Netrinos creates a LAN-like overlay network across your devices. Connections are direct P2P via WireGuard, with no central server routing traffic. Each device gets a stable IP and DNS name (pc.you.netrinos.com). When direct connections fail, they fall back to a relay server that's still encrypted end-to-end. We can't see your traffic.
The most challenging problem to solve was NAT traversal. UDP hole punching works most of the time. The rest is a cocktail of symmetric NAT, CGNAT, and serial NATs. We use STUN-style discovery and relay fallback for the edge cases. I was surprised by how unreliable low-end ISP routers really are, and how much technical wizardry it takes to hide that behind a clean, simple UX.
Our stack is a Go backend for client and server, WireGuard kernel mode for Linux and Windows (macOS is userspace), Wails.io for cross-platform UI. WireGuard does all the heavy lifting. Go ties it all together.
Popular use cases include: RDP to home PCs, accessing NAS without exposing it, and SSH into headless Linux boxes. One customer manages hundreds of IoT devices in the field, eliminating the need to deal with customer routers.
We just released Pro with multi-user, access control, and remote gateway routing. Personal is free (up to 100 devices).
I'd love to hear what you expect from a simple mesh VPN, what's missing from current tools, and what's lacking from your remote access setup. Use code HNPRO26 for a 30-day trial of Pro.
dewey•1mo ago
Edit: Just found this post https://netrinos.com/blog/tailscale-alternatives-2025, so it looks like main differentiator is pricing right now.
felixg3•1mo ago
sh3rl0ck•1mo ago
One isn't.
bongodongobob•1mo ago
antonvs•1mo ago
That relaxation tends to have ripple effects - once you allow tunneling tools in for one purpose - like SaaS integration - then it becomes more normalized and people start using it for other purposes.
observationist•1mo ago
Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.)
If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on.
Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security.
Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly.
panarky•1mo ago
idiotsecant•1mo ago
wkat4242•1mo ago
Also there's different classes of state sponsored APT groups. You won't stand a chance against the NSA but there's a lot of state sponsored groups in Russia that are just looking for low hanging fruit to get some foreign money for their regime.
hugo1789•1mo ago
Network controls alone don’t stop exfiltration. HDMI/DP can move data faster than most consumer NICs. Does the system account for that scenario?
wkat4242•1mo ago
Same with RBAC. It's not perfect because some people need legit access to stuff and it can be abused. But it makes it much harder for bad actors.
panarky•1mo ago
Stop signs alone don't stop all traffic accidents.
observationist•1mo ago
The actual fix for things like that is to ensure that your sensitive data is properly protected, and things that you don't want exfiltrated aren't put into scenarios where exfiltration is possible. If you need to compromise on security for practicality, then make those exceptions highly monitored with multiple people involved in custody and verification. Zero trust means you don't give any of your users or host devices any trust at all, and modern security software can require multiple party approvals and MFA.
You can use a phone to scan documents as you scroll through them, or mitm hardware devices that appear to be part of a cable, or all sorts of sneaky shenanigans, and it's a never-ending arms race, so you have to decide what level of convenience is worth what level of risk and make policies enforceable and auditable. In some cases that might mean SCIF level security with metal detectors and armed guards, in other cases it might mean ensuring a good password policy for zip files shared via email.
Inconveniencing users by limiting web access and doing the TSA style performative security thing is counterproductive. This doesn't mean you give them install rights, or you don't log web activity, or run endpoint malware scanning, or have advanced unusual activity monitoring on the network and so forth. It just means if Sally from accounting wants to go shopping for ugly christmas sweaters for staff on Etsy, she doesn't have to fill out forms in triplicate and wait 3 months while the IT department gets approvals and management has meetings and the third party security vendor does a policy review and assessment before signing off on it, or telling her no.
sh3rl0ck•1mo ago
However, they have failed to provide isolated networks for the research labs which just need it for even downloading LLMs (they have banned huggingface!).
Moreover, a hostel is residential. They should provide either the option of getting an external connection (which I would happily do!) or provide a means of non-stupid internet which they aren't.
sh3rl0ck•1mo ago
I'm from a cybersec and devops background, and the IT admin here is just an ancient family-appointed person with no idea of how stuff works and with a lot to gain from under the table corporate dealings.
This is a man who believes that 15 megabit is sufficient bandwidth for CompSci students in their hostels (not the college, mind you, the hostel specifically) and decided that banning games was a "hero move".
Vendor locked into Sophos and a custom third party provider, these people have zero idea about what they're doing. I've met them various times and had various discussions up and down the org chart - this is a man who thinks he should have full access to every student's browsing history in their own time and that all VPNs are the same (he doesn't know how VPNs work btw) and allow for evasion from their network policies.
It's all a bit cursed because he fear-mongers the upper echelons of the college administration by showing them made up logs saying "students are hacking the network" to justify this.
c0balt•1mo ago
After two weeks of back and forth the wireguard packets were still being discarded somewhere by a firewall/router thanks to "deny VPNs by default". Tailscale got through those immediately though by using their relays + one of the workarounds for standard wireguard ports being blocked. Point being, the service provided by a mature solution like Tailscale for punching through networks is surprisingly effective even for corporate-level networks.
pcarroll•1mo ago
Imustaskforhelp•1mo ago
sh3rl0ck•1mo ago
linsomniac•1mo ago
- Connected to my phone hotspot in the car outside my son's therapist, it worked for months, but then for 2-3 weeks tailscale wouldn't connect. Browsing worked fine. In the 6 weeks since then, it's worked fine.
- A couple nights ago I was in a Holiday Inn Express. I could successfully connect to tailscale, and ssh to machines at the office (which has tailscale on a public IP, but couldn't pass traffic to my machine at home (behind NAT, we have a DERP next to the machine at the office and also another one on the headscale node at AWS). Maybe they blocked the DERP port?
pcarroll•1mo ago