Why You Might Not Want a Mesh VPN

Posted by Alex Feiszli, published March 17, 2023

Disclaimer: I’m a creator of Netmaker, a mesh VPN platform.

Mesh VPNs are really cool. Think about a VPC in Amazon, a subnet in a data center, or your local LAN. These are groups of co-located devices that all talk to each other directly and securely.

Mesh VPNs are a lot like the LAN or VPC, but the devices can live anywhere. Imagine creating a private network of computers, servers, phones, and IoT devices scattered across the globe.

That’s why a lot of people choose Netmaker as their virtual networking platform: it creates mesh virtual networks using WireGuard, which is blazing fast compared to older stuff like OpenVPN or ZeroTier.

We’ve been working on Netmaker for about a year now, and in recent months we’ve gotten some queries from users who wanted less connectivity.

These users were setting up stuff like internet gateways or remote access to servers. In such scenarios, they had a bunch of devices that needed access to an endpoint, but didn’t want them all to access each other.

Hmmmm, we thought…yeah maybe that makes sense…they don’t want a hundred other devices to know how to reach their laptop while accessing a remote server. That does make sense.

Luckily, WireGuard is very flexible, and we were able to add in a new feature called “Point to Site” networks with relative ease. So what’s the difference? Think of a star topology, minus the relaying:

Every node in the network gets a single peer, the “hub.” In a star topology, this hub typically acts as a relay, and forwards traffic around the network. We already have a feature for that in Netmaker (it’s called…a relay).

In the point-to-site network, by contrast, that’s it: each node talks only to the hub, and nothing is forwarded on to other nodes. This becomes ideal for scenarios where you need to provide secure access to…

  • a single machine from a bunch of other machines
  • a subnet in a remote location from a bunch of other machines
  • a bunch of devices from one “bastion” machine
  • the internet from a bunch of devices

All of these can be achieved with a mesh network as well, and we’ve been supporting these patterns for a while. The difference is, with the point-to-site network, you don’t get all those extra, unnecessary connections in the process.

This can also be combined with an egress gateway (another Netmaker original) to provide access to a full remote network. So if you’ve got a server in AWS, it can act as a gateway into your VPC for a bunch of remote machines.
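To make the difference concrete, here is an added example (my own illustration, not Netmaker’s code) that models the WireGuard peer tables a full mesh and a point-to-site network would hand out, including the optional egress subnet behind the hub, and checks what each node can actually reach. Node names, addresses, the 172.31.0.0/16 egress subnet and the key strings are constructed placeholders.

```python
# Added example (not Netmaker's code): build the WireGuard peer tables for a
# full mesh and for a hub-only "point to site" network, then compare what each
# node can reach. Node names, addresses and keys are constructed placeholders.
from ipaddress import ip_address, ip_network

# Constructed sample network: one hub and three spokes on 10.10.0.0/24.
NODES = {"hub": "10.10.0.1", "laptop": "10.10.0.2",
         "phone": "10.10.0.3", "sensor": "10.10.0.4"}
KEYS = {n: f"<{n}-pubkey-placeholder>" for n in NODES}   # not real keys

def mesh_peers(nodes):
    """Full mesh: every node carries a [Peer] entry for every other node."""
    return {n: {p: [f"{a}/32"] for p, a in nodes.items() if p != n}
            for n in nodes}

def point_to_site_peers(nodes, hub, egress=None):
    """Hub carries one [Peer] per spoke; each spoke carries only the hub.
    No relaying: a spoke's AllowedIPs cover the hub (plus an optional egress
    subnet the hub routes into), never another spoke."""
    hub_routes = [f"{nodes[hub]}/32"] + ([egress] if egress else [])
    peers = {hub: {s: [f"{a}/32"] for s, a in nodes.items() if s != hub}}
    for s in nodes:
        if s != hub:
            peers[s] = {hub: hub_routes}
    return peers

def can_reach(peers, src, dst_addr):
    """WireGuard only sends to a peer whose AllowedIPs covers the destination."""
    return any(ip_address(dst_addr) in ip_network(cidr)
               for cidrs in peers[src].values() for cidr in cidrs)

def render_conf(node, nodes, peers, keys):
    """Render the wg-quick style config this node would receive."""
    out = ["[Interface]", f"Address = {nodes[node]}/24",
           "PrivateKey = <private-key-placeholder>", ""]
    for p, cidrs in peers[node].items():
        out += ["[Peer]", f"PublicKey = {keys[p]}",
                f"AllowedIPs = {', '.join(cidrs)}", ""]
    return "\n".join(out)

if __name__ == "__main__":
    mesh = mesh_peers(NODES)
    p2s = point_to_site_peers(NODES, "hub", egress="172.31.0.0/16")
    print("mesh peers per node:", {n: len(v) for n, v in mesh.items()})
    print("p2s  peers per node:", {n: len(v) for n, v in p2s.items()})
    print(render_conf("laptop", NODES, p2s, KEYS))
```

In the mesh every node ends up with three peers and can reach every other node; in the point-to-site build the laptop has a single peer and can reach the hub and the egress subnet, but not the phone or the sensor.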

So, in short, a mesh network is cool, really flexible, and gives you the access you need. However, you may get more access than you need with the mesh. In such cases, you might wanna go with something a little more…limited.
