Networking

Meet Net

A zero-config WireGuard mesh networking platform that connects your devices, servers, and cloud instances into a secure private network. No port forwarding, no firewall rules, no VPN gateways — just instant encrypted connectivity between everything you own.

# Install and join your mesh
$ koder-net up --login-server https://net.koder.dev

# Your device is now connected
$ koder-net status
laptop 100.64.0.1 connected 2ms
server-01 100.64.0.2 connected 8ms
pi-home 100.64.0.3 connected 14ms

# SSH directly — no port forwarding needed
$ ssh user@server-01

# Share a subnet
$ koder-net route add 192.168.1.0/24

Features

Everything you need, built from the ground up.

Zero-Config Mesh

Install the agent, authenticate, and your device joins the mesh. Automatic peer discovery, NAT traversal, and key rotation with no manual configuration.

WireGuard-Based

Built on WireGuard for kernel-level encryption at wire speed. Minimal attack surface with state-of-the-art cryptography (ChaCha20, Curve25519, BLAKE2s).

Subnet Routing

Expose entire subnets through gateway nodes. Connect on-premise networks, cloud VPCs, and Kubernetes clusters without complex VPN tunnels.

Access Control Lists

Fine-grained network policies define who can reach what. Tag-based ACLs, user groups, and port-level rules enforced at every node.

Exit Nodes

Route internet traffic through any node in your mesh for secure browsing, geo-shifting, or centralized egress through your corporate network.

MagicDNS

Automatic DNS for every device in your network. Access machines by name instead of IP. Split DNS for internal domains with public DNS fallback.

Network Setup

Create a mesh network and add devices in seconds.

  • Single command to join any device
  • Automatic NAT traversal via DERP relays
  • WireGuard keys generated and rotated automatically

# Create a new network
$ koder-net network create "production"

# Generate auth keys for automated enrollment
$ koder-net authkey create --reusable --ephemeral
tskey-auth-k3x7f...

# Join with auth key (e.g., in cloud-init)
$ koder-net up --authkey tskey-auth-k3x7f...

Access Control

Define who can access what with tag-based policies.

  • Tag devices by role (server, dev, staging)
  • Port-level access rules
  • Policy-as-code in JSON or HCL

// acl.json — network policy
{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:dev"],
      "dst": ["tag:staging:*"]
    },
    {
      "action": "accept",
      "src": ["tag:server"],
      "dst": ["tag:server:443,8080"]
    }
  ]
}
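
A lint pass over the policy format above, as an added example that is not Koder Net's own code: it flags rules that open every port on a destination tag. It assumes destinations follow the tag:<name>:<ports> shape seen in the two rules shown; load_policy and lint are hypothetical names.

```python
import json
import re

# Constructed sample: the policy shown above, including its leading // comment.
ACL_TEXT = """
// acl.json: network policy
{
  "acls": [
    {"action": "accept", "src": ["tag:dev"], "dst": ["tag:staging:*"]},
    {"action": "accept", "src": ["tag:server"], "dst": ["tag:server:443,8080"]}
  ]
}
"""

# Assumed grammar, inferred from the two rules above: tag:<name>:<ports>,
# where <ports> is "*" or a comma-separated list of port numbers.
DST_RE = re.compile(r"^tag:([A-Za-z0-9_-]+):(\*|\d+(?:,\d+)*)$")


def load_policy(text):
    """Drop whole-line // comments (not valid JSON), then parse."""
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("//")
    )
    return json.loads(body)


def lint(policy):
    """Return (rule_index, destination, message) for each finding."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        for dst in rule.get("dst", []):
            m = DST_RE.match(dst)
            if m is None:
                findings.append((i, dst, "destination does not match tag:<name>:<ports>"))
                continue
            ports = m.group(2)
            if ports == "*":
                # Wildcard ports: every service on the tagged hosts is reachable.
                findings.append((i, dst, "all ports open to " + ", ".join(rule.get("src", []))))
            elif any(not 1 <= int(p) <= 65535 for p in ports.split(",")):
                findings.append((i, dst, "port outside 1-65535"))
    return findings


if __name__ == "__main__":
    for idx, dst, msg in lint(load_policy(ACL_TEXT)):
        print(f"rule {idx}: {dst}: {msg}")
```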

Kubernetes Integration

Connect Kubernetes clusters to your mesh for cross-cluster service access.

  • Kubernetes operator for automatic node enrollment
  • Service mesh integration via sidecar or CNI
  • Cross-cluster service discovery

# Install Koder Net operator
$ kubectl apply -f https://net.koder.dev/k8s/operator.yaml

# Expose a service to the mesh
apiVersion: net.koder.dev/v1
kind: MeshService
metadata:
  name: api-gateway
spec:
  hostname: api.internal
  ports: [443, 8080]

How It Compares

See how Koder Net stacks up against the competition.

Feature  Koder Net  Tailscale  ZeroTier  Nebula  Netmaker  Cloudflare Tunnel
Self-hosted control plane  Partial  Partial
WireGuard-based encryption
Zero-config NAT traversal  Partial
Subnet routing  Partial
ACL / network policies  Partial
MagicDNS / auto DNS
Kubernetes operator
No vendor lock-in  Partial

Frequently Asked Questions

Koder Net is fully self-hosted with no dependency on external coordination servers. You own the control plane, the DERP relays, and all metadata. It also integrates natively with the Koder ecosystem (Koder Auth for SSO, Koder DNS for split DNS, Koder Observability for monitoring).

Yes. Koder Net uses DERP relays for NAT traversal and can fall back to HTTPS-based tunneling (port 443) to punch through even the most restrictive firewalls. Direct WireGuard connections are established whenever possible for optimal performance.

There is no hard limit. The self-hosted control plane has been tested with 10,000+ devices. WireGuard's lightweight protocol means each peer adds minimal overhead.

Yes. Deploy a gateway node in each network and advertise subnet routes. Traffic between VPCs and on-premise networks flows through encrypted WireGuard tunnels without complex VPN gateway configurations.

Yes. All traffic between mesh nodes is encrypted with WireGuard using ChaCha20-Poly1305. Keys are automatically generated, distributed, and rotated. There is no unencrypted fallback.
