Configs · May 17, 2026 · 1 min read

Innernet — Simplified WireGuard Mesh Networking

Innernet is a tool for managing private WireGuard-based mesh networks with a central coordination server, CIDR-based access control, and automatic peer discovery for teams and infrastructure.

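Agent Ready

This asset can be read and installed directly by an agent

TokRepo provides a universal CLI command, an install contract, metadata JSON, per-adapter install plans, and raw content links, so that an agent can judge fit, risk, and next steps.

Native · 98/100 · Policy: Allow
Agent entry: Any MCP/CLI agent
Type: Skill
Install: Single
Trust: Trust level: Established
Entry: Innernet Overview
Universal CLI install command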
npx tokrepo install 559e88da-5187-11f1-9bc6-00163e2b0d79

Introduction

Innernet simplifies the creation and management of private WireGuard networks for organizations. Instead of manually configuring WireGuard on each node, innernet provides a coordination server that handles peer discovery, key exchange, and CIDR-based access policies — letting you build secure mesh networks across cloud instances, offices, and laptops.

What Innernet Does

  • Manages WireGuard peer configurations centrally with automatic distribution to all nodes
  • Implements CIDR-based access control so different network segments can be isolated
  • Handles peer discovery and NAT traversal for nodes behind firewalls
  • Provides invitation-based onboarding: generate a file, share it, and the peer joins automatically
  • Periodically syncs peer lists so new nodes are reachable by all authorized peers

Architecture Overview

Innernet uses a client-server model where the server maintains the authoritative peer database in SQLite. Each client periodically contacts the server over a WireGuard tunnel to fetch updated peer lists and push its own endpoint information. The actual data traffic flows peer-to-peer through WireGuard — the server only coordinates metadata. CIDRs form a hierarchy that determines which peers can communicate with each other.

Self-Hosting & Configuration

  • Server runs on a single publicly-reachable host with minimal resources (SQLite backend)
  • Network topology defined via CIDR hierarchy — assign subnets to teams, environments, or roles
  • Invitation files contain initial WireGuard keys and server endpoint for one-command onboarding
  • Peer refresh interval configurable to balance freshness against server load
  • Admin peers can manage the network (add/remove peers, modify CIDRs) via the CLI

Key Features

  • Built on WireGuard for proven cryptographic security and high performance
  • CIDR-based access groups provide network segmentation without complex firewall rules
  • Automatic peer discovery eliminates manual key exchange and endpoint configuration
  • Lightweight coordination server with no persistent connections — uses WireGuard for all communication
  • Designed for self-hosting with no external dependencies or cloud services required

Comparison with Similar Tools

  • Tailscale — hosted coordination with broader NAT traversal; innernet is fully self-hosted with CIDR-based access control
  • Headscale — self-hosted Tailscale control server but more complex; innernet is simpler with native CIDR policies
  • Netmaker — full-featured mesh VPN with web UI; innernet is lighter and CLI-focused
  • WireGuard (raw) — requires manual config on every peer; innernet automates peer management and key distribution

FAQ

Q: Does all traffic route through the innernet server? A: No. The server only distributes peer metadata. Actual traffic flows directly between peers via WireGuard tunnels.

Q: Can innernet work with peers behind NAT? A: Yes. Peers report their endpoints to the server, and WireGuard's UDP hole-punching handles most NAT scenarios.

Q: How does access control work? A: CIDRs form a tree. A peer can only communicate with peers in its own CIDR or parent CIDRs, providing natural network segmentation.

Q: What happens if the coordination server goes down? A: Existing connections continue working since they are direct WireGuard tunnels. New peers cannot join and existing peers cannot discover updates until the server returns.
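The CIDR tree and the access rule from the FAQ can be checked on paper before any subnet is created. The sketch below is an added example, not innernet's own code: it validates a planned hierarchy (children inside their parent, no overlapping siblings) and evaluates which peers may talk. The plan, peer names and addresses are constructed, and two points are assumptions: a peer belongs to the most specific CIDR containing its address, and the FAQ rule is read symmetrically (same CIDR, or one CIDR is an ancestor of the other).

```python
import ipaddress

# Constructed sample plan (not from the page): name -> (CIDR, parent name or None).
PLAN = {
    "corp":    ("10.42.0.0/16", None),
    "infra":   ("10.42.0.0/24", "corp"),
    "dev":     ("10.42.1.0/24", "corp"),
    "dev-ci":  ("10.42.1.128/25", "dev"),
    "finance": ("10.42.2.0/24", "corp"),
}
# Constructed peers: name -> assigned tunnel IP.
PEERS = {"ops-laptop": "10.42.0.10", "alice": "10.42.1.5",
         "ci-runner": "10.42.1.130", "ledger": "10.42.2.7"}

def validate_plan(plan):
    """Return problems: children outside their parent, overlapping siblings."""
    nets = {n: ipaddress.ip_network(c) for n, (c, _) in plan.items()}
    problems = []
    for name, (_, parent) in plan.items():
        if parent is not None and not nets[name].subnet_of(nets[parent]):
            problems.append(f"{name} is not inside parent {parent}")
    names = sorted(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a][1] == plan[b][1] and nets[a].overlaps(nets[b]):
                problems.append(f"siblings {a} and {b} overlap")
    return problems

def cidr_of(ip, plan):
    """Assumption: a peer belongs to the most specific CIDR containing its IP."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(c).prefixlen, n) for n, (c, _) in plan.items()
            if addr in ipaddress.ip_network(c)]
    return max(hits)[1] if hits else None

def lineage(name, plan):
    """The CIDR itself followed by its ancestors up to the root."""
    chain = []
    while name is not None:
        chain.append(name)
        name = plan[name][1]
    return chain

def may_communicate(a, b, plan=PLAN, peers=PEERS):
    """FAQ rule as read here: same CIDR, or one CIDR is an ancestor of the other."""
    ca, cb = cidr_of(peers[a], plan), cidr_of(peers[b], plan)
    return cb in lineage(ca, plan) or ca in lineage(cb, plan)
```

Under this reading sibling segments such as dev and finance stay isolated, which is the property worth asserting before peers are invited.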
