# Innernet — Simplified WireGuard Mesh Networking

> Innernet is a tool for managing private WireGuard-based mesh networks with a central coordination server, CIDR-based access control, and automatic peer discovery for teams and infrastructure.

## Quick Use

```bash
# Install the server
cargo install innernet-server
# or from a package manager (Arch, Debian)

# Create a new network
innernet-server new --network-name mynet --network-cidr 10.42.0.0/16

# Add a peer (generates an invitation file)
innernet-server add-peer mynet --name laptop --cidr 10.42.1.0/24 --admin false

# On the peer: join the network
sudo innernet install invitation.toml

# Refresh the peer list and connections
sudo innernet up
```

## Introduction

Innernet simplifies the creation and management of private WireGuard networks for organizations. Instead of manually configuring WireGuard on each node, innernet provides a coordination server that handles peer discovery, key exchange, and CIDR-based access policies — letting you build secure mesh networks across cloud instances, offices, and laptops.

## What Innernet Does

- Manages WireGuard peer configurations centrally with automatic distribution to all nodes
- Implements CIDR-based access control so different network segments can be isolated
- Handles peer discovery and NAT traversal for nodes behind firewalls
- Provides invitation-based onboarding: generate a file, share it, and the peer joins automatically
- Periodically syncs peer lists so new nodes are reachable by all authorized peers

## Architecture Overview

Innernet uses a client-server model where the server maintains the authoritative peer database in SQLite. Each client periodically contacts the server over a WireGuard tunnel to fetch updated peer lists and push its own endpoint information. The actual data traffic flows peer-to-peer through WireGuard — the server only coordinates metadata.
CIDRs form a hierarchy that determines which peers can communicate with each other.

## Self-Hosting & Configuration

- Server runs on a single publicly-reachable host with minimal resources (SQLite backend)
- Network topology defined via CIDR hierarchy — assign subnets to teams, environments, or roles
- Invitation files contain initial WireGuard keys and the server endpoint for one-command onboarding
- Peer refresh interval configurable to balance freshness against server load
- Admin peers can manage the network (add/remove peers, modify CIDRs) via the CLI

## Key Features

- Built on WireGuard for proven cryptographic security and high performance
- CIDR-based access groups provide network segmentation without complex firewall rules
- Automatic peer discovery eliminates manual key exchange and endpoint configuration
- Lightweight coordination server with no persistent connections — uses WireGuard for all communication
- Designed for self-hosting with no external dependencies or cloud services required

## Comparison with Similar Tools

- **Tailscale** — hosted coordination with broader NAT traversal; innernet is fully self-hosted with CIDR-based access control
- **Headscale** — self-hosted Tailscale control server but more complex; innernet is simpler with native CIDR policies
- **Netmaker** — full-featured mesh VPN with web UI; innernet is lighter and CLI-focused
- **WireGuard (raw)** — requires manual config on every peer; innernet automates peer management and key distribution

## FAQ

**Q: Does all traffic route through the innernet server?**

A: No. The server only distributes peer metadata. Actual traffic flows directly between peers via WireGuard tunnels.

**Q: Can innernet work with peers behind NAT?**

A: Yes. Peers report their endpoints to the server, and WireGuard's UDP hole-punching handles most NAT scenarios.

**Q: How does access control work?**

A: CIDRs form a tree.
A peer can only communicate with peers in its own CIDR or parent CIDRs, providing natural network segmentation.

**Q: What happens if the coordination server goes down?**

A: Existing connections continue working since they are direct WireGuard tunnels. New peers cannot join and existing peers cannot discover updates until the server returns.

## Sources

- https://github.com/tonarino/innernet
- https://blog.tonari.no/introducing-innernet

---

Source: https://tokrepo.com/en/workflows/asset-559e88da
Author: AI Open Source
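The CIDR-tree access rule from the FAQ, modelled as an added example (this is not innernet's own code, which is written in Rust): it derives the parent chain of a constructed set of named CIDRs, flags peers whose tunnel IP lies outside the CIDR they were assigned to, and applies the "own CIDR or parent CIDRs" rule to pairs of constructed peers. All CIDR names, peer names and addresses are assumed sample values.

```python
# Added illustration, not innernet's own code: a model of the CIDR tree and
# of the access rule stated in the FAQ ("own CIDR or parent CIDRs").
from ipaddress import ip_address, ip_network

# Constructed sample hierarchy: a /16 root with nested team subnets.
CIDRS = {
    "mynet": "10.42.0.0/16",
    "infra": "10.42.1.0/24",
    "infra-db": "10.42.1.128/25",
    "laptops": "10.42.2.0/24",
}

# Constructed peers: name -> (CIDR name, tunnel IP). "db-bad" is deliberately misplaced.
PEERS = {
    "server": ("mynet", "10.42.0.1"),
    "db1": ("infra-db", "10.42.1.130"),
    "laptop": ("laptops", "10.42.2.7"),
    "db-bad": ("infra-db", "10.42.1.5"),
}

def parent_of(name, cidrs):
    """Name of the smallest CIDR strictly containing `name`, or None for the root."""
    net = ip_network(cidrs[name])
    containing = [n for n, c in cidrs.items()
                  if n != name and ip_network(c).supernet_of(net)]
    if not containing:
        return None
    # CIDR blocks never partially overlap, so the longest prefix is the nearest parent.
    return max(containing, key=lambda n: ip_network(cidrs[n]).prefixlen)

def ancestors(name, cidrs):
    """Parent chain from `name` up to the root, nearest parent first."""
    chain, p = [], parent_of(name, cidrs)
    while p is not None:
        chain.append(p)
        p = parent_of(p, cidrs)
    return chain

def misplaced_peers(peers, cidrs):
    """Peers whose tunnel IP is outside the CIDR they were assigned to."""
    return sorted(n for n, (c, ip) in peers.items()
                  if ip_address(ip) not in ip_network(cidrs[c]))

def can_communicate(peer_a, peer_b, peers, cidrs):
    """FAQ rule for two peers: same CIDR, or one peer's CIDR is an ancestor of the other's."""
    ca, cb = peers[peer_a][0], peers[peer_b][0]
    return ca == cb or ca in ancestors(cb, cidrs) or cb in ancestors(ca, cidrs)
```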