
An overlay VPN is a modern approach to secure networking that establishes encrypted communication channels between devices by creating a virtual network layer over existing internet infrastructure. Unlike traditional VPNs, which often rely on centralized gateways that can introduce latency and performance bottlenecks, overlay VPNs utilize a peer-to-peer model for direct communication between nodes.
Tailscale exemplifies this approach by combining the WireGuard protocol with a lightweight coordination layer. WireGuard handles the fast, authenticated encryption of traffic, while Tailscale's coordination server distributes the nodes' public keys (each node's private WireGuard key never leaves the device), facilitates device discovery, and brokers NAT traversal. This design removes the need for manual firewall rules or port forwarding, so devices connect even when they sit behind NAT or change IP address.
By using a mesh topology, overlay VPNs like Tailscale improve scalability and reliability. Devices connect directly whenever NAT traversal succeeds, which keeps latency low, and fall back to relays (Tailscale's DERP servers) when it does not. Tailscale's architecture also applies Zero Trust principles: each device authenticates independently, and all traffic is encrypted between the peers themselves.
Overlay VPNs are particularly well-suited for modern distributed systems, enabling secure connections across cloud environments, remote teams, and IoT deployments. This innovative design simplifies network management, minimizes maintenance overhead, and enhances the security posture of organizations.
So is VeilNet another overlay VPN?
The short answer is Yes and No.

Yes
Let’s review the topology of VeilNet. It shares much of the design of an overlay VPN:
- Both require a signaling server—the coordinator in Tailscale and the veil master in VeilNet.
- Both establish a mesh connection between endpoints.
- Both automatically handle the configuration for routing between endpoints.
Additionally, both overlay VPNs and VeilNet offer NAT traversal and site-to-site connectivity.
No
VeilNet differs from a regular overlay VPN in several ways:
- VeilNet is a software-defined network: in a regular overlay VPN, traffic between endpoints is routed by the route table of the WireGuard TUN interface, and that table holds one next hop per destination. Two endpoints that advertise a route to the same destination therefore conflict, so a given local network or an exit to the internet can be served by only one endpoint at any given time. In VeilNet, the Veil Master lets each rift decide dynamically which peer rift a packet should be forwarded to, so traffic towards the same destination, whether a local network or the internet, can be relayed through several rifts at the same time. Bandwidth then scales with the number of rifts you deploy, limited only by the compute you give them.
- VeilNet has a different trust model and more layers of encryption: in a regular overlay VPN the connectors reach each other over a WireGuard tunnel, a single layer of ChaCha20-Poly1305. Their public keys are exchanged through the coordination server; the private keys stay on the devices, but the coordination server decides which public keys every connector trusts, so a compromised coordination server can insert an attacker-controlled key into the network (Tailscale's Tailnet Lock exists to sign those key distributions for exactly this reason). VeilNet uses the Veil Master only to signal the WebRTC connections. Rift-to-rift traffic is carried on an encrypted WebRTC data channel, and on top of that the rifts agree on a key through CRYSTALS-Kyber-1024 (standardized as ML-KEM-1024 in FIPS 203), a post-quantum key encapsulation mechanism. Every packet is then encrypted with AES-256-GCM under that exchanged key and, in a second layer, under the domain secret as well!
- VeilNet also offers a strong degree of anonymity: the user's data first passes through the user-deployed Rift and then reaches the local or external network via a paired Rift, so every communication has at least three hops and the receiving side sees only the last Rift, never the user. Tracing a user's activity back along the path requires breaking into every rift on it, and because the key exchange is post-quantum, traffic recorded today cannot be decrypted later either. Furthermore, when a user visits the internet, the traffic is spread across multiple paired Rifts by the load-balancing algorithm, so a single TCP/UDP session is scattered over an unknown number of data paths and traffic analysis becomes far harder. One caveat applies to any relay network: an observer who can watch both the entry and the exit of the path still sees timing and volume, so the protection is against the receiver and any single hop rather than against a global passive adversary.
- VeilNet does not slow down your network: as explained above, VeilNet relays a user's traffic through multiple Rifts at the same time and scatters each TCP/UDP session across them. A side effect is that the bandwidth limiters of some Internet Service Providers (ISPs) stop biting when they are enforced per connection. 🙂 Your real connection is hidden inside several WebRTC connections, and together they exceed the capacity that one connection alone would be allowed (a cap applied to the whole subscriber line is unaffected).
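To make the single-next-hop versus multi-next-hop distinction from the first bullet concrete (and the session spraying the last bullet relies on), here is an added example in Go. It is not VeilNet's code: a longest-prefix-match route table whose entries can hold several rifts, spraying successive packets for one destination across the live rifts and skipping any rift that has gone down. The Rift and Table types, the round-robin policy, the CIDRs and the addresses are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sort"
)

// Rift is a relay endpoint in the mesh. The type and field names are this
// example's own assumptions, not VeilNet's API.
type Rift struct {
	Name  string
	Alive bool
}

// route maps one destination prefix to every rift that advertises it.
type route struct {
	prefix netip.Prefix
	rifts  []*Rift
	next   int // round-robin cursor for packet spraying
}

// Table is a longest-prefix-match table whose entries may hold several next
// hops, unlike a kernel route table with one next hop per prefix.
type Table struct {
	routes []*route
}

// AddRoute registers r as a next hop for cidr. A second rift for the same
// prefix is a conflict in a single-next-hop table; here it is an extra path.
func (t *Table) AddRoute(cidr string, r *Rift) error {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return err
	}
	for _, rt := range t.routes {
		if rt.prefix == prefix {
			rt.rifts = append(rt.rifts, r)
			return nil
		}
	}
	t.routes = append(t.routes, &route{prefix: prefix, rifts: []*Rift{r}})
	// Longest prefix first, so the first matching entry is the most specific.
	sort.SliceStable(t.routes, func(i, j int) bool {
		return t.routes[i].prefix.Bits() > t.routes[j].prefix.Bits()
	})
	return nil
}

// ErrNoRoute is returned when no live rift can reach the destination.
var ErrNoRoute = errors.New("no live rift for destination")

// NextHop chooses the rift for one packet: longest-prefix match, then
// round-robin over the live rifts of that entry, so consecutive packets of
// one session leave through different relays. Dead rifts are skipped, so
// losing a relay costs capacity rather than reachability.
func (t *Table) NextHop(dst netip.Addr) (*Rift, error) {
	for _, rt := range t.routes {
		if !rt.prefix.Contains(dst) {
			continue
		}
		for range rt.rifts {
			r := rt.rifts[rt.next%len(rt.rifts)]
			rt.next++
			if r.Alive {
				return r, nil
			}
		}
		return nil, ErrNoRoute
	}
	return nil, ErrNoRoute
}

// Spray routes n packets for dst and returns the rift chosen for each one.
func Spray(t *Table, dst string, n int) ([]string, error) {
	addr, err := netip.ParseAddr(dst)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, n)
	for i := 0; i < n; i++ {
		r, err := t.NextHop(addr)
		if err != nil {
			return names, err
		}
		names = append(names, r.Name)
	}
	return names, nil
}

func main() {
	exitA := &Rift{Name: "exit-a", Alive: true}
	exitB := &Rift{Name: "exit-b", Alive: true}
	lan := &Rift{Name: "lan-gw", Alive: true}
	t := &Table{}
	// Constructed topology: two rifts advertise an internet exit, one advertises the office LAN.
	for _, e := range []struct {
		cidr string
		rift *Rift
	}{{"0.0.0.0/0", exitA}, {"0.0.0.0/0", exitB}, {"10.0.0.0/8", lan}} {
		if err := t.AddRoute(e.cidr, e.rift); err != nil {
			panic(err)
		}
	}
	names, _ := Spray(t, "93.184.216.34", 4)
	fmt.Println("internet packets:", names)
	names, _ = Spray(t, "10.0.0.5", 2)
	fmt.Println("LAN packets:", names)
	exitB.Alive = false // one exit goes down; traffic keeps flowing through the other
	names, _ = Spray(t, "93.184.216.34", 3)
	fmt.Println("after exit-b failed:", names)
}
```

Per-packet spraying is what lets one session use the capacity of several rifts; the price is that the far end must tolerate reordering, which is why the page's own design pairs it with a rift that terminates the tunnel rather than handing raw packets to the destination.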
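The layered packet protection described in the security bullet above, as an added example in Go rather than VeilNet's own implementation: an ML-KEM-1024 handshake (Go's crypto/mlkem, available from Go 1.24) yields a session key, the shared domain secret yields a second key, and each packet is sealed with AES-256-GCM under both, with a sequence number as associated data so that a recorded packet cannot be replayed. The key-derivation labels, the wire format and the replay policy are this example's assumptions; the WebRTC data channel that would carry these packets is not simulated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// newAEAD derives a 32-byte AES-256 key as HMAC-SHA256(secret, label||0x01), a
// single-block HKDF-Expand that binds the secret to one purpose, and wraps it in
// AES-GCM with a random nonce prepended to each ciphertext (Go 1.24+).
// A 32-byte key cannot make either constructor fail, so an error here is a bug.
func newAEAD(secret []byte, label string) cipher.AEAD {
	m := hmac.New(sha256.New, secret)
	m.Write(append([]byte(label), 1))
	block, err := aes.NewCipher(m.Sum(nil))
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCMWithRandomNonce(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Session is one rift's state towards one peer: session AEAD from the KEM
// handshake, domain AEAD from the domain secret, and replay counters.
type Session struct {
	session, domain  cipher.AEAD
	sendSeq, recvSeq uint64
}

// Handshake runs ML-KEM-1024 between two rifts. The responder publishes its
// encapsulation key (ek.Bytes() is all the signaling server would relay), the
// initiator encapsulates a fresh secret and sends back only the KEM ciphertext,
// so neither a private key nor the session key crosses the wire. Both sides
// are assumed to hold domainSecret already.
func Handshake(domainSecret []byte) (initiator, responder *Session, err error) {
	dk, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, nil, err
	}
	sharedI, kemCT := dk.EncapsulationKey().Encapsulate()
	sharedR, err := dk.Decapsulate(kemCT)
	if err != nil {
		return nil, nil, err
	}
	domain := newAEAD(domainSecret, "veilnet-example/domain")
	return &Session{session: newAEAD(sharedI, "veilnet-example/session"), domain: domain},
		&Session{session: newAEAD(sharedR, "veilnet-example/session"), domain: domain}, nil
}

// Seal wraps one packet twice: inner AES-256-GCM under the domain key, then
// outer AES-256-GCM under the session key with the sequence number as AAD.
// Wire format: seq(8) || outerNonce(12) || outerCT(innerNonce(12) || innerCT).
func (s *Session) Seal(plaintext []byte) []byte {
	inner := s.domain.Seal(nil, nil, plaintext, nil)
	seq := binary.BigEndian.AppendUint64(nil, s.sendSeq)
	s.sendSeq++
	return s.session.Seal(seq, nil, inner, seq)
}

// ErrReplay marks an authenticated packet whose sequence number went backwards.
var ErrReplay = errors.New("packet sequence number not increasing")

// Open reverses Seal: authenticate and strip the outer layer, enforce the
// sequence number so a recorded packet cannot be replayed, then open the
// domain layer. A peer that holds the session key but not the domain secret
// (ML-KEM alone authenticates nobody) fails at that last step.
func (s *Session) Open(packet []byte) ([]byte, error) {
	if len(packet) < 8 {
		return nil, errors.New("packet too short")
	}
	seq, ct := packet[:8], packet[8:]
	inner, err := s.session.Open(nil, nil, ct, seq)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	n := binary.BigEndian.Uint64(seq)
	if n < s.recvSeq {
		return nil, ErrReplay
	}
	s.recvSeq = n + 1
	plaintext, err := s.domain.Open(nil, nil, inner, nil)
	if err != nil {
		return nil, fmt.Errorf("domain layer: %w", err)
	}
	return plaintext, nil
}

func main() {
	a, b, err := Handshake([]byte("constructed domain secret, example only"))
	if err != nil {
		panic(err)
	}
	pkt := a.Seal([]byte("GET / HTTP/1.1\r\n"))
	plain, err := b.Open(pkt)
	fmt.Printf("%d-byte packet -> %q (err=%v)\n", len(pkt), plain, err)
	_, err = b.Open(pkt)
	fmt.Println("replayed packet:", err)
}
```

The division of labour matters: the KEM gives each session a fresh, quantum-resistant key, but a bare KEM handshake authenticates nobody, so anyone who can fetch the encapsulation key from the signaling server could complete it. In this example it is the inner domain layer that proves the peer actually belongs to the domain; a deployment could equally sign the encapsulation keys, but one of the two is required.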