Rayfish, Peer-to-peer mesh VPN with no server to trust

https://rayfish.xyz/blog/01-introducing-rayfish
37•captain_dfx•4d ago

Comments

captain_dfx•4d ago
Hi HN, we built Rayfish, a peer-to-peer mesh VPN written in Rust on top of iroh.

The core idea: every node has a keypair, and its identity on the network is that public key. From the key we derive a stable IPv4 in 100.64.0.0/10 and a stable IPv6 in 200::/7, similar in spirit to yggdrasil. Those addresses are yours for as long as you hold the key, and they don't change when you move networks or your physical IP changes. You still reach peers by IP or by a name.ray DNS name, the difference is that the address comes from the identity rather than from where you happen to be.

"No server to trust" is the part we care about most. There is no central control plane that brokers your traffic or holds the keys to your network. Peers find each other and connect directly over iroh's QUIC stack, with NAT traversal, hole punching, and relay fallback handled underneath. Relays, when used, only forward encrypted packets and never see your keys or decide who is in your network. Membership and trust live with the peers, not with us.

How it works in practice:

- Networks are closed by default. You join with a one-time invite, a reusable key for fleets of servers, or live approval from a member already inside. The room id is only for discovery, it is never an admission credential.
- Any member can be granted the network key and act as a coordinator, so admitting new peers keeps working even if the original creator is offline.
- There is a per-device firewall, directional and scoped by port and protocol, plus Magic DNS so you can reach nodes at name.ray (or just name, no need for the .ray suffix).
- A "ray connect" flow links two people directly with no shared room, like a friend request between keys.
- No ACLs. Networks are logical partitions. Firewall is per-host. You can combine both to have custom ACLs.

It is a single binary with a daemon and a CLI. `ray up`, then `ray create` or `ray join <invite>`, and you have a private network.

Honest limitations: it is early. The mesh protocol is gated at the transport layer, so we break compatibility between releases when we need to. There has been no third-party security audit yet. Mobile is not there. It runs on Linux and macOS today.

Code: https://github.com/rayfish/rayfish

Happy to get into the addressing scheme, the iroh transport, the admission and coordinator model, or anything else.

Retr0id•1h ago
With IPv6 it's plausible that you can avoid collisions as long as you use an expensive hash function, but for v4 how do you avoid IP collisions?

With only 22 bits of entropy in your v4 addresses, you'll get accidental collisions with only ~2000 users.
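
Added example, not part of the thread or of Rayfish's code: the birthday-bound arithmetic behind the comment above, for the 22 host bits of 100.64.0.0/10 and the 121 host bits of 200::/7. It assumes addresses are spread uniformly over those bits; the function names and the bit-masking derivation are illustrative assumptions, since the page does not say how Rayfish maps keys to addresses.

```rust
use std::net::Ipv4Addr;

const V4_HOST_BITS: u32 = 22; // 100.64.0.0/10 leaves 32 - 10 host bits
const V6_HOST_BITS: u32 = 121; // 200::/7 leaves 128 - 7 host bits
const CGNAT_BASE: u32 = 0x6440_0000; // 100.64.0.0

/// Assumed derivation (not from the page): the low 22 bits of a hash of the
/// public key select the host part inside 100.64.0.0/10.
fn addr_from_hash_bits(bits: u32) -> Ipv4Addr {
    Ipv4Addr::from(CGNAT_BASE | (bits & ((1u32 << V4_HOST_BITS) - 1)))
}

/// Exact probability that at least two of `n` uniformly distributed nodes
/// share an address in a space of 2^host_bits addresses.
fn collision_probability(n: u64, host_bits: u32) -> f64 {
    let space = 2f64.powi(host_bits as i32);
    if n as f64 > space {
        return 1.0; // pigeonhole: more nodes than addresses
    }
    // ln P(no collision) = sum over i in 1..n of ln(1 - i/space)
    let log_unique: f64 = (1..n).map(|i| (-(i as f64) / space).ln_1p()).sum();
    -log_unique.exp_m1() // 1 - e^x without losing tiny probabilities
}

/// Smallest node count whose collision probability reaches `target` (0 < target < 1).
fn nodes_for_probability(target: f64, host_bits: u32) -> u64 {
    let space = 2f64.powi(host_bits as i32);
    let (mut log_unique, mut n) = (0.0f64, 1u64);
    while -log_unique.exp_m1() < target {
        log_unique += (-(n as f64) / space).ln_1p();
        n += 1;
    }
    n
}

fn main() {
    println!("example address: {}", addr_from_hash_bits(0x0012_3456));
    println!("P(collision), 2000 nodes, v4: {:.3}", collision_probability(2000, V4_HOST_BITS));
    println!("nodes for 50% collision, v4: {}", nodes_for_probability(0.5, V4_HOST_BITS));
    println!("P(collision), 1e6 nodes, v6: {:e}", collision_probability(1_000_000, V6_HOST_BITS));
}
```
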

tom1337890•1h ago
Great work. I'm currently using tailscale and would love to have another option! Hosting my own iroh-relay makes it truly independent then. Only missing the mobile app now! Keep up the good work!
sillyfluke•50m ago
If you have any previous experience in this domain and/or other relevant credentials it would help to mention them here as well.
applfanboysbgon•47m ago
> Honest [...]

> Happy to get into the addressing scheme

I truly loathe how all of the HN spambots promoting shovelware include a stupid call-to-action for feedback/discussion.

aftbit•8m ago
> Happy to get into ...

No reply to various questions an hour later. I guess they're not really watching.

mac-monet•34m ago
Hey, thanks for sharing this, this is a very cool project and one that is the obvious next step with iroh. I'm curious if you plan to make it into a library to be used, or you intend to keep it solely as an application?
someonebaggy•4d ago
I don't know why your post was autoflagged but what makes your product unique from the rest?
kamranjon•53m ago
This is very cool - I will likely see if I can use it in place of tailscale for my local LLM hosting. I feel like not having that required login would be great. Also the direct connect feature seems pretty cool, since that’s usually all I need for my use case.
whywhywhywhy•50m ago
Having an install script that you paste into the terminal and all it does is download a binary and stick it in a folder is wild.

If your users are savvy enough to be running random scripts they shouldn't need a script to do this and if they're not savvy enough to understand how to do that then the last thing they should be doing on earth is running a random terminal command off a website.

atrettel•26m ago
I still have no comprehension of how curl piped into a shell command has become the default installation method for many projects (looking at you, Rust...). It breaks my brain as to how potentially unsafe it is.
barnabee•21m ago
Everyone’s eventually going to run a binary they downloaded from the same place, if you’ve already decided to do that, why is a curled install script worse?
yubblegum•7m ago
Because it normalizes a practice that, while acceptable in context of a well known project with numerous dedicated eyeballs such as Rust language, is not a generally acceptable method of installing software.
da-x•19m ago
It's all about lowest friction + domain-name trust.

Depending on third party packaging (distribution-validated install) is much higher friction.

thomastjeffery
Fabricio20•38m ago
One thing I seem to struggle to understand is, a simple invite code system is showcased, but how does host Alice in one country know how to contact host Bob in another country with just the invite code? This seems to require a coordination server at least right, or does the invite embed some sort of information that'd allow Bob to directly reach Alice with just the invite code?
Yoofie•8m ago
Looks like no support for Windows :(
Avicebron•5m ago
> and membership is a signed record they each carry, not a question they ask a server.

Sigh..

I like the project though. It looks very similar to something I vibed up recently, must be in the air

•6m ago
It's because people are too obsessed with providing complete instructions to incorporate any package manager into their instructions.

What we are really missing is an explicit progression from new software to maintained packages across distribution. As it is, each distro expects each package to have a maintainer, and very few people actually want to do that across several distros just to release their software. Generally, the expectation is to instead just wait around for people to make and maintain those packages by virtue of their own interest in your software, but it takes a while, and discoverability isn't automatic.

jayd16•18m ago
What would be your preferred solution?
zuzululu•8m ago
so how did you install npm or docker?
mcsniff•6m ago
Using a package manager usually
