Mesh VPN for P2P Networked Services

One of the fun things about the Internet and Open Source community is that from time to time I’ll be pondering some problem. “How do I set up a ___” and after working the issue for an hour or two, decide to just do a quick web-search on the idea… and find others have already “gone there”. It is bittersweet sometimes as I’ve often discovered someone else stole my bright idea before I even had it ;-) but such is life.

Recently, censorship and attacks on freedom of speech have become rampant tools of the Petulant Insufferable Left. The poor little dears, snowflakes all, can’t stand the idea of people having thoughts they have not approved and positively recoil in horror when anyone says those thoughts or, GASP!, writes them down. (For example, saying that “since the Koran states Mohammed had sex with a prepubescent 9 year old girl, you are wondering if that makes him a pedophile?” can get you hounded off of Twitter, banned from Facebook, and fined in the EU – even though the facts are accurate and you are just asking a question as you don’t know the answer… As a second example, I’m now wondering if just stating a hypothetical example is enough to cause assaults of various kinds.)

But whatever. The simple fact is that all sorts of voices are being silenced and soon the Internet will be safe for all the Globalist Leftist Snowflakes and also useless for anything beyond ordering a pizza.

What brought this on was the current banning of Alex Jones / Infowars and the Twitter / Facebook purges that sent a huge conservative wave of users to Gab.ai and Bitchute; and then got Gab.ai de-platformed. Clearly there is an all out assault on free speech with special emphasis on conservatives and unpopular-with-the-globalist-left speech.

So what to do?

In the short run it will be a game of whack-a-mole with the deplatformed folks moving to new providers (until, one hopes, they land on a set with a bit of spine…)

The end game will be a full on Peer-to-Peer based system over encrypted VPN links so there simply isn’t any platform to be kicked off of, nor any ISP who can shut you down. The worst case would be needing to do that in a Dark Web mode, such as using TOR over the .onion net or something similar.

But how to get from one to another and what is the state of play today?

Well first off the good news is that all this has already been worked out and is in use. Nothing new needs to be written. The bad news is it is mostly used for things that are illegal, unpopular, or forbidden somewhere (for all the Dark Web stuff). While the basic services, like a VPN, are not illegal or even suspicious, the Dark Web is not for everyone. It would most likely be better to build an analog of it, but for shunned services and speech as opposed to illegal activities (though as noted above, just stating the facts is now illegal in parts of the E.U.)

So I was pondering what it would take to set up an overlay network and have folks using private side DNS and their own P2P web servers and such. It occurred to me that traffic would need to go from home to home over a VPN (virtual private network) so that the ISP couldn’t even see it. There would need to be a private DNS system for the overlay network, and then some services built, like private web servers and email servers. All pretty standard stuff in the corporate world, but not familiar to the average Joe or Jane.

FWIW, I’ve set up many private networks between corporate sites. The description above is what is typically done inside a company by the I.T. staff. You have a private network, your internal machines are in your own DNS server, you have your own internal email, web, etc. servers and services. I’ve even set up various VPN links to partner companies or remote branches of the same company, so those resources could be privately shared but hidden from public view (or even the view of the ISP, Internet Service Provider, who just sees an encrypted river of bits).

But the hard bit would be making this ‘user friendly’ enough for the home gamer to do it. Especially setting up a VPN based overlay network and running a DNS server. It is my opinion that there is a niche here for an integrated application that configures and joins such a private network with little more than answering a few questions.

One first step would be making the VPN mesh overlay network. I had just started to ponder it when I thought “Has it been done?”

https://en.wikipedia.org/wiki/Tinc_%28protocol%29

Tinc is an open-source, self-routing, mesh networking protocol and software implementation used for compressed and encrypted virtual private networks. It was started in 1998 by Guus Sliepen, Ivo Timmermans, and Wessel Dankers, and released as a GPL-licensed project.

Platforms

Tinc is available on Linux, FreeBSD, OpenBSD, NetBSD, DragonFly BSD, Mac OS X, Microsoft Windows, Solaris, iOS, Android with full support for IPv6.

Future goals

The authors of Tinc have goals of providing a platform that is secure, stable, reliable, scalable, easily configurable, and flexible.

Embedded technologies

Tinc uses OpenSSL or LibreSSL as the encryption library and gives the options of compressing communications with zlib for “best compression” or LZO for “fast compression”.

Projects that use tinc

Freifunk has tinc enabled in their routers as of October 2006.
OpenWrt has an installable package for tinc.
OPNsense, an open source router and firewall distribution, has a plugin for Tinc.
pfSense has an installable package in the 2.3 release.
Tomato has tinc support included in the Shibby mod.
NYC Mesh use tinc to encrypt traffic around their mesh network.

Oh, gee, a fairly simple to install and configure self-routing mesh VPN for Windows, Mac, & *Nix. Already in use.

It uses config files, so it would need maintenance each time a new user node joined. I could see an enhancement to let nodes join, advertise their information, and have it automatically add to the config files (for ease of use) or leave it as-is to keep it a controlled trust group.

http://tinc-vpn.org/

What is tinc?

tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. tinc is Free Software and licensed under the GNU General Public License version 2 or later. Because the VPN appears to the IP level network code as a normal network device, there is no need to adapt any existing software. This allows VPN sites to share information with each other over the Internet without exposing any information to others. In addition, tinc has the following features:

Encryption, authentication and compression
All traffic is optionally compressed using zlib or LZO, and LibreSSL or OpenSSL is used to encrypt the traffic and protect it from alteration with message authentication codes and sequence numbers.

Automatic full mesh routing
Regardless of how you set up the tinc daemons to connect to each other, VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.

NAT traversal
As long as one node in the VPN allows incoming connections on a public IP address (even if it is a dynamic IP address), tinc will be able to do NAT traversal, allowing direct communication between peers.

Easily expand your VPN
When you want to add nodes to your VPN, all you have to do is add an extra configuration file, there is no need to start new daemons or create and configure new devices or network interfaces.

Ability to bridge ethernet segments
You can link multiple ethernet segments together to work like a single segment, allowing you to run applications and games that normally only work on a LAN over the Internet.

Runs on many operating systems and supports IPv6
Currently Linux, FreeBSD, OpenBSD, NetBSD, OS X, Solaris, Windows 2000, XP, Vista and Windows 7 and 8 platforms are supported. See our section about supported platforms for more information about the state of the ports. tinc has also full support for IPv6, providing both the possibility of tunneling IPv6 traffic over its tunnels and of creating tunnels over existing IPv6 networks.

So at present a new guy wanting to join means everyone gets to edit a config file. That’s just one daemon and a message passing away from fully self configuring.
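As an added example (not code from the post or from the tinc project), the shell below writes the handful of files a tinc 1.0 node needs and vets a peer’s host file before it is copied into hosts/, which is the manual step that keeps the mesh a controlled trust group. The network name chiefnet, the 10.44.0.0/16 overlay range and the node names are assumptions; the config syntax is tinc 1.0.x with StrictSubnets so a peer can only route the subnet its vetted host file declares.

```shell
#!/bin/sh
# Added example, not code from the post or from the tinc project: it writes
# the files a tinc 1.0 node needs and vets a peer's host file before that
# peer is admitted to the trust group.  Assumed: tinc 1.0.x config syntax,
# Linux with iproute2, network name "chiefnet", overlay range 10.44.0.0/16.
set -eu

TINC_ROOT="${TINC_ROOT:-/etc/tinc}"   # point at a scratch dir for a dry run
NET="${NET:-chiefnet}"
OVERLAY_PREFIX="10.44."               # each node owns one /32 in 10.44.0.0/16

# write_node NAME ADDRESS [CONNECT_TO]
# Writes tinc.conf, this node's own hosts/NAME entry and tinc-up/tinc-down.
# Key generation (tincd -n "$NET" -K) is left to the operator so the private
# key never passes through this script; -K appends the public key to hosts/NAME.
write_node() {
    name=$1 addr=$2 connect_to=${3:-}
    dir="$TINC_ROOT/$NET"
    mkdir -p "$dir/hosts"
    cat >"$dir/tinc.conf" <<EOF
Name = $name
Mode = router
# Only honour Subnet lines found in the vetted hosts/ files: a peer cannot
# pull a neighbour's address or 0.0.0.0/0 to itself just by announcing it.
StrictSubnets = yes
EOF
    if [ -n "$connect_to" ]; then
        echo "ConnectTo = $connect_to" >>"$dir/tinc.conf"
    fi
    echo "Subnet = $addr/32" >"$dir/hosts/$name"
    cat >"$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $addr/16 dev "\$INTERFACE"
EOF
    printf '#!/bin/sh\nip link set "$INTERFACE" down\n' >"$dir/tinc-down"
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# validate_host_file NAME FILE
# Accept a peer's host file only if it looks like one we would write ourselves:
# a plain node name, exactly one /32 inside the overlay range, a public key,
# and a subnet that no already-admitted node owns (otherwise the newcomer
# could impersonate that node once its key is trusted).
validate_host_file() {
    name=$1 file=$2
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "rejected: bad node name '$name'" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "rejected: no such file $file" >&2; return 1; }
    count=$(grep -c '^Subnet *=' "$file" || true)
    [ "$count" -eq 1 ] || { echo "rejected: need exactly one Subnet line" >&2; return 1; }
    subnet=$(sed -n 's/^Subnet *= *//p' "$file")
    case "$subnet" in
        "$OVERLAY_PREFIX"[0-9]*.[0-9]*/32) ;;
        *) echo "rejected: $subnet is not a /32 in the overlay range" >&2; return 1 ;;
    esac
    grep -q '^-----BEGIN RSA PUBLIC KEY-----$' "$file" ||
        { echo "rejected: no public key in $file" >&2; return 1; }
    pat=$(printf '%s' "$subnet" | sed 's/[.]/\\./g')   # literal dots for grep
    for f in "$TINC_ROOT/$NET/hosts"/*; do
        [ -f "$f" ] && [ "$(basename "$f")" != "$name" ] || continue
        if grep -q "^Subnet *= *$pat\$" "$f"; then
            echo "rejected: $subnet already belongs to $(basename "$f")" >&2
            return 1
        fi
    done
    return 0
}

# add_peer NAME FILE: the "add an extra configuration file" step, with the
# vetting done before the file lands in hosts/ where tincd will trust it.
add_peer() {
    validate_host_file "$1" "$2" || return 1
    cp "$2" "$TINC_ROOT/$NET/hosts/$1"
}
```

After write_node, run `tincd -n chiefnet -K` on each node, exchange the resulting hosts/ files out of band (not over the tunnel you are trying to build), and feed each received file to add_peer.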

Inside of such a mesh VPN you would still need to run some services. Email, file sharing, web browsing, FTP servers, etc. Many present P2P services are for things like file sharing (BitTorrent for getting things like software and songs), but there are others. Some of them have their own way of making the overlay network:

https://en.wikipedia.org/wiki/Peer-to-peer

Content delivery

In P2P networks, clients both provide and use resources. This means that unlike client-server systems, the content-serving capacity of peer-to-peer networks can actually increase as more users begin to access the content (especially with protocols such as Bittorrent that require users to share, refer a performance measurement study). This property is one of the major advantages of using P2P networks because it makes the setup and running costs very small for the original content distributor.

File-sharing networks

Many peer-to-peer file sharing networks, such as Gnutella, G2, and the eDonkey network popularized peer-to-peer technologies.

Peer-to-peer content delivery networks.
Peer-to-peer content services, e.g. caches for improved performance such as Correli Caches
Software publication and distribution (Linux distribution, several games); via file sharing networks.

It is worth noting that Bitchute runs as P2P:

https://en.wikipedia.org/wiki/BitChute

History

The company was founded by Ray Vahey. He described it as a way to avoid censorship and demonetisation by established services like YouTube.

The first video on BitChute was posted on January 3, 2017. It was called “This is the first video on #BitChute”. It was a sample video of a woman using a tablet. The video was uploaded to test the uploading process.

In September 2017, conservative internet celebrity Lauren Southern said she was considering switching to the site in response to YouTube’s demonetisation of political videos. Southern automatically mirrors her YouTube channel on BitChute since March 23, 2017.

Technology

BitChute is based on the peer-to-peer WebTorrent system; a torrent program that can run in a web browser. Users watching a video also seed it.
WebTorrent, despite similar functionality, is not compatible with BitTorrent.

The BitChute website acts as a front end and portal for WebTorrent. When users upload a video it is converted to a WebTorrent and given a page on BitChute’s website.

Hard to deplatform the video server when it is all of the video watchers ;-)

IMHO, this is the end game. Things like Bitchute running over voluntary overlay networks in a meshed VPN system.

Similarly, for “micro-blogging” (think “tweeting”…) we have Twister:

https://en.wikipedia.org/wiki/Twister_%28software%29

Twister is free software for experimental peer-to-peer microblogging. Being completely decentralized means that no one is able to shut it down, as there is no single point to attack. The system uses end-to-end encryption to safeguard communications. It is based on both BitTorrent and Bitcoin-like protocols and is considered a (distributed) Twitter clone.

The problem with these kinds of systems is that performance is low when first starting up, as nobody else is yet seeding the given material, and once a topic has lost interest it again has few seeds. With enough growth in users, that tends to stop being a problem.

Overview

Twister is a Twitter-like microblogging platform that utilizes the same blockchain technology as Bitcoin, and the file exchange method from BitTorrent, both based on P2P technologies.

Twister is experimental software in alpha phase, implemented as a distributed file sharing system. User registration and authentication is provided by a Bitcoin-like network, so it is completely distributed and does not depend on any central authority. Distribution of posts uses Kademlia distributed hash table (DHT) network and BitTorrent-like swarms, both provided by libtorrent.[10] Included versions of both Bitcoin and libtorrent are highly patched, and intentionally not interoperable with the already existing networks.

Miguel Freitas, aiming to build a censor-resistant public posting platform,[11] began development on Twister in July 2013 to address the concerns of free speech and privacy. Building off the work of Bitcoin and Bittorrent, he was able to have the core working by October 2013. Lucas Leal was hired to create HTML and CSS for the user interface, with Miguel writing required JavaScript code. 2,500 user accounts were registered in the first six days of operation.[12]

As a completely decentralized network, no one is capable of incapacitating Twister since there is not a unique point of attack to the system. Twister uses end-to-end encryption to protect the communications. Furthermore, Twister is designed to prevent other users from knowing your GSM localization, IP address, and who you are following. Users can publish public messages as with other microblogging platforms, but when they send direct messages and private messages to other users, these are protected from unsolicited access.

In an extreme limit case, folks can resort to Friend To Friend or F2F networks where you must know someone who trusts you to gain access:

https://en.wikipedia.org/wiki/Friend-to-friend

A friend-to-friend (or F2F) computer network is a type of peer-to-peer network in which users only make direct connections with people they know. Passwords or digital signatures can be used for authentication.

Unlike other kinds of private P2P, users in a friend-to-friend network cannot find out who else is participating beyond their own circle of friends, so F2F networks can grow in size without compromising their users’ anonymity. Retroshare, WASTE, GNUnet, Freenet and OneSwarm are examples of software that can be used to build F2F networks, though RetroShare is the only one of these configured for friend-to-friend operation by default.

Many F2F networks support indirect anonymous or pseudonymous communication between users who do not know or trust one another. For example, a node in a friend-to-friend overlay can automatically forward a file (or a request for a file) anonymously between two friends, without telling either of them the other’s name or IP address. These friends can in turn automatically forward the same file (or request) to their own friends, and so on.

Dan Bricklin coined the term “friend-to-friend network” in 2000.

While I’d rather we just kept the top web free and open, the simple fact is that the Dark Web has been around for decades and we can easily add other layers. Then it is also possible for any subset of the internet to just move onto a private overlay network of their own. Even a mesh VPN based one if desired, or the simpler F2F sort. There are plenty of P2P services already running on the open internet so that is an option as well.

So the bits will flow. Just a question of over which paths.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Political Current Events, Tech Bits.

7 Responses to Mesh VPN for P2P Networked Services

  1. saighdear says:

    Greetings once again from Bonnie Scotland: How’s the Bread making coming along?
    Don’t know if these comments are open to Public viewing – never see any comments.
    Yes ( sigh) …censorship and attacks on freedom of speech AND freedom to do things. If you don’t belong to big research organisations ( £$ ) how do you develop something like Jas Watt with IC Engines – the ECO FREEKZ take over – and it causes pollution…… all future Mech. developments it seems will HAVE to be linked to Computers/ECUs, etc to control it, etc How do the Jas Watts of the world do that? … and so on. Unnecessary complications for a country Lad.
    Was out in the fields again this morning and was ruminating like the Horses – Beautiful frosty clear morning, leaves twinkling to the ground- but a stench in the nose from nearby Automotive traffic – what kind of Diesel are they burning this last few days – never noticed before OUTSIDE, – only inside near some folk’s Cars. My Tractors DO NOT SMELL like that …… Bio Diesel ? – the root of all Air Pollution ?
    Going back to Bread – One can Bake a Loaf with STANDARD cheapo Flour which doesn’t look ANY DIFFERENT from the special bread-making flour….. just “proving” the point of Spooned Education…..
    Enjoying your writings – bit like ” Letter from America ” by – remember him? Alistair Cooke ?

  2. H.R. says:

    E.M. wrote: “Petulant Insufferable Left”

    I’d add Loony to that so we’d have the Petulant Insufferable Loony Left or PILLs.

    Usage: “The PILLs are demanding that [………].”

    I’m drawing a blank there because my brain is just not loony enough to come up with an example of the loony things that rattle around in the PILLs’ heads, but you get the drift. I’d also note that the PILLs are the useful idiots for the GEBs.
    .
    .
    .
    I’m encouraged to see that the GEBs will never be able to control the flow of information. The internet, with its availability of unfiltered information, is the reason the GEBs have been found out and are losing the control they had when they had a monopoly on what people saw, heard, and read.

  3. jim2 says:

    Checking the EFF web site, I didn’t see any mention of GAB, so sent them an email asking “What about GAB?”

  4. Pouncer says:

    Back to the old days: remember dial-up to local hosts of BBS downloadable files and texts?

    http://textfiles.com/directory.html

    FIDO net?
    https://en.wikipedia.org/wiki/FidoNet

    http://www.bbscorner.com/bbsnetworks/fidonet.htm

  5. E.M.Smith says:

    @H.R.:

    Petulant Insufferable Loony Left Shills – PILLS ?

    The PILLS are demanding that you treat all minorities as “special” – except the minority of white males… (Yes, In California, I’m a small minority. As 1/2 the population is Hispanic and then of the remaining 1/2 they are 1/2 women… that puts non-Hispanic White Male at under 1/4 without even counting the Asians & Blacks… but we are not a “minority”… Go figure.)

    The biggest issue is just that it takes some awareness and effort to set up things like a mesh VPN or private overlay networks. Plus it is obvious when traffic is encrypted. Now the good thing is that as ever more traffic is encrypted (all that https stuff where the S means secure or encrypted) the overlay VPNs are just part of the buzz… I’ve already seen indications that the encrypted comms are no longer being picked out / found / decrypted.

    @saighdear:

    Bread making is on hold as I explore if wheat is evil (gluten and leaky gut, see: https://chiefio.wordpress.com/2018/10/23/lectins-gluten-arthritis-heart-disease-and-your-dinner/ ) but may well return with “gluten free” examples. Time will tell.

    Bread making flour has a slightly larger content of gluten so makes a somewhat more elastic dough and finer grain texture in the cell size. IMHO it works a bit better for sourdough too. But 99% of the bread I’ve ever made has been with “All purpose” flour which is, as ‘all’ would imply, fine for bread. Semolina is best for things like pasta (very high protein content so makes a heavy loaf if you try to make bread with it…) and cake flour has very little gluten protein so gives fluffy cakes that fall apart and fluffy fall apart bread too.

    The different flours do matter, but as it isn’t too much or too little gluten protein, the All Purpose flour can reach to any of the other uses; just not so well in the details. It’s least able to make pasta worth eating, but you can make decent egg noodles with it.

    Yes, bio-diesel has a more acrid burned french fries smell. Acrylamides IIRC. Depending on how it is made. Straight vegetable oil is the most smelly. Biodiesel made with complete removal of the glycerin is the least smelly.

    The new Watts of today are programming computers in grammar school. My old college roommate teaches robotics to high school students as a volunteer position. There are competitive teams and they do tournaments. So each semester there are a few hundred students from local high schools who have demonstrated they can build, and program, a robot for a challenge task.

    Think about that for a moment. A few hundred, every semester, produced just in Silicon Valley alone.

    Those kids are not at all dismayed at the idea of “it has a computer in it that you must program”…

    Oh My! Being compared to Alistair Cooke? I don’t know if my modesty will survive ;-) but thanks!

    @Jim2:

    Good.

    Though it may be about as useful as asking the ACLU where are their 2nd and 10th Amendment cases…

  6. E.M.Smith says:

    @Pouncer:

    In fact, my muse had started with remembering the first mesh network I’d set up – a UUCP based interchange of NetNews.

    UUCP is Unix to Unix Copy and was the first basic data interchange between unix machines. It was mostly used over dial-up systems (modems) but also works over IP based networks or, really, any path of communication.

    We were moving mountains of “News Groups” over it as late as about 1990 at a prior employer (and likely after that – I “moved on” when I was laid off; but I think NetNews continued and I’d not be surprised to find UUCP still in use).

    Looks like it is still in use, but out of favor:

    https://en.wikipedia.org/wiki/Usenet#Decline

    Decline

    Sascha Segan of PC Magazine said in 2008 that “Usenet has been dying for years”. Segan said that some people pointed to the Eternal September in 1993 as the beginning of Usenet’s decline. Segan believes that when pornographers and software crackers began putting large (non-text) files on Usenet by the late 1990s, Usenet disk space and traffic increased correspondingly. Internet service providers questioned why they needed to host space for pornography and unauthorized software. When the State of New York opened an investigation on child pornographers who used Usenet, many ISPs dropped all Usenet access or access to the alt.* hierarchy.

    In response, John Biggs of TechCrunch said “As long as there are folks who think a command line is better than a mouse, the original text-only social network will live on”.

    AOL discontinued Usenet access in 2005. In May 2010, Duke University, whose implementation had kicked off Usenet more than 30 years earlier, decommissioned its Usenet server, citing low usage and rising costs. After 32 years, the Usenet news service link at the University of North Carolina at Chapel Hill (news.unc.edu) was retired on February 4, 2011.

    Usenet traffic changes

    Over time, the amount of Usenet traffic has steadily increased. As of 2010 the number of all text posts made in all Big-8 newsgroups averaged 1,800 new messages every hour, with an average of 25,000 messages per day. However, these averages are minuscule in comparison to the traffic in the binary groups. Much of this traffic increase reflects not an increase in discrete users or newsgroup discussions, but instead the combination of massive automated spamming and an increase in the use of .binaries newsgroups in which large files are often posted publicly. A small sampling of the change (measured in feed size per day) follows:

    Which shows traffic rising all the way to 2018. As you can choose what news groups to carry, or not, it would be fairly simple to just add a “gab.ai” news group and tunnel all their traffic through Usenet. Hmmm…. It might be amusing to set up a Usenet News server on a R. Pi for one news group and just see how well it works. I’d need to find a site willing to send me data, but that ought not be too hard.

    They have a map of the layout of Usenet in 1981 in that article. I find it amusing that Apple is not on it. I joined Apple a year or two after that and by the mid 1980’s to early 1990’s Apple was one of the major hubs for Usenet News distribution. I ran it on Apple Vax, our “Honey Pot” machine ;-) So it was highly visible and very active as a machine, and a lot of Apple folks had accounts on it (they had to agree to put nothing of importance on it, nothing secret) for “reading news”. It was at the same time our most visible site and widely used for communications with folks outside the company AND the Honey Pot where attackers would be drawn for their first attacks. (A mostly idle nearly dead Honey Pot is not nearly as attractive and sets off alarm bells in the attacker…)

    Note that as long ago as the 1980s there were sites shutting down access as “pornographers” were using the system… The attempt to “stop the bits” has been ongoing and relentless and failing from the start of “social networking”…

    From the top of that link:

    Usenet (/ˈjuːznɛt/) is a worldwide distributed discussion system available on computers. It was developed from the general-purpose Unix-to-Unix Copy (UUCP) dial-up network architecture. Tom Truscott and Jim Ellis conceived the idea in 1979, and it was established in 1980. Users read and post messages (called articles or posts, and collectively termed news) to one or more categories, known as newsgroups. Usenet resembles a bulletin board system (BBS) in many respects and is the precursor to Internet forums that are widely used today. Discussions are threaded, as with web forums and BBSs, though posts are stored on the server sequentially. The name comes from the term “users network”.

    One notable difference between a BBS or web forum and Usenet is the absence of a central server and dedicated administrator. Usenet is distributed among a large, constantly changing conglomeration of servers that store and forward messages to one another in so-called news feeds. Individual users may read messages from and post messages to a local server operated by a commercial usenet provider, their Internet service provider, university, employer, or their own server.

    Usenet has significant cultural importance in the networked world, having given rise to, or popularized, many widely recognized concepts and terms such as “FAQ”, “flame”, and “spam”.

    Yes, I’ve been up to my eyeballs in this whole social networking / banning thing for about 36 years… Through several generations of communications layer ( we started with a 9600 baud modem link at Apple eventually upgrading to a T1 to Olivetti who were just down the street – this was before the era of ISPs and everyone had to ‘find a friend’ to make point to point hard leased line connections into the shared network space. Essentially the same process as setting up that VPN mesh today, but using leased lines and modems not an underlying internet) and through several generations of “social networking”…

    And all the old layers are still available. I still have a modem and I could easily set up a UUCP link with friends and start a Gab News Group and then it would just depend on folks finding another friend or two each and ‘setting up a link’. It would be faster and easier to do that with tinc over the internet now, but it could still be done the old way.

    Similarly, it would be quite possible to set up a web server that ran over such a VPN and then all the browser based stuff would be the way folks use it today. The application doesn’t know what network it runs over…

    There is an embarrassment of riches in communications paths, protocols, encryption methods, applications layer agents. The hard part is just choosing one to use ;-) Trying to police all of them and all of the combinations has never worked very well. Shutting it off has failed miserably.

  7. noneofyour goddamnbusiness says:

    Try onionshare. It’s not pretty…you won’t be able to host your own professional webpage – but it’s very easy, very secure, and very adequate for spreading Samizdat. And it gets better with each release.

    V3 onions support very long secure urls with security cookies. Next version of onionshare likely will support everything (right now you are limited to V2 onions if you use security cookies).

    Can’t get much easier or more secure.
