Show HN: Netrinos – A keep it simple Mesh VPN for small teams
netrinos.com52 points by pcarroll 3 days ago
52 points by pcarroll 3 days ago
I'm the founder at Netrinos. I built a WireGuard-based mesh VPN because remote access has always been a pain. After years of SSH tunnels, IPsec headaches, and the ssh log horror movie, I wanted something simpler: install, sign in, get work done.
Netrinos creates a LAN-like overlay network across your devices. Connections are direct P2P via WireGuard, with no central server routing traffic. Each device gets a stable IP and DNS name (pc.you.netrinos.com). When direct connections fail, they fall back to a relay server that's still encrypted end-to-end. We can't see your traffic.
The most challenging problem to solve was NAT traversal. UDP hole punching works most of the time. The rest is a cocktail of symmetric NAT, CGNAT, and serial NATs. We use STUN-style discovery and relay fallback for the edge cases. I was surprised by how unreliable low-end ISP routers really are, and how much technical wizardry it takes to hide that behind a clean, simple UX.
Our stack is a Go backend for client and server, WireGuard kernel mode for Linux and Windows (macOS is userspace), Wails.io for cross-platform UI. WireGuard does all the heavy lifting. Go ties it all together.
Popular use cases include: RDP to home PCs, accessing NAS without exposing it, and SSH into headless Linux boxes. One customer manages hundreds of IoT devices in the field, eliminating the need to deal with customer routers.
We just released Pro with multi-user, access control, and remote gateway routing. Personal is free (up to 100 devices).
I'd love to hear what you expect from a simple mesh VPN, what's missing from current tools, and what's lacking from your remote access setup. Use code HNPRO26 for a 30-day trial of Pro.
https://netrinos.com
The "No IT Department" part of your marketing immediately turns me off because that's actively encouraging "shadow IT". We all get that sometimes companies have IT policies which are outdated and get in the way, but that's a problem for someone up the chain to solve. A team or department deciding to just start doing their own thing with something like this which isn't managed by or even known about by the official company IT is at best a path to future problems if not an immediate compliance problem. Compliance, "up the chain", "department", "the official company IT", etc... These are all things that the target audience either doesn't have, or doesn't want. If the above words are important to you, then you're probably not in the target market. What's the main differentiator between Tailscale and Netrinos? Edit: Just found this post https://netrinos.com/blog/tailscale-alternatives-2025, so it looks like main differentiator is pricing right now. One's banned in my hostel because of a stupid sysadmin. One isn't. Would you mind revealing which one is banned? I wonder what they are using to make that determination. Not allowing random VPN connections on a LAN is pretty standard. I've been surprised at how many people here are able to use tailscale and the like. Guessing it's just because there are likely smaller teams here that don't have any kind of managed network. Someone is making your IT team do extra work without a good understanding of their systems if they're banning tailscale or granting special network level access thinking that ip or mac address based profiling is secure. Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.) If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on. Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security. Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly. And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation. Smaller teams, yes, but also it seems as though the SaaS explosion has led to many enterprises significantly relaxing the "hardness" of their network boundaries, at least when it comes to integration with companies whose services they depend on. I've seen Tailscale and tools like ngrok being approved to get into large enterprises who you might think wouldn't allow it. Some of these enterprises will set up a bastion in a DMZ to control that, but I've been surprised by how many don't do that. That relaxation tends to have ripple effects - once you allow tunneling tools in for one purpose - like SaaS integration - then it becomes more normalized and people start using it for other purposes. I really like your fair differentiation and feature comparison vs Tailscale, netbird etc. Love to see the ecosystem of wireguard based services growing into different business segments, i.e. you targeting SMBs/small teams. Not for me, but legitimate use case and product :) >We use STUN-style discovery and relay fallback How does your relay compare to Tailscale's (DERP)? Can anyone explain to me (someone not so network security savvy) if there are any privacy or security concerns using a wire guard provider like this? As I understand it, with traditional VPNs, you basically have to trust third-party audits to verify the VPN isn't logging all traffic and selling it. Does the WireGuard protocol address theses issues? Or is there still the same risk as a more traditional VPN provider? This is not providing the same functionality as a "traditional VPN," in the sense that it does not do anything to your traffic going to the wider internet. With popular VPN services, they are an encrypted tunnel for all your internet traffic (some use the same protocol, WireGuard), but at the end of the tunnel they decrypt the message and send it to whatever website you requested, which is exactly what can cause those privacy issues you describe. In this case, though, it creates an encrypted tunnel _only between your own devices_. This allows you to connect to all your devices, home desktop, phone, laptop, as if they were on the same network, allowing you to do fairly sensitive things like remote desktop without having to expose your machine to the public internet or deal with firewall rules in the same way. Assuming this project is legitimate, then the only traffic this service would even touch would be those between your own devices, nothing related to public internet requests. And, on top of that, the requests should be encrypted the entire way, inaccessible to any devices other than the ones sending and receiving the requests. There are many caveats and asterisks I could add, but I think that's a fairly straightforward summary. Naive question here: with WireGuard VPN, does all traffic route through the VPN or only those packets bound for the other devices in the mesh? WireGuard itself can be configured to work either way. Our target market is smaller teams and people with limited IT skills. So, we chose not to send all traffic through the vpn. The only traffic going through the VPN is traffic to and from your other devices (in your account). Internet access is still through your default network. In the Pro version, you can route specific destinations through other peers, also belonging to you. An example use case here would be accessing your web banking while on vacation in a distant country. You would route your bank website through your home connection. Similarly, our access control is only restricting traffic that comes from your devices on the wireguard network. We do not interfere with the settings of your own personal firewall. The GitHub link on your website is 404 (https://github.com/netrinosnetwork) Yep. Stating Github and providing a non existent Github link is a serious redflag which brings trust issues. Either provide the Github (for whatever reasons) or remove the link from your website. I am assuming it is closed source. Personally I don't trust new VPN solutions without published source code! Alternatives: Tailscale with Headscale or better Self-hosted Netbird if one is a itty-bitty IT savvy. Netbird (self-hosted) offers a lot lot more with the self-hosted solution.
- SSO
- Independent networks
- Superb policies / ACLs
- Keybased onboarding
- auto-expiration and a lot more like integrations and what not! Tough to beat the Netbird Open source offering if one tends to spent a little time and effort (though not everyone's cup of coffee!) Such can look at tailscale's offering since the free version of Tailscale offers more than what is offered here and all the client applications are open source and constantly updated. If pricing is going to the only difference, (at a high level, everything under the hood looks similar - wireguard based, zero config, p2p mesh, port forwarding etc etc.,) bring a lot more trust by offering an open source version like others. Seems similar in purpose to https://vpncloud.ddswd.de/ (above is very easy to use and works very well w/ my experience) Only downsides are no mobile support & seems to be somewhat abandoned I use Twingate both for personal use (my home) and to access AWS EC2 servers (no public ips) and really love it. Very polished, easy setup. How does Netrinos compare? Full disclaimer: huge Linux fanboy here. Not really related to the product itself, but your landing page design looks close to the official Microsoft style which I dont have the best memories of.. It might be intentional to show the "seamless integration" to Windows users but my penguin loving soul got scared! Thanks for that feedback. I share your feelings about Linux. It never occurred to us that it would be reminiscent of old MS days. We were going for "clean and uncluttered". If it makes you feel better, all core development for Netrinos is done on Linux. Then, the code is adapted to work on macOS and Windows. Almost all of the code is cross-platform, including the UI. Only the implementation details are platform specific. e.g. Linux uses nftables. MacOS uses pfctl. Windows, we had to write our own packet filter to avoid touching the often misconfigured Windows Firewall.
wolrah - an hour ago
boplicity - an hour ago
dewey - 4 hours ago
sh3rl0ck - 2 hours ago
pcarroll - 2 hours ago
bongodongobob - 2 hours ago
observationist - an hour ago
panarky - 7 minutes ago
antonvs - an hour ago
felixg3 - 4 hours ago
focusgroup0 - 19 minutes ago
ImPleadThe5th - an hour ago
jscd - 22 minutes ago
ImPleadThe5th - an hour ago
pcarroll - 10 minutes ago
tjfl - 3 hours ago
indianmouse - 2 hours ago
nickorlow - 3 hours ago
nickorlow - 3 hours ago
nodesocket - 38 minutes ago
Can_K - 3 hours ago
pcarroll - 2 hours ago