FreedomMesh

FreedomMesh is the network layer. It connects FreedomDesktop instances with encrypted, peer-to-peer tunnels. Users never see it. They shouldn’t have to.

How It Works

FreedomMesh uses Nebula, an open-source mesh VPN originally built by Slack, deployed at 50,000+ nodes. Every connection is encrypted with the Noise protocol (X25519 + ChaCha20). Lighthouses see who is connecting, never what they’re sending.

The key architectural decision: FreedomMesh only carries FreedomCore application traffic. The Nebula firewall is locked down to FreedomCore app ports. No arbitrary network access. No browsing the internet through someone else’s mesh. The mesh exists to serve the apps. Nothing else gets in. Nothing leaks out.

This is what makes it A2A instead of VPN. A VPN is a general-purpose pipe. FreedomMesh is a purpose-built channel between trusted applications.

Lighthouses

A lighthouse is the group’s infrastructure. One small binary. One cheap server.

Every group — a family, a firm, a project — runs its own lighthouse. It costs $5/month on a VPS, or runs free on a Raspberry Pi. FreedomCore provides the software. The group provides the hardware.

The lighthouse handles:

  • Peer discovery — helps devices find each other across the internet
  • Relay — forwards traffic when direct connections fail (~10-15% of connections, mostly mobile on carrier networks)
  • Certificate authority — issues and manages group membership certificates

FreedomCore operates public lighthouses for bootstrapping (Toronto, Sydney). But once a group is established, its lighthouse is sovereign. FreedomCore cannot see, access, or interfere with group traffic.

NAT Traversal

The hardest problem in peer-to-peer networking: getting two devices behind firewalls to talk directly.

Scenario                                  Success rate
Home network to home network              >90% (UDP hole-punch)
Home to mobile carrier (CGNAT)            ~80%
Mobile to mobile (both CGNAT)             ~50-60%
Worst case (symmetric NAT both sides)     Falls back to relay

When direct connection fails, traffic relays through the group’s lighthouse. The lighthouse cannot decrypt the traffic — it’s just forwarding encrypted packets.

For mobile phones on carrier networks, the lighthouse acts as a TURN-equivalent relay. This is the same approach used by WebRTC (which achieves ~98% connectivity with STUN + TURN fallback).

The Browser Gateway

For zero-install guest access:

  1. Guest scans a QR code or opens an invite link
  2. Browser loads a lightweight page served by the group’s lighthouse
  3. WebRTC data channel established over HTTPS (port 443 — penetrates all firewalls)
  4. Lighthouse bridges WebRTC traffic into the Nebula mesh
  5. Guest can access shared resources (documents, chat, video)
  6. Close the browser tab = disconnect. No residue on the device.

No competitor offers zero-install browser access to a mesh network. This is FreedomCore’s “try before you install” moment.

Certificate-Based Access

Access control is cryptographic, not password-based.

Every participant holds a certificate signed by their group’s certificate authority. The certificate contains: identity, group memberships, expiration time, and a public key.

Root CA (Johnny's office)
├── cert: Alice, groups: ["deal-123-oak", "deal-456-elm"]
├── cert: Bob,   groups: ["deal-123-oak"]
└── cert: Sally, groups: ["deal-789-pine"]

Sally cannot communicate with deal-123-oak peers. Her certificate doesn’t list that group. Nebula enforces this at the crypto layer — packet authentication fails. She cannot modify her own certificate without the CA private key.

When a workspace dissolves, certificates expire. No manual cleanup. No lingering access. The math enforces it.
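As an added example, not configuration from the FreedomCore project, here is a Nebula config.yml for Alice's node that implements the two policies described on this page: the tunnel firewall accepts traffic only on the application port, and only from peers whose certificate carries a deal group Alice shares. The overlay addresses, the lighthouse hostname and the application port 8443 are placeholders, and the group names are taken from the certificate tree above.

```yaml
# Nebula config.yml for Alice's node (added example; placeholder values).
# Overlay IPs, the lighthouse hostname and port 8443 are assumptions,
# not values documented by FreedomMesh.
pki:
  ca: /etc/nebula/ca.crt        # the group's own CA, which signs every member cert
  cert: /etc/nebula/alice.crt   # Alice's cert, groups: deal-123-oak, deal-456-elm
  key: /etc/nebula/alice.key

# The group's lighthouse: overlay IP -> public address (placeholder)
static_host_map:
  "10.77.0.1": ["lighthouse.group.example:4242"]

lighthouse:
  am_lighthouse: false
  hosts:
    - "10.77.0.1"

listen:
  host: 0.0.0.0
  port: 4242

# UDP hole-punching for direct peer-to-peer paths
punchy:
  punch: true
  respond: true

# When hole-punching fails (CGNAT, symmetric NAT), fall back to relaying
# through the lighthouse, which only forwards already-encrypted packets.
relay:
  relays:
    - "10.77.0.1"
  use_relays: true

firewall:
  outbound_action: drop
  inbound_action: drop
  # Outbound: only the application port; with no unsafe_routes configured,
  # the only reachable destinations are mesh peers, so nothing leaks out.
  outbound:
    - port: 8443
      proto: tcp
      host: any
  # Inbound: only the application port, and only from certificates that carry
  # one of Alice's deal groups. Sally (deal-789-pine only) matches no rule, so
  # her packets are dropped even though the same CA signed her certificate.
  inbound:
    - port: 8443
      proto: tcp
      group: deal-123-oak
    - port: 8443
      proto: tcp
      group: deal-456-elm
```

Each `group:` rule matches independently, which is the OR the page implies; a single rule with `groups:` listing several names would instead require the peer's certificate to carry all of them.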

What FreedomMesh Is Not

  • Not a consumer VPN. It doesn’t hide your IP or route your Netflix through another country.
  • Not a replacement for your home network. It overlays on top of your existing internet connection.
  • Not a general-purpose tunnel. It only carries FreedomCore application traffic.
  • Not centralized. There is no FreedomCore server that all traffic passes through.

FreedomMesh is plumbing. Invisible, encrypted, reliable plumbing that connects FreedomDesktop instances and nothing else.
