What is a P2P Mesh VPN?

ShadowNet represents a shift from traditional centralized VPN architectures to a decentralized, peer-to-peer (P2P) mesh topology. This section contrasts these approaches at a low technical level.

Hub-and-Spoke (Traditional)

In protocol terms, traffic from Node A to Node B is encapsulated and sent to a central Concentrator (C). C decapsulates, inspects routing tables, re-encapsulates, and forwards to B.

Latency(A→B) = Latency(A→C) + Latency(C→B) + Processing(C)
  • Bandwidth Bottleneck: Hub limits total network throughput.
  • Single Point of Failure: If Hub dies, network halts.
  • Hair-pinning: Traffic U-turns at the hub, wasting bandwidth.

Full Mesh (ShadowNet)

Nodes maintain a routing table of size `O(n)`, where `n` is the peer count. Traffic is sent directly to the destination's discovered public endpoint over UDP.

Latency(A→B) = Latency(Direct Path)
  • Linear Scaling: Capacity grows with node count.
  • Resilience: Control plane failure affects only *new* connections.
  • Data Sovereignty: No intermediate server touches data.

Architecture Deep Dive

The O(n²) Connection Problem

In a full mesh of `N` nodes, there are potentially `N*(N-1)/2` connections. Maintaining state for thousands of tunnels is resource-intensive. ShadowNet uses lazy loading: tunnels (WireGuard sessions) are, in general, initialized only when traffic is requested; currently, however, we still establish the full mesh eagerly for small networks.

Zero Trust

Identity is cryptographic (Public Key). IP addresses are ephemeral transport details.

Self-Healing

If a direct path fails, STUN/Discovery logic re-runs to find new endpoints.
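The three properties above (lazy tunnel setup, public keys as the only identity, and re-discovery after a path failure) as an added toy model, not ShadowNet's own code. `discover` and `transport` are hypothetical callbacks standing in for STUN/discovery and the UDP send; the endpoints are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

class PathDown(Exception):
    """Raised by the transport when the current direct path is unreachable."""

@dataclass
class MeshNode:
    pubkey: str
    discover: Callable[[str], Optional[str]]   # hypothetical STUN/discovery stand-in
    transport: Callable[[str, bytes], None]    # hypothetical UDP send stand-in
    peers: set = field(default_factory=set)    # known identities (public keys), O(n)
    tunnels: dict = field(default_factory=dict)  # pubkey -> endpoint, built on demand
    discoveries: int = 0                       # how many times discovery ran

    def add_peer(self, pubkey: str) -> None:
        self.peers.add(pubkey)  # no tunnel yet: lazy loading

    def _resolve(self, dst: str) -> str:
        """Run discovery for dst and record the learned endpoint."""
        self.discoveries += 1
        endpoint = self.discover(dst)
        if endpoint is None:
            raise LookupError(f"no endpoint discovered for {dst}")
        self.tunnels[dst] = endpoint
        return endpoint

    def send(self, dst: str, payload: bytes) -> str:
        """Send payload directly to dst; returns the endpoint actually used."""
        if dst not in self.peers:
            raise PermissionError("unknown public key: refusing to route")
        endpoint = self.tunnels.get(dst) or self._resolve(dst)
        try:
            self.transport(endpoint, payload)
        except PathDown:
            # Self-healing: the endpoint is ephemeral, the identity is not; re-discover.
            endpoint = self._resolve(dst)
            self.transport(endpoint, payload)
        return endpoint

def run_demo():
    endpoints = {"B": "203.0.113.10:51820", "C": "198.51.100.7:51820"}  # constructed
    dead = set()
    def discover(pk): return endpoints.get(pk)
    def transport(ep, data):
        if ep in dead: raise PathDown(ep)
    a = MeshNode("A", discover, transport)
    for pk in ("B", "C"): a.add_peer(pk)
    first = a.send("B", b"hello")          # tunnel to B set up on the first packet
    dead.add(first)                        # B's NAT mapping changes; old path dies
    endpoints["B"] = "203.0.113.10:40001"  # discovery now learns the new endpoint
    second = a.send("B", b"again")         # heals transparently on the same identity
    return first, second, len(a.tunnels), a.discoveries
```

Only the tunnel to B ever exists; C is known but never contacted, so no session state is kept for it.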

NAT Agnostic

Works behind residential routers, CGNAT (Carrier Grade NAT), and LTE mobile networks.