Definition
A mesh VPN is an overlay network in which devices form encrypted, peer-to-peer tunnels directly with one another instead of routing all traffic through a central concentrator. A lightweight coordination layer distributes public keys and endpoint information so peers can find and authenticate each other, but once a tunnel is up, data flows directly between the two devices. For sovereign operators, this collapses the distinction between "home," "site," and "on the road": every node can reach every other node securely, wherever it sits.
How it differs from a classic VPN
Traditional hub-and-spoke VPNs send everything through one server, which adds latency, creates a throughput bottleneck, and leaves a single point of surveillance or failure. A mesh VPN runs as an overlay alongside your existing connectivity: it creates its own network interface and, by default, carries only traffic addressed to mesh addresses, so ordinary internet traffic never enters a tunnel at all. Because tunnels are point-to-point, latency and throughput approach those of the raw transport. Losing the coordination server does not drop tunnels that are already established, since each peer already holds the other's public key and endpoint; what stops until it returns is admitting new nodes and distributing key or endpoint changes.
Common implementations
Tailscale builds on the WireGuard protocol (Curve25519 key agreement, ChaCha20-Poly1305 for the tunnel) and adds what WireGuard deliberately omits: key and endpoint distribution, NAT traversal, and relay servers (DERP) for the cases where no direct path can be punched. Its coordination server is operated by Tailscale and sees node public keys and endpoint metadata, though never traffic; Headscale is a self-hostable reimplementation for operators who want that piece in-house as well. Nebula, open-sourced by Slack after internal use, is a peer-to-peer mesh built on the Noise protocol framework with AES-256-GCM by default; identity comes from certificates signed by your own CA (nebula-cert), and discovery runs through lighthouse nodes you host yourself. Both let a sovereign operator stitch together miners, nodes, and personal devices into one private network without exposing services to the public internet or trusting a commercial VPN provider with all traffic.
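The key-and-endpoint distribution that Tailscale layers on top of WireGuard, and the point-to-point scoping described under "How it differs from a classic VPN", can be seen concretely in the following added example. It is written for this page and is not Tailscale, Nebula or WireGuard project code. It plays the role of a tiny coordination server: from a roster of nodes it renders each node's WireGuard configuration with one [Peer] per other node and AllowedIPs limited to that peer's /32, and it reports which pairs (both behind NAT) cannot connect without the NAT traversal or relaying that a real mesh VPN provides. The 10.77.0.0/24 range, the TEST-NET endpoints, the port, and the keys (repeated-byte placeholders, not real keys) are all constructed assumptions.

```python
# Added example (not Tailscale, Nebula or WireGuard project code): a minimal
# coordination layer that turns a roster of public keys, mesh addresses and
# endpoints into per-node WireGuard full-mesh configs. All values constructed.
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MESH_NET = ipaddress.ip_network("10.77.0.0/24")  # assumed overlay range
LISTEN_PORT = 51820                               # assumed WireGuard port


@dataclass(frozen=True)
class Node:
    name: str
    public_key: str                  # base64 Curve25519 public key
    mesh_ip: str                     # address inside MESH_NET
    endpoint: Optional[str] = None   # "host:port" if publicly reachable


def fake_key(seed: int) -> str:
    """Constructed placeholder (NOT a real key): 32 repeated bytes, base64."""
    return base64.b64encode(bytes([seed]) * 32).decode()


def valid_wg_key(key: str) -> bool:
    """WireGuard keys are 32 raw bytes, i.e. exactly 44 base64 characters."""
    if len(key) != 44:
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def roster_errors(roster: List[Node]) -> List[str]:
    """Checks a coordination server must make before handing out peer lists."""
    errors, seen_keys, seen_ips = [], set(), set()
    for n in roster:
        if not valid_wg_key(n.public_key):
            errors.append(f"{n.name}: malformed public key")
        ip = ipaddress.ip_address(n.mesh_ip)
        if ip not in MESH_NET:
            errors.append(f"{n.name}: {ip} is outside {MESH_NET}")
        if n.public_key in seen_keys or ip in seen_ips:
            errors.append(f"{n.name}: duplicate key or address")
        seen_keys.add(n.public_key)
        seen_ips.add(ip)
    return errors


def render_config(self_node: Node, roster: List[Node], keepalive: int = 25) -> str:
    """Config for self_node with one [Peer] per other roster member.

    AllowedIPs is each peer's single /32: the tunnel carries only traffic
    addressed to that peer, and there is no 0.0.0.0/0 route to a hub."""
    errors = roster_errors(roster)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [
        "[Interface]",
        "# Private key never leaves the device; the roster holds public keys only.",
        "PrivateKey = <generate locally with: wg genkey>",
        f"Address = {self_node.mesh_ip}/{MESH_NET.prefixlen}",
        f"ListenPort = {LISTEN_PORT}",
    ]
    for peer in roster:
        if peer.public_key == self_node.public_key:
            continue
        lines += ["", "[Peer]", f"# {peer.name}",
                  f"PublicKey = {peer.public_key}",
                  f"AllowedIPs = {peer.mesh_ip}/32"]
        if peer.endpoint:
            lines.append(f"Endpoint = {peer.endpoint}")
            if self_node.endpoint is None:
                # A NAT'd node keeps its mapping open; the public peer learns
                # the NAT'd address from the first authenticated packet.
                lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


def unreachable_pairs(roster: List[Node]) -> List[Tuple[str, str]]:
    """Pairs where neither side has a public endpoint. Plain WireGuard cannot
    connect them (nobody knows where to send the first packet); NAT hole
    punching or a relay from the coordination layer is needed."""
    return [(a.name, b.name) for i, a in enumerate(roster)
            for b in roster[i + 1:]
            if a.endpoint is None and b.endpoint is None]


# Constructed sample roster: TEST-NET endpoints, placeholder keys.
ROSTER = [
    Node("node-home", fake_key(1), "10.77.0.1", "203.0.113.10:51820"),
    Node("miner-site", fake_key(2), "10.77.0.2", "198.51.100.7:51820"),
    Node("laptop", fake_key(3), "10.77.0.3"),  # roaming, behind NAT
    Node("phone", fake_key(4), "10.77.0.4"),   # also behind NAT
]
```

Calling render_config(ROSTER[2], ROSTER) gives the laptop's file: Endpoint lines only for the two nodes with public addresses, a PersistentKeepalive toward each of them, and no way to reach phone, which unreachable_pairs(ROSTER) reports as the one pair that needs hole punching or a relay. The rendered files are self-sufficient: if the roster service disappears, existing peers keep their tunnels, which is the behaviour described in the previous section.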
Mesh VPNs are close cousins of key-addressed overlays like Yggdrasil, where a node's IPv6 address is derived from its public key rather than handed out by a coordinator, and they pair naturally with full node deployments that should be reachable only from trusted devices: bind the node's RPC listener to its mesh address and nothing on the public internet can see it.
