Farewell to Meshnet

(nordvpn.com)

71 points | by eustoria 3 days ago

33 comments

  • Gormo 3 days ago

    There's definitely a lot of muddled up terminology here. What they're calling "mesh networking" here is really just VPN in the conventional sense, and what they're calling "VPN" is only a single feature of VPN, namely securely forwarding traffic through an intermediary server. Mesh networking is something else entirely; the "mesh networking" provider they link to as an alternative option doesn't even have the word "mesh" on their site.

    • 0x6c6f6c 3 days ago

      I'm not following what you're saying here at all.

      Meshnet is their peer-to-peer secure networking solution, not their conventional VPN solution. It allowed you to have multiple devices in your account directly communicate with one another, set a device as a gateway for routing network traffic of devices connected to Meshnet (basically making your own VPN server), send files directly between devices, and likely more I'm not aware of.

      It was essentially their Tailscale / ZeroTier offering, but in the opposite manner to Tailscale which added Mullvad integration to provide a more conventional VPN atop their mesh network.

      They are removing Meshnet, and the primary capabilities of NordVPN will be their global set of traditional VPN servers. Some of the features like P2P file transmission can be replaced by e.g. NordLocker albeit without P2P if I understand it correctly. But mesh networking is gone in December.

      • MadnessASAP 3 days ago

        Historically, VPN (Virtual Private Network) was a LAN-like network overlaid on the internet; devices could communicate with each other as if they were connected to the same network.

        One of the possible configurations you could have in such a setup is one or more gateways to the internet. Much like the gateway on a traditional LAN, traffic bound for the internet would first go to the gateway.

        In modern times, when people say VPN they're typically referring to a VPN with only a gateway and nothing else that all traffic gets routed through. NordVPN's Meshnet would be more similar to what a traditional VPN actually is, a means for separate devices to communicate as if they were local.

        As NordVPN correctly points out, this is not new, not what most people using their VPN service are looking for, and for those that are, they're better served elsewhere.

  • slipheen 3 days ago

    I did not realize they had ever offered this. I suppose that may be related to why it's shutting down.

    One potential alternative might be to investigate https://tailscale.com/mullvad. You can use tailscale for normal device->device routing, and add mullvad VPN as an optional outgoing ip gateway.

    • Lammy 3 days ago

      Tailscale spy on all of your traffic/behavior by default, so this isn't a great recommendation to people who used NordVPN for privacy reasons without the disclaimer that they will need to opt out of Tailscale's spying by setting a special environment variable on every single machine in their Tailnet: https://tailscale.com/kb/1011/log-mesh-traffic

      “Each Tailscale agent in your distributed network streams its logs to a central log server (at `log.tailscale.io`). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

      • neodymiumphish 2 days ago

        But Tailscale never sees the device keys, so what they obtain and log is, at best, metadata. They have no capacity to decrypt any Tailnet traffic.

        I'd be interested to know which competing services exist that DON'T do the exact same thing in order to evaluate issues reported by users or observed across multiple customer environments.

        ETA: Not that it's probative, but here's an example of how Tailscale wildly differs from other VPN/Mesh networks: https://www.linkedin.com/posts/apenwarr_zscaler-ceo-just-ann...

      • nirav72 3 days ago

        If you’re concerned about logs being sent by each node in a tailnet, then you’re better off just self-hosting your own tailscale control plane using headscale. You can run it as a container in a NAS.

        https://subnetsavy.com/wp-content/uploads/articles/headscale...

        • Lammy 3 days ago

          Self-hosting is cool and is what I already do for myself, but suggesting it is not relevant here because it's not feasible for a ton of people who might not even have one particular machine that can run 24/7 to self-host a control plane. Think about a person who has three laptops and two phones or whatever, where if any two of them are online they should be able to communicate over the mesh.

          The post I was replying to is suggesting paying-for-Tailscale-Mullvad-mesh as a substitute for paying-for-NordVPN-mesh to which I say “yes, but”. It is a total non-starter to try and push most people into “install all this software, register a domain, set up this TLS automation, write this Headscale config, know what the config keys mean†, keep this machine up 100% of the time, stay on top of updates, don't get haxx0red” compared to “install this app, log in, and enter your credit card details”.

          † Do you really expect the app-and-credit-card crowd (who are totally valid and deserve working mesh networking that doesn't spy on them!!) to know what even one of the keys in this config means? Really? https://github.com/juanfont/headscale/blob/main/config-examp...

    • LeoPanthera 3 days ago

      I wish Tailscale let you pay for one Mullvad exit node but then switch which device is using it. Right now it's tied to a single device.

      • PufPufPuf 3 days ago

        They say it's $5 for 5 devices on their page, and that it works as a Tailscale exit node... is that not true?

        • LeoPanthera 3 days ago

          Looks like you're right, you can add up to five devices for the same price.

          You still have to choose those devices in advance though.

          • placatedmayhem 3 days ago

            In advance, sort of. The devices can be swapped around at basically any time. There's a little lag for a device to get the config update enabling Mullvad on it IME, usually 30 seconds or so.

  • mantra2 3 days ago

    I always thought the feature sounded interesting - but - Nord just isn’t a company that screams trustworthy to me, so I never bothered to try it. I’d definitely never store my passwords with them. I’m surprised that’s not their least used feature.

    • bigiain 3 days ago

      > Nord just isn’t a company that screams trustworthy to me

      Same. Blanket advertising on half the YouTube channels I watch tips their reputation very much towards "meh". I have no clue if they're any better or worse than the average vpn company, but "the average vpn company" these days seems to be a super low bar - from things I read it seems they're mostly monetising by selling your privacy to data brokers or your internet bandwidth as "residential proxies" to ai copyright thieves.

      • mantra2 2 days ago

        Yeah - honestly - if it's not Mullvad or iVPN I'm out.

    • throwawaynovpn 3 days ago

      [dead]

  • joecool1029 3 days ago

    Not a subscriber but I read the comments and apparently they offered this service to non-subscribers as well? My guess was it was a nice loss-leader to attract new customers and they've decided they no longer need it (since signups are presumably skyrocketing with all the recent law changes).

    Don't know why they didn't just restrict it to paying subs or charge extra for it instead of getting rid of it, seems a stupid business decision that's going to cause lots of cancellations from subscribers that did use it and saw it as a differentiating feature from the competition.

    At least when mullvad nuked port forwarding they conveyed their reasoning quite clearly (they kept getting legal claims for people hosting illegal content or torrenting).

    • righthand 3 days ago

      Usually this means the product owner is disinterested or leaving the company.

  • ToucanLoucan 3 days ago

    I have to hard agree with a commenter from that article: I had no fucking idea NordVPN even had this feature, and as a fully self-admitted addict of video essays, I have seen a LOT of fucking NordVPN ads.

    It wouldn't make me buy it, I'm just not in the market, but that's an insane feature to just not advertise. And it's not surprising it never got much attention.

    • gear54rus 3 days ago

      To block NordVPN ads on youtube, use SponsorBlock extension - a crowdsourced database of malicious video segments.

      • ToucanLoucan 3 days ago

        I'm aware of it, but two things:

        - My primary avenue for YouTube vids is Apple TV, which is the ONLY reason I pay for premium

        - Honestly most of the creators I follow there make their ad reads entertaining enough that I'm not really bothered. I'm just emphasizing here I have heard a shit ton and a half of Nord ads, by a bunch of different creators, and I have NEVER heard of this feature. It's wild to me.

  • jrm4 3 days ago

    Once again, I'll both big-up and ask what's up with Tinc.

    As in, I've been using it for years and still do, it's sort of an integral part of my whole deal, but it also seems kind of unmaintained, I haven't checked on that.

    And it's not the easiest to set up, but it feels miles ahead of whatever the Wireguard equivalent is or isn't these days.

    • gsliepen 3 days ago

      Tinc unfortunately has a complete lack of maintainers with enough time to dedicate to it.

      Tinc 1.1 should make setting up easier; it has a CLI to set up and add nodes without having to manually edit config files. And you can generate invitation URLs which can make it even easier.

    • arjvik 3 days ago

      Can I ask, is Tinc supposed to be open-source-barebones-Tailscale? What are the benefits/drawbacks to a more hosted solution like Tailscale or even running one's own Headscale server?

      • jrm4 3 days ago

        Not sure; Tinc existed first.

        The point of Tinc is basically OpenVPN but automatically meshes and there is no such thing as a "main server?" Just get them all to find any of the others, and everyone's connected.

    • usr1106 3 days ago

      I had the impression tinc development had stalled. Would be glad to be corrected.

      • jrm4 a day ago

        Oh, so do I. But I wonder if it's just in that class of things like Openbox? There may just not be more to do. I'm still using it.

        • usr1106 14 hours ago

          I would be surprised. Bit rot is real. Security-critical software not touched for years is unlikely to be secure on a recent system.

    • alyandon 3 days ago

      I'd really like to see some combination of Tinc that manages the layer 2 mesh routing with wireguard underneath for the point to point tunnels.

  • jesprenj 3 days ago

    2025: A major VPN company stops offering Virtual Private Networks.

    • Arnavion 3 days ago

      They used to correctly call themselves proxies back in the day. They only started calling themselves "VPNs" because "Private Network" makes for good marketing with the "hide your traffic from snoopers" angle, even though it's not the kind of private network a VPN is.

    • jeffrallen 3 days ago

      ... so they can pivot to AI.