No-one can access your device by default. You have to actively allow them via the "services" section in the config.
What I understood: it is basically overlaying privacy and net neutrality on the internet.
I am therefore restricted to communicating with other users of mycoria and can't access "the whole Internet" via mycoria.
Am I correct?
What isn't clear for end users, IMO:
- What's the primary use case it was built for? Are there applications using it for chatting / exchanging data / whatever?
- What's the difference to similar projects like, say, yggdrasil?
- What's the difference to using a VPN?
You can use it for pretty much anything you would use a VPN for, but it is much easier to configure and secure by default with a built-in firewall. Only services you actively expose are reachable by others - by default nothing on your device can be accessed by others.
In the future, it will also provide some amount of privacy on the network.
I think the biggest user-facing difference is the ease of configuration (i.e. none) - if Mycoria had proper installers.
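The "only services you actively expose are reachable" point above is a default-deny policy: an inbound connection is allowed only if a service is configured for that port and the source is permitted. The following Go program is an added illustration, not Mycoria's own code or config schema; the JSON layout, the `Service`/`Firewall` types and the `fd00:1234::/32` friend prefix are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Constructed config for this example. It mirrors the idea of a "services"
// section listing what a router exposes; it is not Mycoria's real schema.
const sampleConfig = `{
  "services": [
    {"name": "ssh",  "port": 22, "friends": ["fd00:1234::/32"]},
    {"name": "http", "port": 80, "public": true}
  ]
}`

type Service struct {
	Name    string         `json:"name"`
	Port    uint16         `json:"port"`
	Public  bool           `json:"public"`  // reachable by any router on the network
	Friends []netip.Prefix `json:"friends"` // otherwise only sources inside these prefixes
}

type Config struct {
	Services []Service `json:"services"`
}

// Firewall is a default-deny policy: a destination port is reachable only if
// a service is configured for it, and then only by the sources it permits.
type Firewall struct {
	byPort map[uint16]Service
}

// LoadFirewall parses the config and rejects a port exposed twice, so the
// policy for a port is never ambiguous.
func LoadFirewall(raw string) (*Firewall, error) {
	var cfg Config
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	fw := &Firewall{byPort: make(map[uint16]Service)}
	for _, s := range cfg.Services {
		if _, dup := fw.byPort[s.Port]; dup {
			return nil, fmt.Errorf("port %d exposed twice", s.Port)
		}
		fw.byPort[s.Port] = s
	}
	return fw, nil
}

// Allow decides whether an inbound connection from src to dstPort is permitted.
// The second value explains the decision; that text is what an audit log wants.
func (fw *Firewall) Allow(src netip.Addr, dstPort uint16) (bool, string) {
	svc, ok := fw.byPort[dstPort]
	if !ok {
		return false, fmt.Sprintf("deny: port %d is not exposed", dstPort)
	}
	if svc.Public {
		return true, fmt.Sprintf("allow: %s is public", svc.Name)
	}
	for _, p := range svc.Friends {
		if p.Contains(src) {
			return true, fmt.Sprintf("allow: %s from friend prefix %s", svc.Name, p)
		}
	}
	return false, fmt.Sprintf("deny: %s from %s, not a friend", svc.Name, src)
}

func main() {
	fw, err := LoadFirewall(sampleConfig)
	if err != nil {
		panic(err)
	}
	friend := netip.MustParseAddr("fd00:1234::1")   // constructed friend address
	stranger := netip.MustParseAddr("fd00:9999::1") // constructed unknown router
	cases := []struct {
		src  netip.Addr
		port uint16
	}{{friend, 22}, {stranger, 22}, {stranger, 80}, {stranger, 5432}}
	for _, c := range cases {
		ok, why := fw.Allow(c.src, c.port)
		fmt.Printf("%-14s -> :%-5d %v (%s)\n", c.src, c.port, ok, why)
	}
}
```

Unlisted ports are denied before any source check runs, which is the property that makes "nothing on your device can be accessed by others" hold even when a new daemon starts listening.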
Ease of configuration is very much also a feature of the finest VPN software I've ever used, Wireguard.
Mycoria aims to interconnect participants. Eg. you and your friend all have their home server. Everyone wants to connect to their own server, but also to the server of their friends. All of this is super easy with Mycoria. Let a new friend install Mycoria, add them to your friends in the config and give them a URL for accessing. Voila!
Also, Mycoria is an automatic mesh network, I think Wireguard requires a fixed set of peers you configure.
Not really. One can add as many peers (though there's an artificial limit to just how many, I think) at runtime. It isn't fixed. Products like Tailscale couldn't be built otherwise.
A VPN is used to create (the illusion of) privacy when accessing anything on the internet.
But I can't access anything that's not connected to mycoria with it, can I? If I were to access something like Netflix, would I need something like a mycoria reverse proxy server for Netflix?
In an open mesh network, you still want privacy from the other network participants.
Mycoria might have exit nodes similar to Tailscale in the future, but it won't be a fan-out multi-exit system like SPN, for example.
Firms could replace their VPNs for remote work with mycoria and have better security and control.
I could also set this up for my home network and access my (for example) NAS securely.
For the use-case "I want to access a publicly available page anonymously", we still need a VPN / TOR.
What comes to mind to me analogously (more from my experiences than anything) is like a global tailnet that leans on firewalls to segment things?
A cross between tor and a vpn is quite appropriate too
Not really. Some more recent "VPN" products position themselves that way, but traditionally a VPN has been a way to have something that behaves like a private LAN between computers that are not physically connected to each other (hence the name).
As was patiently explained to me, Mycoria relies to quite an extent on the network effect: you can only use it if other nodes are using it, using it by yourself does not make sense. So the informed layperson's perspective is relevant here. That's why I insist on "dumbing it down" :D
Names are hard.
Personally this Mycoria reminds me more of a global tailnet, i.e. Tailscale's VPN.
It would be more correct to call such a provider a secure (two-way) proxy service (and in the past people did), but for some reason they went with VPN and that stuck.
Mycoria is basically the textbook definition of a VPN.
Any node on the network can find my node via mDNS discovery and access any services which I expose. Services need to be secured in the same way I'd do on the public Internet, and not in the same way I do on a trusted private network between a few trusted nodes.
That said, I do believe this is useful in a lot of scenarios where a VPN might be too much work to set up. While one does need to ensure that all services do authentication, the encryption part is valuable, and this does ease exposing services from non-routable nodes with no consistent public IP.
A little more background info for my fellow HN people:
I've spent the last 8 years building privacy technology at Safing as Co-Founder/CTO. The biggest technological achievement there was undoubtedly the SPN (previously called Port17/Gate17): A privacy network (i.e. a layer-5 proxy), fitting in the niche between VPNs and Tor. Impossible to misconfigure, good speeds and way superior privacy to VPNs using onion encryption and decoupled authentication/authorization. Funnily enough, this (decoupled auth) is what was later implemented by Apple Private Relay and Google One VPN.
SPN worked great for the most part, but scaling was hard. With the decision to make it a layer-5 proxy for decreased metadata and improved privacy, this meant that also traffic and congestion control had to be re-implemented - no easy feat, and still causing issues.
Meanwhile, I have followed and read a lot about cjdns and Yggdrasil over the past few years and was intrigued by their ideas on how to do networking.
After some interesting talks in November 2023, I was at the point where I just wanted to know how far I would get - with all the experience and knowledge I had up to that point - implementing a scalable layer-3 mesh network, that still allowed for some privacy and full security. I spent most evenings of a couple months building it and was surprised how well it went.
Sadly, after a decent MVP and a first friend using it in small scale production, I did not have the time to work on it further.
But I am currently starting a new project, where I will make good use of it, so it will see quite some more development in the coming years!
So, Mycoria works, at least on small scale for now, but is more or less MVP.
Thanks for reading, I hope you have fun poking around and trying it out!
I am also happy to answer any questions you have here!
If you want actually good privacy with a VPN, also good luck with that. (There are very few good companies doing the best they can here, but they are still limited technologically.)
SPN can be seen as my attempt to solve both of these issues.
Mycoria routers, proxies, Tor exit nodes, and VPNs are difficult to run. There needs to be a global incentive, economy, or private community usually. Our Delft University students wrote "The fifteen year struggle of decentralizing privacy-enhancing technology" a decade ago. Scaling to many millions or billions is unsolved.
Have you talked to any lawyer or law professor about your MVP? "Being welcome" has known drawbacks when you operate a central DNS service.
Interesting. Can you link that paper/article?
The DNS is not central. Everyone maintains their own local mapping. When accessing a website on mycoria, you open a URL like this that first creates the mapping and then forwards you to it: http://router.myco/open/speedtest.de.myco/fd13:6239:a07a:eb4...
I'm not who you asked, but this appears to be the article:
Transport is custom in order to support source routing, but I use the WireGuard library for setting up the interface and such.
(I have experience with cryptography in network protocols from Safing/SPN - the cryptography of which was audited without fault. Also, I am _very_ cautious and keep to standards as close as possible.)
Any specific reason why you didn't use the standard based segment routing for source routing support, that can be adopted at layer 3 instead of custom layer 4 transport [2]?
For security analysis did you use BAN logic and ProVerif tool for verification [3], [4]?
[1] Gnutella:
https://en.wikipedia.org/wiki/Gnutella
[2] Segment routing:
https://en.wikipedia.org/wiki/Segment_routing
[3] Burrows–Abadi–Needham (BAN) logic:
https://en.wikipedia.org/wiki/Burrows%E2%80%93Abadi%E2%80%93...
[4] ProVerif:
I wasn't really aware of segment routing, tbh. However, I do think with where Mycoria is going, the additional control to change things as needed will be required.
I have used VerifPal https://verifpal.com/ for security analysis before, but not yet with Mycoria.
What happened to referring to individual, topic-specific sites? WP has so many issues with both its data, and their governance.
Oh, I guess it's just people being lazy. _I_ don't trust WP for domain-specific knowledge at all.
Indeed. See "Canceling Disputes": https://www.cambridge.org/core/services/aop-cambridge-core/c....
Here are some non-Wiki links:
Gnutella: https://computer.howstuffworks.com/file-sharing.htm
Segment routing: https://www.segment-routing.net/
BAN Logic: https://www.cdk5.net/security/Ed2/BANLogic.pdf
and ProVerif: https://bblanche.gitlabpages.inria.fr/proverif/
Can you do a comparison with I2P?
But the consistent theme I see with similar solutions is that they ignore the commercial aspect of such solutions. I don't know if you have mass adoption in mind, but the more people use it, I would presume the privacy and anonymity properties would improve? If so, then have you considered introducing participation incentives (financial or not)? That seems to be the critical problem in this space that needs solving, standardized anonymous payment for infrastructure service providers in the network.
Yes, I would expect the privacy would increase by some degree with more users, but I don't know by how much.
Although I will be using the technology in future projects, so Mycoria will benefit from that.
See https://github.com/mycoria/mycoria/blob/master/m/geo_marker....
In the future, non-routable private addresses will solve that for users that require it.
A rationale/comparison section on the front page would be nice.
I would have thought libp2p is library enough to not be comparable. Am I wrong?
Mycoria is a ready-to-run software.
I eventually figured out how to do it but decided not to use the library. However, there is still a real need for an easy to use p2p library for Go that can do some NAT traversal. It's a real pity that the developer of github.com/perlin-network/noise stopped working on it.
But to be honest, the web3 / blockchain vibes are an instant turn off.
(Let's see how the votes turn out for this comment. ;) )
Note: If you _need_ a blockchain in your VPN, I would say https://nym.com/ is the most trustworthy of them out there at the moment.
There's a whole space of what's known as "dVPNs". I like the concept behind saurik et al's https://orchid.com/vpn; it was specifically marketed as a Tor replacement (with built-in micropayments): https://news.ycombinator.com/item?id=15576457
When accessing a website on mycoria, you open a URL like this that first creates the mapping and then forwards you to it: http://router.myco/open/speedtest.de.myco/fd13:6239:a07a:eb4...
Will read through it later! Thanks!
Tailscale has central policies. Mycoria is more like a collective where you can offer services to everyone else within the network.
> fd1f:2cf7:903:b50b:e4cb:5c4c:270e:360c
> This does not merely look like an IPv6 address, it is one. But it's also more than that: These addresses are generated by first creating a public/private key pair and then hashing the public key. This means, this IPv6 address is also the fingerprint of the public key of the router
> This way you can distribute both the Mycoria address of a router and its public key with a single data point: An IPv6 address.
What?
* Then how does a computer figure out how to ping that?
* You say it's distributing both the address and the public key with a single data point, but you're hashing it. So, you can restore the public key from the IP if you already know the public key, does everyone store every public key that's currently in use? Are there central stores somewhere that are eventually consistent?
There is no central store. This is done on the fly.
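The quoted passage says the IPv6 address is a hash of the router's public key, and the reply says there is no central store because the binding is checked on the fly. What that check looks like, as an added Go example (not Mycoria's code; the exact hash construction and the fd00::/8 prefix handling are assumptions for this illustration, and the challenge/signature exchange is a generic pattern, not Mycoria's handshake): a peer presents its public key, the verifier recomputes the address from it and compares, then checks a signature over a fresh challenge so that knowing someone's public key is not enough to claim their address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/netip"
)

// AddressFromPublicKey derives a ULA-style IPv6 address from a public key.
// Constructed scheme for this example: SHA-256 over the key, first 16 bytes,
// first byte forced to 0xfd so the result sits in fd00::/8. Mycoria's real
// derivation is not shown on the page and may differ.
func AddressFromPublicKey(pub ed25519.PublicKey) netip.Addr {
	sum := sha256.Sum256(pub)
	var raw [16]byte
	copy(raw[:], sum[:16])
	raw[0] = 0xfd
	return netip.AddrFrom16(raw)
}

// VerifyAddress checks that a presented public key really hashes to the
// address the peer claims. This is what makes "the address is the
// fingerprint" work without a directory: the key is validated on the fly.
func VerifyAddress(addr netip.Addr, pub ed25519.PublicKey) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	got := addr.As16()
	want := AddressFromPublicKey(pub).As16()
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

// AuthenticatePeer ties the two halves together: the peer sends its public
// key plus a signature over a challenge we chose. A key that hashes to the
// address but cannot sign proves nothing; a valid signature under a key that
// does not hash to the address is an impersonation attempt. Both are rejected.
func AuthenticatePeer(claimed netip.Addr, pub ed25519.PublicKey, challenge, sig []byte) bool {
	if !VerifyAddress(claimed, pub) {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	addr := AddressFromPublicKey(pub)
	fmt.Println("router address:", addr)

	// The verifier picks a fresh random challenge per handshake.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, challenge)
	fmt.Println("genuine peer accepted:", AuthenticatePeer(addr, pub, challenge, sig))

	// An impostor with its own key cannot produce a key that hashes to addr.
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("impostor accepted:", AuthenticatePeer(addr, otherPub, challenge, ed25519.Sign(otherPriv, challenge)))
}
```

Because the first address byte is fixed, only 120 bits of the hash bind the key to the address; what matters for impersonation is second-preimage resistance of that truncated hash, which at 120 bits is still far outside practical reach. The constant-time compare is cheap insurance against timing differences in the address check.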
Thanks!
Mycoria focuses more on scalability, but still has some privacy focus.
This does generally mean no anonymity (and limited privacy)…
But ultimately I always feel uneasy and reluctant to get involved in general decentralized type things as I feel like I'll just be facilitating people sharing/distributing kiddie porn.
At least with Tailscale things are "private", but with this it feels like I would be part of the wider network. Will I be using my nodes to help route CP traffic?
Good luck, Mr. Big Brother!
The Internet should never have been invented, then, right? Same with letters, Facebook, cars, guns, knives, farming, ...