Show HN: Netrinos – A keep it simple Mesh VPN for small teams (netrinos.com)

93 points by pcarroll ↗ HN
I'm the founder at Netrinos. I built a WireGuard-based mesh VPN because remote access has always been a pain. After years of SSH tunnels, IPsec headaches, and the ssh log horror movie, I wanted something simpler: install, sign in, get work done.

Netrinos creates a LAN-like overlay network across your devices. Connections are direct P2P via WireGuard, with no central server routing traffic. Each device gets a stable IP and DNS name (pc.you.netrinos.com). When direct connections fail, they fall back to a relay server that's still encrypted end-to-end. We can't see your traffic.

The most challenging problem to solve was NAT traversal. UDP hole punching works most of the time. The rest is a cocktail of symmetric NAT, CGNAT, and serial NATs. We use STUN-style discovery and relay fallback for the edge cases. I was surprised by how unreliable low-end ISP routers really are, and how much technical wizardry it takes to hide that behind a clean, simple UX.

Our stack is a Go backend for client and server, WireGuard kernel mode for Linux and Windows (macOS is userspace), Wails.io for cross-platform UI. WireGuard does all the heavy lifting. Go ties it all together.

Popular use cases include: RDP to home PCs, accessing NAS without exposing it, and SSH into headless Linux boxes. One customer manages hundreds of IoT devices in the field, eliminating the need to deal with customer routers.

We just released Pro with multi-user, access control, and remote gateway routing. Personal is free (up to 100 devices).

I'd love to hear what you expect from a simple mesh VPN, what's missing from current tools, and what's lacking from your remote access setup. Use code HNPRO26 for a 30-day trial of Pro.

https://netrinos.com

23 comments

[ 3.5 ms ] story [ 48.4 ms ] thread
I really like your fair differentiation and feature comparison vs Tailscale, netbird etc.

Love to see the ecosystem of wireguard based services growing into different business segments, i.e. you targeting SMBs/small teams.

Not for me, but legitimate use case and product :)

Full disclaimer: huge Linux fanboy here.

Not really related to the product itself, but your landing page design looks close to the official Microsoft style which I dont have the best memories of..

It might be intentional to show the "seamless integration" to Windows users but my penguin loving soul got scared!

The "No IT Department" part of your marketing immediately turns me off because that's actively encouraging "shadow IT".

We all get that sometimes companies have IT policies which are outdated and get in the way, but that's a problem for someone up the chain to solve. A team or department deciding to just start doing their own thing with something like this which isn't managed by or even known about by the official company IT is at best a path to future problems if not an immediate compliance problem.

Can anyone explain to me (someone not so network security savvy) if there are any privacy or security concerns using a wire guard provider like this?

As I understand it, with traditional VPNs, you basically have to trust third-party audits to verify the VPN isn't logging all traffic and selling it. Does the WireGuard protocol address theses issues? Or is there still the same risk as a more traditional VPN provider?

Naive question here: with WireGuard VPN, does all traffic route through the VPN or only those packets bound for the other devices in the mesh?
I use Twingate both for personal use (my home) and to access AWS EC2 servers (no public ips) and really love it. Very polished, easy setup. How does Netrinos compare?
>We use STUN-style discovery and relay fallback

How does your relay compare to Tailscale's (DERP)?

We implement STUN and TURN functionality natively in WireGuard rather than using separate protocols.

Netrinos uses a central rendezvous server that participates in WireGuard handshakes solely to collect your devices' public endpoints and share that information with your other devices. When a device roams to a new location, the server learns the new endpoint and updates the other devices in your account.

When direct P2P fails, Netrinos connections fall back to a relay server. The relay is a WireGuard peer, but it can only relay traffic between peers in your account. All customer accounts are strictly firewalled from each other.

If you want more control, you can enable a device in your account as a relay server with a checkbox in the app. This could be a home PC with a stable connection or a low-cost cloud server.

Well, I wish you the best with this - but I really don't understand the target market.

The obvious competitor here is Tailscale. But let's say, reasons, and Tailscale isn't an option. Then you go down the path... TwinGate, Teleport, Netbird, Pomerium, Netmaker, ZeroTier, etc...

Even the initial pricing and free tier are you're up against are going to mostly be a deal breaker compared to what's out there.

Trusting a VPN provider is a lot. If you're running the control plane - why should I trust Netrinos?

Yeah not owning the control plane is why I don't use tailscale. I might use headscale at some point but for now I'm covered anyway :) and I don't like my control plane exposed to the internet even if it's self hosted. So I went for something else.
Any plans for Exit Node capability (traditional egress VPN)?
I only use Tailscale for two features - one is having every machine on the network use a logical name of the pattern {projectname}-{environment} ie: `ssh me@hn-prd` and the other is exit nodes. I couldn't work out from your site if either of these two things is doable here.
Is there something like tailgate (or this) with only cli (I much dislike tailgate gui stuff on mac/win, on mobile its kind of needed) and you own small connection gateway on your own vps? I know tailgate has an open source implementation but I could not get that working while bored at the airport so that's not simple enough (the thing is enormous as well while it should just 'handshake' and that's it right?).
Netrinos can be entirely cli on all 3 platforms.

If you install the OpenSSH server on Windows, you can manage Netrinos in a terminal, just like on Linux or Mac. e.g.

https://netrinos.com/cdn/images/screens/windows-terminal.png

https://netrinos.com/cdn/images/screens/linux-terminal.png

On a trip to Europe last year, I tried it from the Air Canada in-flight WiFi somewhere over Iceland. I was able to RDP to my desktop at home, then RDP right back to my laptop on the plane. Performance wasn't great. And it's not a terribly useful use case. But it did work.

Wireguard deserves a lot of credit there. No ports were opened on my home end. And who knows what the plane has for NAT.

Thanks to everybody who participated. This has been an excellent discussion and has resulted in some interesting ideas to pursue.