No-one can access your device by default. You have to actively allow them via the "services" section in the config.
What I understood: it is basically overlaying privacy and net neutrality on the internet.
I am therefore restricted to communicating with other users of mycoria and can't access "the whole Internet" via mycoria.
Am I correct?
What isn't clear for end users, IMO:
- What's the primary use case it was built for? Are there applications using it for chatting / exchanging data / whatever?
- what's the difference to similar projects like, say, yggdrasil?
- what's the difference to using a VPN?
You can use it for pretty much anything you would use a VPN for, but it is much easier to configure and secure by default with a built-in firewall. Only services you actively expose are reachable by others - by default nothing on your device can be accessed by others.
In the future, it will also provide some amount of privacy on the network.
I think the biggest user-facing difference is the ease of configuration (ie. none) - if Mycoria had proper installers.
Ease of configuration is very much also a feature of the finest VPN software I've ever used, Wireguard.
Mycoria aims to interconnect participants. Eg. you and your friend all have their home server. Everyone wants to connect to their own server, but also to the server of their friends. All of this is super easy with Mycoria. Let a new friend install Mycoria, add them to your friends in the config and give them a URL for accessing. Voila!
Also, Mycoria is an automatic mesh network, I think Wireguard requires a fixed set of peers you configure.
Not really. One can add as many peers (though there's a artificial limit to just how many, I think) at runtime. It isn't fixed. Products like Tailscale couldn't be built otherwise.
A VPN is used to create (the illusion of) privacy when accessing anything on the internet.
But I can't access anything that's not connected to mycoria with it, can I? If I were to access something like Netflix, would I need something like a mycoria reverse proxy server for Netflix?
In an open mesh network, you still want privacy from the other network participants.
Mycoria might have exit nodes similar to Tailscale in the future, but it won't be a fan-out multi-exit system like SPN, for example.
Firms could replace their VPNs for remote work with mycoria and have better security and control.
I could also set this up for my home network and access my (for example) NAS securely.
For the use-case "I want to access a publicly available page anonymously", we still need a VPN / TOR.
What comes to mind to me analogously (more from my experiences than anything) is like a global tailnet that leans on firewalls to segment things?
A cross between tor and a vpn is quite appropriate too
Mycoria has in integrated firewall for this, just in case that information got lost somewhere.
This also means that devices of the company will help other devices of the company to reach their destination, adding to resilience in outages and emergencies.
You can of course build bridges between these networks. This definitely something that is planned.
Not really. Some more recent "VPN" products position themselves that way, but traditionally a VPN has been a way to have something that behaves like a private LAN between computers that are not physically connected to each other (hence the name).
As was patiently explained to me, Mycoria relies to quite an extent on the network effect: you can only use it if other nodes are using it, using it by yourself does not make sense. So the informed layperson's perspective is relevant here. That's why I insist on "dumbing it down" :D
Names are hard.
Personally this Mycoria reminds me more of a global tailnet I.e tailscale's VPN
It would be more correct to call such a provider a secure (two-way) proxy service (and in the past people did), but for some reason they went with VPN and that stuck.
Mycoria is basically the textbook definition of a VPN.
VPN = Virtual Private Network. It’s (historically) a way of tunneling segregated / encrypted traffic over another network - generally to allow access to another private network or similar. That’s exactly what this is.
Protocol wise, consumer VPN is using traditional VPN protocols, but it’s effectively being used as secure proxy.
Any node on the network can find my node via mDNS discovery and access any services which I expose. Services need to be secured in the same way I'd do on the public Internet, and not in the same way I do on a trusted private network between a few trusted nodes.
That said, I do believe this is useful in a lot of scenarios where a VPN might be too much work to set up. While one does need to ensure that all services do authentication, the encryption part is valuable, and this does ease exposing services from non-routable nodes with no consistent public IP.
Also, multicast is completely disabled on Mycoria.
A little more background info for my fellow HN people:
I've spent that last 8 years building privacy technology at Safing as Co-Founder/CTO. The biggest technological achievement there was undoubtedly the SPN (previously called Port17/Gate17): A privacy network (ie. a layer-5 proxy), fitting in the niche between VPNs and Tor. Impossible to misconfigure, good speeds and way superior privacy to VPNs using onion encryption and decoupled authentication/authorization. Funnily enough, this (decoupled auth) is what was later implemented by Apple Private Relay and Google One VPN.
SPN worked great for the most part, but scaling was hard. With the decision to make it a layer-5 proxy for decreased metadata and improved privacy, this meant that also traffic and congestion control had to be re-implemented - no easy feat, and still causing issues.
Meanwhile, I have followed and read a lot about cjdns and Yggdrasil over the past few years and was intrigued by their ideas how to do networking.
After some interesting talks in November 2023, I was at the point where I just wanted to know how far I would get - with all the experience and knowledge I had up to that point - implementing a scalable layer-3 mesh network, that still allowed for some privacy and full security. I spent most evenings of a couple months building it and was surprised how well it went.
Sadly, after a decent MVP and a first friend using it in small scale production, I did not have the time to work on it further.
But I am currently starting a new project, where I will make good use of it, so it will see quite some more development in the coming years!
So, Mycoria works, at least on small scale for now, but is more or less MVP.
Thanks for reading, I hope you have fun poking around and trying it out!
I am also happy to answer any questions you have here!
If you want actually good privacy with a VPN, also good luck with that. (There are very few good companies doing the best they can here, but they are still limited technologically.)
SPN can be seen as my attempt to solve both of these issues.
Mycoria routers, proxies, Tor exit nodes, and VPNs are difficult to run. There needs to be an global incentive, economy, or private community usually. Our Delft University students wrote "The fifteen year struggle of decentralizing privacy-enhancing technology" a decade ago. Scaling to many millions or billions is unsolved.
Have you talked to any lawyer or law professor about your MVP? "Being welcome" has known drawbacks when you operate a central DNS service.
Interesting. Can you link that paper/article?
The DNS is not central. Everyone maintains their own local mapping. When accessing a website on mycoria, you open a URL like this that first creates the mapping and then forwards you to it: http://router.myco/open/speedtest.de.myco/fd13:6239:a07a:eb4...
I'm not who you asked, but this appears to be the article:
Transport is custom in order to support source routing, but I use the WireGuard library for setting up the interface and such.
(I have experience with cryptography in network protocols from Safing/SPN - the cryptography of which was audited without fault. Also, I am _very_ cautious and keep to standards as close as possible.)
How does peer discovery work? Where do the region buckets live?
Any specific reason why you didn't use the standard based segment routing for source routing support, that can be adopted at layer 3 instead of custom layer 4 transport [2]?
For security analysis did you use BAN logic and ProVerif tool for verification [3], [4]?
[1] Gnutella:
https://en.wikipedia.org/wiki/Gnutella
[2] Segment routing:
https://en.wikipedia.org/wiki/Segment_routing
[3] Burrows–Abadi–Needham (BAN) logic:
https://en.wikipedia.org/wiki/Burrows%E2%80%93Abadi%E2%80%93...
[4] ProVerif:
I wasn't really aware segment routing, tbh. However, I do think with where Mycoria is going, the additional control to change things as needed will be required.
I have used VerifPal https://verifpal.com/ for security analysis before, but not yet with Mycoria.
Can you do a comparison with I2P?
Geo encoding simply improves routing to unknown routers, kind of as a baseline structure to the whole network.
But the consistent theme I see with similar solutions is that they ignore the commercial aspect of such solutions. I don't know if you have mass adaption in mind, but the more people use it, I would presume the privacy and anonymity properties would improve? If so, then have you considered introducing participation incentives (financial or not)? That seems to be the critical problem in this space that needs solving, standardized anonymous payment for infrastructure service providers in the network.
Yes, I would expect the privacy would increase by some degree with more users, but I don't know by how much.
Although I will be using the technology in future projects, so Mycoria will benefit from that.
See https://github.com/mycoria/mycoria/blob/master/m/geo_marker....
In the future, non-routable private addresses will solve that for users that require it.
friends: - name: alice # This is your laptop ip: fd1f:2cd5:6feb:7aa7:d674:1b3c:c82c:dfc"
May I suggest r/friend/peer. This is not motivated by pedantry. Relational semantics that are not closed over by the domain of user-agent (in the broadest sense) should not be used in the infrastructure layer. My laptop's server is a user-agent of mine as is the instance running on my phone; they are peers.
Applications built on top of this substrate will be (generally) concerned with social relationships of users and 'friend' et al. will be of use in those layers.
a rationale/comparison section on the front page would be nice.
I would have thought libp2p is library enough to not be comparable. Am I wrong?
Mycoria is a ready-to-run software.
I eventually figured out how to do it but decided not to use the library. However, there is still a real need for an easy to use p2p library for Go that can do some NAT traversal. It's a real pity that the developer of github.com/perlin-network/noise stopped working on it.
But to be honest, the web3 / blockchain vibes are an instant turn off.
(Let's see how the votes turn out for this comment. ;) )
Note: If you _need_ a blockchain in your VPN, I would say https://nym.com/ is the most trustworthy of them out there at the moment.
There's a wholespace of what's known as "dVPNs". I like the concept behind saurik et al's https://orchid.com/vpn; it was specifically marketed as a Tor replacement (with built-in micropayments): https://news.ycombinator.com/item?id=15576457
1) the storage/comm layer (has not much to do with web3/blockchain stuff)
2) the incentive layer to encourage cooperation/participation, and to make the various attacks expensive.
without a functional 2) i'm yet to be convinced that it's possible to create a truly distributed censorship resistant 1).
When accessing a website on mycoria, you open a ULR like this that first creates the mapping and then forwards you to it: http://router.myco/open/speedtest.de.myco/fd13:6239:a07a:eb4...
Will read through it later! Thanks!
Tailscale has central policies. Mycoria is more like a collective where you can offer services to everyone else within the network.
> fd1f:2cf7:903:b50b:e4cb:5c4c:270e:360c
> This does not merely look like an IPv6 address, it is one. But it's also more than that: These addresses are generated by first creating a public/private key pair and then hashing the public key. This means, this IPv6 address is also the fingerprint of the public key of the router
> This way you can distribute both the Mycoria address of a router and its public key with a single data point: An IPv6 address.
What?
* Then how does a computer figure out how to ping that?
* You say it's distributing both the address and the public key with a single data point, but you're hashing it. So, you can restore the public key from the IP if you already know the public key, does everyone store every public key that's currently in use? Are there central stores somewhere that are eventually consistent?
There is not central store. This is done on the fly.
Thanks!
Mycoria focuses a more on scalability, but still has some privacy focus.
This does generally mean no anonymity (and limited privacy)…
With private addresses (in the future) this will also be solved, as Mycoria will be able to temporary addresses / IDs.
But ultimately I always feel uneasy and reluctant to get involved in general decentralized type things as I feel like I'll just be facilitating people sharing/distributing kiddie porn.
At least with Tailscale things are "private", but with this it feels like I would be part of the wider network. Will I be using my nodes to help route CP traffic?
Good luck, Mr. Big Brother!
The Internet should never have been invented, then, right? Same with letters, Facebook, cars, guns, knifes, farming, ...
I hate to nitpick but this project looks promising enough - and the new project you mentioned interesting enough - that I feel the need to. From your FAQ:
> First, there is some structure to the router IPs. While there are special purpose prefixes, most IPs will be in a geo-marked prefix. Every country (+ States in the US) has their own prefix within Mycoria. This means that on the global level, Mycoria routers in the same country share the same prefix. These prefixes are also (tendentially) similar to nearby countries.
Second, within a country prefix, Mycoria uses address-distance routing. This means that packets are sent in the direction of the "address-nearest" other router known. While this is not the most efficient way to route packets, it does work quite well with some additional steps - especially if confined to a smaller geographic region, as Mycoria is doing.
My commentary: One of the unfortunate lessons we learned from the IPv4 internet and management of IANA IPs by the different RIRs (and the subsequent tagging of IPv4 blocks with geographic information) is that layer-8 folks love the idea of layering policy on top of geographic tags. (E.g.: Maxmind says your address is in Pakistan, and according to Pakistani law content offered by another address is verboten, ergo you are blocked.)
Geographic awareness built in to network prefixes may be used against your users in ways that you'd prefer to avoid. Or perhaps it's an acceptable tradeoff for you - it's easy to envision scenarios where 'the juice is worth the squeeze' and users derive enough benefit from geo-aware prefixes to accept the drawbacks. If it's the former, I'd recommend investigating moving from geo-aware prefixes ("I'm within X miles of other people in this jurisdiction") to latency-aware prefixes ("I'm within X ms of other people within this prefix").
(Steelmanning my own recommendation - it's possible that anyone trying to implement layer 8 policies on top of geographical-aware prefixes will just willfuly misinterpret latency-aware prefixes as being close enough to them, which would mean a lot of wasted effort for nothing).
Anyway, just my two cents. Again, very cool project, looking forward to seeing what you build on top of it!
This is what I hope to solve with the private addresses: These are not geo-marked and not routable. Eg. they are randomly generated and cannot be attributed to a geographic location (easily).
If you have a decent amount of private addresses in the mix (1) such that blocking them would 'break' the mycoria experience(2) then it sounds like you've got a decent solution here - geo-aware prefixes for convenience and private addresses for when you'd prefer the anonymity.
1) I freely confess to not knowing what percentage a good mix would be. 20%? 5%? In practice, going back to the VPN example for IPv4, it's "a high enough percentage of important users complaining that their VPN connections are broken for a long enough time". Depending on the jurisdiction that can be 1% (well off / well connected people in a jurisdiction complaining to the right people that in turn overwhelm management with their complaints) to >20% (not necessarily well off or well connected users, but a critical mass that instead overwhelms ISP help desks with complaints).
2) Assumption: mycoria / the app you're building on top of it becomes so important that breaking it completely is a non-starter for the average ISP.
The "iana" field in the configuration kind of suggests that this is not a goal, and this system is basically Tailscale but with IPv6 and a global namespace. But if this is the case, I don't really understand the emphasis on "routing", since pretty much every Internet host can reach pretty much every other Internet host directly using NAT traversal techniques (like BitTorrent does).
If you are trying to hide public-Internet IP addresses (like Tor hidden services do), the routing scheme still doesn't make a ton of sense to me, because presumably you wouldn't want to leak data by picking routes with a deterministic or latency-dependent strategy.
Semi-public authorized access networking really is the future of a more private but more distributed Internet in the age of state sponsored hackers and IoT DDoS bot farms.
Most of these have fallen on their faces because they can't get sufficient adoption rates, and a big part of that is because they refuse to acknowledge that 90%+ of the desktop computer market isn't running Linux or BSD.
Some of them include a half-assed attempt at a Windows client and few if any support MacOS despite it having something like 20-30% of the desktop market
doener•3d ago