by pedrocr 2384 days ago
I've been using tinc[1] as a way to get a mesh VPN on all my machines that works even if some of them are behind restrictive firewalls. It works really well and I've automated the setup with puppet so I just deploy it automatically any time I bring up a machine. Highly recommended.

Anyone know if there has been any recent work on making wireguard cover this use case? I'm not really worried about security as I treat this overlay network as just as insecure as any other (running ssh over it) and mitigate exploits by running the tinc daemon as a normal user. But it would still be nice to get more performance and security from an in-kernel quality solution like wireguard.

[1] https://tinc-vpn.org/

2 comments

I use zerotier[1] in a similar fashion, and I don't think there's any out-of-the-box solution to get wireguard to do "smart" routing (have two hosts on the same switch talk directly, still be able to talk to a server in a remote datacenter and a client roaming on cellular - with multicast and mDNS/bonjour working seamlessly).

It should be possible to set something up - but I believe you'd need some kind of managing daemon that helped nodes rendezvous and set up routes.

[1] https://www.zerotier.com

I use zerotier in a similar fashion. It has been great.

The site mentions compression. I was under the impression that encryption and compression don't always play well together?
Properly encrypted data is basically impossible to compress. Lossless compression requires repeating patterns in the data and lossy compression requires an ability to understand the content. Since properly encrypted data should be indistinguishable from random noise, neither of these things apply.

Compressing first and then encrypting the compressed data works fine though.
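The point made in the reply above can be checked empirically. The following is an added example, not code from the thread or from tinc/zerotier: it measures how much zlib can shrink a repetitive payload, the same payload after encryption, and the compress-then-encrypt ordering. The keystream function is an illustrative SHA-256 counter-mode construction chosen only so the script runs with the standard library; it is an assumption of this example, not the cipher any of the VPNs use, and the sample traffic and key are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Illustrative only (assumption of this example): a real VPN would use an
    authenticated cipher. All that matters here is that the output of a sound
    cipher is indistinguishable from uniformly random bytes, which is the
    property that defeats compression. XOR is its own inverse, so calling this
    twice with the same key returns the original data.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def compressed_size(data: bytes) -> int:
    """Bytes zlib needs at its highest level for the given input."""
    return len(zlib.compress(data, 9))


def encrypt_then_compress(plaintext: bytes, key: bytes) -> int:
    """Wire size if a tunnel compresses after encrypting (the bad order)."""
    return compressed_size(keystream_xor(key, plaintext))


def compress_then_encrypt(plaintext: bytes, key: bytes) -> int:
    """Wire size if a tunnel compresses first, then encrypts."""
    return len(keystream_xor(key, zlib.compress(plaintext, 9)))


# Constructed sample traffic: repetitive text, the kind of payload that
# compresses well (repeated HTTP headers, log lines, and so on).
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: mesh.example\r\n"
          b"User-Agent: curl/7.0\r\n\r\n") * 50
KEY = b"\x01" * 32  # constructed fixed key so the demo is deterministic


def demo() -> dict:
    """Return the four sizes so they can be compared side by side."""
    return {
        "plaintext": len(SAMPLE),
        "compressed_plaintext": compressed_size(SAMPLE),
        "encrypt_then_compress": encrypt_then_compress(SAMPLE, KEY),
        "compress_then_encrypt": compress_then_encrypt(SAMPLE, KEY),
    }


if __name__ == "__main__":
    for name, size in demo().items():
        print(f"{name:>22}: {size} bytes")
```

Running it shows the compressed plaintext at a small fraction of its original size, the encrypt-then-compress output slightly larger than the plaintext (zlib falls back to stored blocks and adds framing), and compress-then-encrypt exactly as small as the compressed plaintext, since encryption does not change length. One caveat for the compress-then-encrypt order: the ciphertext length then depends on the plaintext content, which is the side channel behind the CRIME and BREACH attacks on TLS compression and one reason several modern protocols leave compression off entirely.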