Networking

Headscale37.1k★

It replaces Tailscale's coordination server while using the same WireGuard-based protocol and official Tailscale clients. Completely free and open source under BSD-3. You get the full mesh networking experience: devices register with your Headscale server, get assigned IP addresses, and establish direct WireGuard connections to each other. Supports ACLs (access control lists), DNS, MagicDNS, OIDC authentication, and pre-auth keys. No paid tier. The project is community-driven. Homelabbers: this is one of the most popular self-hosted networking tools for a reason. Small teams: works great for connecting office and remote resources. Growing teams: evaluate if self-hosting the control plane saves enough over Tailscale's $6/user/mo. Large orgs: probably want Tailscale's managed offering for support and compliance. The catch: you lose Tailscale's managed features: their admin dashboard, team management, device posture checks, and the convenience of zero-config. Headscale requires you to run and maintain the control server. Setup is straightforward (single binary + SQLite), but debugging mesh networking issues without Tailscale's support team is on you. Also, DERP relay servers (for when direct connections fail) need separate setup or you rely on Tailscale's public ones.

AdGuard Home33.4k★

AdGuard Home blocks ads, trackers, and malware across every device on your network by running as your DNS server, no per-device installs needed. Every DNS request goes through it, and it blocks the ones that resolve to ad servers or trackers. It's a bouncer for your network's internet traffic. Everything is free under GPL-3.0. No paid tier for AdGuard Home itself. (AdGuard the company sells a separate VPN/ad-blocking app; that's a different product.) The Home DNS server is fully featured: custom blocklists, per-client settings, encrypted DNS (DoH/DoT/DoQ), DHCP server, query logging, and a clean web dashboard. Self-hosting is the only option. Run it on a Raspberry Pi ($35-60), a spare computer, a Docker container, or a VPS. Initial setup takes 15-30 minutes: install the binary, point your router's DNS to it, pick your blocklists. Ongoing maintenance is minimal; update the binary occasionally, review your logs if you're curious. Solo: install it at home. The quality-of-life improvement is immediate: YouTube ads on smart TVs, tracking on every device, gone. Small teams: run it on your office network. Growing teams: it's a home/small-office tool, not enterprise DNS. The catch: DNS-level blocking can't stop everything. Ads served from the same domain as content (like some YouTube ads) slip through. And occasionally a legitimate service breaks because its domain is on a blocklist, and you'll be the family IT person debugging why a website doesn't load.

Tailscale30.1k★

Tailscale creates a private network that works everywhere without opening ports or configuring firewalls. It uses WireGuard (the fast, modern VPN protocol) underneath, but handles all the key exchange, NAT traversal, and device management that makes WireGuard hard to set up yourself. The free tier covers up to 100 devices and 3 users. That's generous. Most personal and small team use cases fit comfortably. You get encrypted connections, MagicDNS (access devices by name), subnet routing, and exit nodes. Paid plans start at $6/user/mo for the Starter tier (adds more users, ACL policies). Business is $18/user/mo with SSO, device posture checks, and custom DERP servers. The catch: the coordination server (the part that manages keys and device registration) is proprietary. Your actual traffic goes peer-to-peer and never touches Tailscale's servers, but device management depends on them. If Tailscale disappears, your network stops working. Headscale is the open source alternative coordination server if that dependency bothers you. Also, Tailscale is BSD-licensed, which is unusually permissive for a VC-funded company. Appreciate that while it lasts.

Envoy27.8k★

It's the data plane behind Istio, AWS App Mesh, and dozens of service meshes. Everything is free under Apache 2.0. No paid tier from the Envoy project itself. It's a CNCF graduated project, which means it's been vetted for production use by the Cloud Native Computing Foundation. Maintained by a large contributor base including engineers from Google, Lyft (where it was created), and Microsoft. Self-hosting is the only option, and the ops burden is significant. Envoy is powerful but complex. Configuration is verbose YAML. The learning curve is steep if you're not already in the service mesh world. Most teams don't run Envoy directly. They use it through Istio or a gateway controller. Solo developers: you don't need this. Use Nginx or Caddy. Small teams with a few services: still probably overkill. Use Traefik or Caddy. Growing teams with 10+ microservices: this is where Envoy starts making sense, especially through Istio or a gateway API. The catch: Envoy is infrastructure for infrastructure people. The configuration complexity is legendary. Unless you're building a service mesh or need advanced traffic management (circuit breaking, retries, observability), simpler proxies do the job with 10% of the config.

Nebula17.1k★

Nebula creates an encrypted overlay mesh that connects machines across different networks into one private network. It's a VPN that doesn't need a central server to route all traffic. Every node connects directly to every other node, peer-to-peer. MIT license, Go. Built by Slack's infrastructure team for their own use, then open sourced. Uses a lighthouse node for discovery (helps nodes find each other) but actual traffic flows directly between peers. WireGuard-style encryption, runs on Linux, macOS, Windows, iOS, and Android. Fully free. No paid tier, no managed service. Defined Networking (the company behind it) sells a managed control plane but Nebula itself is completely free to self-host. Solo: overkill unless you're connecting personal machines across locations. Small teams (2-10): solid for connecting dev environments to cloud resources without exposing ports. Medium to large: this is where Nebula shines: hundreds of nodes across cloud providers and offices on one flat network. The catch: you're building your own network infrastructure. Certificate management, firewall rules, lighthouse configuration, it's not hard but it's not "install and go" either. If you just need remote access to a few servers, Tailscale (which is built on WireGuard) is dramatically simpler. Nebula is for teams that want full control and are willing to manage it.

ZeroTier16.6k★

ZeroTier creates a virtual network between your devices, your office, and your cloud VMs. No port forwarding, no VPN server to maintain. Install the agent on each machine, join a network ID, and they can talk to each other directly, peer-to-peer. ZeroTier uses its own protocol (not WireGuard), handles NAT traversal, and supports both layer 2 and layer 3 networking. That layer 2 support is a genuine differentiator: you can bridge entire network segments across the internet, which Tailscale (layer 3 only) cannot do. The self-hosted controller option gives you full control over your network infrastructure with no dependency on a third party. The license is BSL 1.1 (converts to Apache 2.0 after 4 years), so it's source-available with eventual open source. The catch: Tailscale has gained significantly more developer traction in recent years. It's simpler to set up, uses WireGuard (which is audited and well-trusted), and has a larger integration ecosystem. If you don't need layer 2 networking or full self-hosting, Tailscale is the easier choice. But if either of those matters to you, ZeroTier is the tool that actually delivers them.

rathole13.2k★

Rathole punches a hole through without opening ports on your router. It's essentially a tunnel from your private network to a public endpoint. Written in Rust, so it's fast and lightweight. We're talking single-digit MB of RAM. Compared to frp (the other big player here), rathole uses less memory and handles more concurrent connections. Setup is straightforward: a config file on the server side, a config file on the client side, done. Everything is free. No paid tier, no cloud service, no catch on features. You self-host both ends. Docker image available, or grab the binary. The catch: you need a server with a public IP to act as the relay. If you don't already have a VPS, that's $5/mo minimum. And the docs are thin: the README covers the basics but you'll be reading config examples more than prose. Solo devs and home labbers, this is your tool. Teams needing managed tunnels with dashboards should look at Cloudflare Tunnel (free) or ngrok instead.

mullvadvpn-app6.9k★

Mullvad is that. No accounts, no profiles. You get a random number as your ID, pay your money, and connect. The client app is fully open source so you can verify it does what it claims. GPL v3, written in Rust. The app supports WireGuard and OpenVPN, has a kill switch, split tunneling, and DNS leak protection. Available on Windows, macOS, Linux, Android, and iOS. The Rust codebase means the app itself is fast and resource-light. This is NOT a free tool. Mullvad costs 5 EUR/mo (~$5.50 USD) with no discounts for longer commitments. Everyone pays the same. You can pay with cash mailed in an envelope, crypto, or card. No free tier. The open source part is the client app. You can build it yourself and connect to Mullvad's servers, or theoretically point it at your own WireGuard server. But the value is the server network, and that's paid. Solo users who care about privacy: this is the VPN to use. Teams needing business VPN features (centralized management, SSO): look elsewhere. The catch: no free tier means you're paying from day one. The server network is smaller than NordVPN or ExpressVPN. And 5 EUR/mo with no annual discount makes it pricier than competitors who offer $3/mo on 2-year plans. You're paying a premium for the privacy model.

blocky6.5k★

Blocky is a DNS proxy that filters requests before they reach your devices. Same concept as Pi-hole but written in Go, runs as a single binary, and needs zero dependencies. No database, no web server framework, no PHP. Point your router's DNS at Blocky, configure your blocklists, and every device on your network stops loading ads and trackers. It supports DNS-over-HTTPS, DNS-over-TLS, conditional forwarding, and client-specific rules. Apache 2.0. Fully free. No paid tier, no cloud version. Self-host only. The catch: Blocky has no web dashboard out of the box. Pi-hole gives you a slick admin panel with graphs and query logs. Blocky gives you a config file and an API. If you want a UI, you'll need to set up Grafana or a third-party frontend. For people comfortable with YAML config files, that's fine. For everyone else, Pi-hole's UI is hard to beat.

sozu3.6k★

A reverse proxy that can reload its configuration without dropping a single connection. If you're running web services and need a load balancer in front of them, Sozu does what nginx and HAProxy do, but with true zero-downtime config changes: no reload signal, no worker restart, no connection reset. Written in Rust. Memory-safe, fast, lightweight. Handles HTTP/1.1, HTTP/2, WebSocket, and TLS. The config changes happen through a command socket: you send a message, the proxy updates instantly. No file edits, no restarts. Small but the project has been around since 2016, originally built by Clever Cloud (a French PaaS provider) for their own infrastructure. Completely free under AGPL-3.0. No paid tier. The catch: the ecosystem is tiny compared to nginx or Traefik. Documentation is sparse. Community support is limited; you're mostly on your own. If hot config reloading is your primary requirement, Envoy and HAProxy also handle this well with much larger communities. Sozu is interesting technology but unless you specifically need Rust-native proxy with zero-downtime reloads and don't mind being an early adopter, nginx or Traefik are safer choices.

easylist2.9k★

The filter lists that tell it what to block probably come from EasyList. It is the most widely used ad-blocking filter subscription, maintained by a community of contributors who track and block ad domains, trackers, and annoyances across the web. You do not use EasyList directly. It is a dependency of the tools you already use. When your ad blocker updates its filters, it is pulling from lists like these. The catch: this is a filter list, not software. You do not install it, build with it, or self-host it. It is useful to know about because it powers the ad-blocking ecosystem, but it is not a tool you evaluate the same way as a database or framework.

docktail646★

Docktail does it with labels. Add a label to your Docker container, and Docktail automatically registers it as a Tailscale service. No port forwarding, no VPN configs, no firewall rules. This solves a specific pain point: you have a dozen self-hosted services in Docker and you want them accessible from your phone, laptop, or remote machines over Tailscale, without opening ports to the internet. Docktail watches your Docker daemon and handles the Tailscale registration automatically. AGPL-3.0, fully free. You need a Tailscale account (free for personal use, up to 100 devices). The catch: AGPL-3.0 is aggressive copyleft. If you modify this and serve it, you owe the source code. The project is very early. Small community, limited documentation, and if the maintainer moves on, you're forking it yourself. Also, Tailscale itself has limits on the free tier (3 users).