VPNs do not allow you to connect two devices directly, they have to go through the VPN. They also do not allow you to connect devices that are not on the VPN. Iroh does P2P connections and punches holes through NATs when needed, so you can connect directly to devices on different networks that are behind firewalls.
From my VERY brief understanding: this is like if you want the hole-punching of a VPN, but your stuff is public, so not only do you not want all the security of a VPN, but it works against you. But I'm happy to be corrected!
You don't have to have it public. You can have your app gate against any auth method you like to implement on top. And you can have private relays to segregate your traffic and discovery depending on setup.
Modern VPNs based on wireguard can do direct connections with hole punching. It's just a lot more work to setup on your own, or you have to sign-up to a SaaS like tailscale and use their relays, and they'll do the hole punching for you.
Here this is a decentralized network with a lot of existing public relays. But in principle a VPN can solve a lot of the same problems. It's just that commercial VPNs are not decentralized, and doing your own wireguard setup is a pain.
This allows you to provide information to an arbitrary person (a friend/coworker/etc) to let them access the thing without them having to jump through all the extra hoops of joining your tailnet/them joining yours/adding a VPN/etc.
With Tailscale at least, you can pretty easily share a node with someone else. If your target audience are solo developers or hobbyists, making it even easier to share access is surely nice; from the perspective of someone in charge of making sure our company IT is balancing security and ease of networking, the literal last thing I want is making it easier to grant someone access.
There are policies defining who can talk to what; they are deployed from a GitHub repository with defined rules on who can modify them and who has to review them; there are zero scenarios where I want an alternative way of granting access to any device or service under our control.
Cisco Dynamic Multipoint VPN will start by connecting to a central VPN server and then learn the public IPs of endpoints and automatically create VPN tunnels to them. It can scale to thousands of endpoints.
VPNs do not allow you to connect two devices directly, they have to go through the VPN. They also do not allow you to connect devices that are not on the VPN. Iroh does P2P connections and punches holes through NATs when needed, so you can connect directly to devices on different networks that are behind firewalls.
From my VERY brief understanding: this is like if you want the hole-punching of a VPN, but your stuff is public, so not only do you not want all the security of a VPN, but it works against you. But I'm happy to be corrected!
You don't have to have it public. You can have your app gate against any auth method you like to implement on top. And you can have private relays to segregate your traffic and discovery depending on setup.
vpns typically add at least one hop. this has the possibility of connecting directly via hole punching
Modern VPNs based on wireguard can do direct connections with hole punching. It's just a lot more work to setup on your own, or you have to sign-up to a SaaS like tailscale and use their relays, and they'll do the hole punching for you.
Here this is a decentralized network with a lot of existing public relays. But in principle a VPN can solve a lot of the same problems. It's just that commercial VPNs are not decentralized, and doing your own wireguard setup is a pain.
Already possible with taiscale, netmaker, zerotier etc.
https://tailscale.com/blog/how-nat-traversal-works
But only for devices already on that tailnet.
This allows you to provide information to an arbitrary person (a friend/coworker/etc) to let them access the thing without them having to jump through all the extra hoops of joining your tailnet/them joining yours/adding a VPN/etc.
With Tailscale at least, you can pretty easily share a node with someone else. If your target audience are solo developers or hobbyists, making it even easier to share access is surely nice; from the perspective of someone in charge of making sure our company IT is balancing security and ease of networking, the literal last thing I want is making it easier to grant someone access.
There are policies defining who can talk to what; they are deployed from a GitHub repository with defined rules on who can modify them and who has to review them; there are zero scenarios where I want an alternative way of granting access to any device or service under our control.
but what exactly is the use case? I was responding to the nat traversal topic..
If I wanted to share something internal with a friend I would use ngrok or any of the million alternatives.
Anyway, this is exactly why my top-level comment says that this project needs a "versus" page in the docs.
Cisco Dynamic Multipoint VPN will start by connecting to a central VPN server and then learn the public IPs of endpoints and automatically create VPN tunnels to them. It can scale to thousands of endpoints.