Have you struggled with sub-router configuration for dynamic networks in your infrastructure? Or hit scalability limits with existing overlay network solutions?
When you add a new pod to your Kubernetes cluster, WireGuard-based overlay VPNs need to update configuration files across all nodes. When you scale your multi-region infrastructure, every new subnet requires manual sub-router configuration—this is the reality of operating WireGuard-based mesh VPNs at scale.
I built VeilNet to solve this—a post-quantum secure overlay network that reduces mesh complexity from O(n^2) to O(n) by eliminating static configurations entirely.
This is not a critique of WireGuard or WireGuard-based overlay VPNs, but an explanation of how they no longer fit modern dynamic infrastructure.
WireGuard is excellent for point-to-point communication, but it becomes limiting when used as the foundation for mesh networks.
---
### 1. The core limitation: WireGuard is meant to be static
WireGuard's design is intentionally simple: static peer configuration files, pre-distributed keys, and explicit allowed networks. This makes it fast for P2P tunnels, but problematic for overlay networks, where every node must maintain correct configurations and the number of peer relationships scales as O(n^2).
WireGuard-based overlay VPNs compensate with centralized control planes that generate configurations dynamically, but in elastic infrastructure, this creates operational friction: every new subnet requires manual sub-router configuration, every pod network change triggers updates across all nodes, and dynamic container networks become a configuration nightmare for DevOps teams. Also, sub-routers themselves become a performance bottleneck.
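To make the configuration churn concrete, here is a small added model (not code from the post or from VeilNet) of a static full-mesh WireGuard overlay: each node's file lists every other node as a `[Peer]`, so the total number of stanzas grows as n(n-1) and adding one node forces every existing file to be rewritten. Key strings, endpoints and tunnel addresses are constructed placeholders, not real WireGuard keys.

```python
"""Model the configuration churn of a static full-mesh WireGuard overlay.

Added example: the PLACEHOLDER_PUBKEY_* strings, 203.0.113.x endpoints and
10.0.0.x tunnel addresses are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    pubkey: str       # constructed placeholder, not a real Curve25519 key
    endpoint: str     # host:port the other peers use to reach this node
    tunnel_ip: str    # this node's address inside the overlay


def peer_stanza(peer: Node) -> str:
    """One [Peer] block as it appears in every other node's wg0.conf."""
    return (
        "[Peer]\n"
        f"PublicKey = {peer.pubkey}\n"
        f"Endpoint = {peer.endpoint}\n"
        f"AllowedIPs = {peer.tunnel_ip}/32\n"
    )


def render_mesh(nodes: list[Node]) -> dict[str, str]:
    """Return {node name: wg0.conf text} for a full mesh (every node lists every other)."""
    configs = {}
    for me in nodes:
        body = f"[Interface]\nAddress = {me.tunnel_ip}/24\nListenPort = 51820\n\n"
        body += "\n".join(peer_stanza(p) for p in nodes if p is not me)
        configs[me.name] = body
    return configs


def total_peer_stanzas(configs: dict[str, str]) -> int:
    """Sum of [Peer] blocks across all files: n*(n-1) for an n-node mesh."""
    return sum(conf.count("[Peer]") for conf in configs.values())


def files_changed_by_adding(nodes: list[Node], new_node: Node) -> list[str]:
    """Names of existing nodes whose wg0.conf differs after one node joins."""
    before = render_mesh(nodes)
    after = render_mesh(nodes + [new_node])
    return sorted(name for name in before if before[name] != after[name])


def make_nodes(n: int) -> list[Node]:
    """Constructed sample fleet node1..nodeN with placeholder keys and addresses."""
    return [Node(f"node{i}", f"PLACEHOLDER_PUBKEY_{i}", f"203.0.113.{i}:51820", f"10.0.0.{i}")
            for i in range(1, n + 1)]


if __name__ == "__main__":
    fleet = make_nodes(5)
    print(total_peer_stanzas(render_mesh(fleet)))               # 20 stanzas for 5 nodes
    print(files_changed_by_adding(fleet, make_nodes(6)[-1]))    # all 5 existing files rewritten
```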
---
### 2. VeilNet's goal: reduce complexity to O(n) with intelligence
VeilNet solves this architecturally by combining a decentralized, Tor-like dynamic multi-hop network, reinforcement learning, and post-quantum cryptography. Nodes register once, then dynamically discover routes and establish secure channels as needed. No pre-distributed keys, no static peer lists, and no manual subnet configuration, while retaining full-stack accessibility.
*Key features:*
- Decentralized SDN: no centralized control plane; nodes self-organize through decentralized control channels
- Non-mesh and ephemeral: links are created on demand, preventing mesh explosion
- Native multi-hop: inspired by Tor, but with P2P encryption and no hop limitations
- Post-quantum cryptography: Kyber KEM and Dilithium signatures with packet-level authentication
---
### 3. Multi-region Kubernetes without subnet routers
One practical outcome: supporting elastic multi-region Kubernetes clusters without manual sub-router configuration. With VeilNet, each node runs a single registration command, and Pod/Service CIDRs are routable end-to-end automatically—no subnet routers, exit nodes, or special gateway roles.
We documented a minimal setup here: https://veilnet.net/docs/guides/k3s
---
VeilNet is already in active use—we use it ourselves to run our production cluster, a single Kubernetes cluster spanning 15 countries. I'm sharing this here to get feedback from people operating dynamic infrastructure at scale.
If you're interested in trying it out, our community realm is free to use with no limitations on devices or users. For the private realm, join the waitlist at https://veilnet.net/sign-up. Personal users can also use VeilNet as a TOR alternative. The connector code is available on GitHub (https://github.com/veil-net/conflux) and documentation is at https://veilnet.net/docs.
I'm happy to answer technical questions here, or join our Discord (https://discord.gg/yKCZCZutDR) for discussions and support.