}-{environment} ie: `ssh me@hn-prd` and the other is exit nodes. I couldn't work out from your site if either of these two things is doable here.
Each device on your account gets a private static IP address in the network 100.x.x.x. The name is static as long as the device lives on your account.
Each also gets a friendly DNS name in the form device.account.2ho.ca (try finding a short domain these days).
So yes, you can...
$ ssh user@server.myaccount.2ho.ca
C:\ net use S: \\server.myaccount.2ho.ca\Home
etc.
Well, given you can set your vpn server to also relay dns requests, and have that same server resolve any *.myspecialtld requests makes that a breeze. I run a whole invite only "internet" of sorts doing this with a plain wireguard server (video streaming, webmail, chatbot, personal websites, forums etc) finding a short domain is easy as pie.
Ah, that's a shame - my OCD loves the short, domainless names we get on Tailscale.
Maybe I should look into that... there are a few different ways to do it, and none of them are all that hard.
- i just put it in the roadmap
Amazing. Is there somewhere we can view / follow the roadmap?
Is there something like tailgate (or this) with only cli (I much dislike tailgate gui stuff on mac/win, on mobile its kind of needed) and you own small connection gateway on your own vps? I know tailgate has an open source implementation but I could not get that working while bored at the airport so that's not simple enough (the thing is enormous as well while it should just 'handshake' and that's it right?).
Netrinos can be entirely cli on all 3 platforms.
If you install the OpenSSH server on Windows, you can manage Netrinos in a terminal, just like on Linux or Mac. e.g.
https://netrinos.com/cdn/images/screens/windows-terminal.png
https://netrinos.com/cdn/images/screens/linux-terminal.png
On a trip to Europe last year, I tried it from the Air Canada in-flight WiFi somewhere over Iceland. I was able to RDP to my desktop at home, then RDP right back to my laptop on the plane. Performance wasn't great. And it's not a terribly useful use case. But it did work.
Wireguard deserves a lot of credit there. No ports were opened on my home end. And who knows what the plane has for NAT.
Can anyone explain to me (someone not so network security savvy) if there are any privacy or security concerns using a wire guard provider like this?
As I understand it, with traditional VPNs, you basically have to trust third-party audits to verify the VPN isn't logging all traffic and selling it. Does the WireGuard protocol address theses issues? Or is there still the same risk as a more traditional VPN provider?
This is not providing the same functionality as a "traditional VPN," in the sense that it does not do anything to your traffic going to the wider internet. With popular VPN services, they are an encrypted tunnel for all your internet traffic (some use the same protocol, WireGuard), but at the end of the tunnel they decrypt the message and send it to whatever website you requested, which is exactly what can cause those privacy issues you describe.
In this case, though, it creates an encrypted tunnel _only between your own devices_. This allows you to connect to all your devices, home desktop, phone, laptop, as if they were on the same network, allowing you to do fairly sensitive things like remote desktop without having to expose your machine to the public internet or deal with firewall rules in the same way.
Assuming this project is legitimate, then the only traffic this service would even touch would be those between your own devices, nothing related to public internet requests. And, on top of that, the requests should be encrypted the entire way, inaccessible to any devices other than the ones sending and receiving the requests.
There are many caveats and asterisks I could add, but I think that's a fairly straightforward summary.
To clarify, one of the big advantages of a Mesh VPN is that the traffic does not flow through the VPN provider at all. WireGuard encrypts the traffic from device interface to device interface. The connections are point-to-point and not hub-and-spoke. This is both faster and more secure.
If a direct connection cannot be established due to a very restrictive firewall or a messed-up ISP modem, it will fall back to a relay server. But in that case, the relay relays the traffic, but it does not have the keys to read it.
You can learn more here: https://www.wireguard.com/
TL;DR WireGuard itself is a relatively small project at roughly 4,000 lines of code. It has been thoroughly audited and is even built into the Linux kernel.
Naive question here: with WireGuard VPN, does all traffic route through the VPN or only those packets bound for the other devices in the mesh?
WireGuard itself can be configured to work either way.
Our target market is smaller teams and people with limited IT skills. So, we chose not to send all traffic through the vpn. The only traffic going through the VPN is traffic to and from your other devices (in your account). Internet access is still through your default network.
In the Pro version, you can route specific destinations through other peers, also belonging to you. An example use case here would be accessing your web banking while on vacation in a distant country. You would route your bank website through your home connection.
Similarly, our access control is only restricting traffic that comes from your devices on the wireguard network. We do not interfere with the settings of your own personal firewall.
Thanks for taking the time to answer! I think I'll be giving this a shot for some upcoming projects.
For WireGuard in general, you provide it an AllowedIPs config which is a list of CIDR ranges that should be routed across the link. That could be `0.0.0.0/0` (aka everything), a single subnet, a union of several, or even individual IPs. This config is technically symmetric between the endpoints, though a prototypical implementation of "individual clients enable the VPN to access the internal network" may limit the "client" AllowedIPs to an individual address.
Seems similar in purpose to https://vpncloud.ddswd.de/
(above is very easy to use and works very well w/ my experience)
Only downsides are no mobile support & seems to be somewhat abandoned
Thanks to everybody who participated. This has been an excellent discussion and has resulted in some interesting ideas to pursue.
Any plans for Exit Node capability (traditional egress VPN)?
Pro has that. We call it a Gateway. See:
https://netrinos.com/help/gateways-routing
You can also have multiple gateways and send traffic through different locations. e.g. You can access a NAS on one site and a website through another.
I use Twingate both for personal use (my home) and to access AWS EC2 servers (no public ips) and really love it. Very polished, easy setup. How does Netrinos compare?
We do have some comparisons on our site...
https://netrinos.com/compare
Thanks
>We use STUN-style discovery and relay fallback
How does your relay compare to Tailscale's (DERP)?
We implement STUN and TURN functionality natively in WireGuard rather than using separate protocols.
Netrinos uses a central rendezvous server that participates in WireGuard handshakes solely to collect your devices' public endpoints and share that information with your other devices. When a device roams to a new location, the server learns the new endpoint and updates the other devices in your account.
When direct P2P fails, Netrinos connections fall back to a relay server. The relay is a WireGuard peer, but it can only relay traffic between peers in your account. All customer accounts are strictly firewalled from each other.
If you want more control, you can enable a device in your account as a relay server with a checkbox in the app. This could be a home PC with a stable connection or a low-cost cloud server.
Full disclaimer: huge Linux fanboy here.
Not really related to the product itself, but your landing page design looks close to the official Microsoft style which I dont have the best memories of..
It might be intentional to show the "seamless integration" to Windows users but my penguin loving soul got scared!
Thanks for that feedback. I share your feelings about Linux. It never occurred to us that it would be reminiscent of old MS days. We were going for "clean and uncluttered".
If it makes you feel better, all core development for Netrinos is done on Linux. Then, the code is adapted to work on macOS and Windows. Almost all of the code is cross-platform, including the UI. Only the implementation details are platform specific.
e.g. Linux uses nftables. MacOS uses pfctl. Windows, we had to write our own packet filter to avoid touching the often misconfigured Windows Firewall.