wgmesh + BGP Anycast

Global CDN
Zero Infrastructure

Build a worldwide content delivery network using WireGuard mesh and anycast routing. No central servers required.

🌍

Global Reach

Users automatically route to nearest edge via BGP anycast

🔐

Fully Encrypted

WireGuard mesh encrypts all internal traffic

🏠

Hidden Origins

Backend servers can be anywhereβ€”even your home

The Challenge

Traditional CDN = Vendor Lock-in

❌ Traditional CDN

  • Cloudflare/AWS controls your traffic
  • Pay per GB β€” costs scale linearly
  • Vendor lock-in β€” hard to migrate
  • No self-hosting β€” origins must be public
  • Compliance risk β€” data through 3rd party

βœ… wgmesh CDN

  • You own everything β€” full control
  • Fixed cost β€” ~$5/mo per edge PoP
  • Portable β€” works on any VPS
  • Origins anywhere β€” home server OK
  • Your network β€” data stays private
Architecture

How It Works

DNS: www.delfi.lt → 2001:db8::1
↓ same IP for everyone
Users: 🇺🇸 US | 🇪🇺 EU | 🇯🇵 Asia
↓ BGP routes to nearest
Edge PoPs: Vultr LA | Hetzner DE | Vultr Tokyo
↓ encrypted tunnel
wgmesh: 🔐 WireGuard Full Mesh (10.77.0.0/16)
↓ routes to internal IP
Origins: 🏠 Japan (WordPress) | 🇱🇹 Lithuania (API) | ☁️ B2 (Media)

Edge Node Design

The "Two Legs" Pattern

Each edge server has two network interfaces: one public (anycast), one private (mesh).

🌐
Public Leg (eth0)

# Anycast IP - same on ALL edge nodes
eth0: 2001:db8:any::1

# BGP announces to upstream
neighbor vultr announce 2001:db8::/48

# nginx terminates TLS here
listen 443 ssl;

Users connect here. BGP magic routes them to the nearest edge.

🔐
Mesh Leg (wg0)

# Unique mesh IP per node
wg0: 10.77.0.10/16

# Auto-joins mesh with secret
wgmesh join --secret 'cdn-2025'

# Backend routing
proxy_pass http://10.77.1.50;

Internal traffic flows through encrypted WireGuard mesh.

BGP Anycast

How Same IP Works Everywhere

💡 Anycast = Multiple servers announce the same IP prefix. Internet routers automatically send traffic to the nearest announcer, where "nearest" means the best BGP path (typically the shortest AS path), which is usually but not always the geographically closest.

🇺🇸 US User: requests 2001:db8::1 → US ISP sees route via Vultr LA (2 hops) → US Edge
🇪🇺 EU User: requests 2001:db8::1 → EU ISP sees route via Hetzner (1 hop) → EU Edge
🇯🇵 Asia User: requests 2001:db8::1 → Asia ISP sees route via Vultr Tokyo (2 hops) → Asia Edge

No GeoDNS needed. No extra latency from DNS-based steering. Pure routing magic.

Getting Started

How to Get Your Own IP Prefix

| Option | Difficulty | Cost | Time | Notes |
|---|---|---|---|---|
| Vultr BGP | Easy | $0 extra | 24-48h | Request via support ticket, they allocate /48 |
| Path.net | Easy | ~$20/mo/PoP | Instant | Built for anycast, prefix included |
| BuyVM | Easy | ~$3.50/mo | 24h | Budget option with BGP, request prefix |
| RIPE LIR | Hard | €1400/yr | Weeks | Own your prefix forever, more paperwork |
| GeoDNS (No BGP) | Easiest | Free | Instant | Cloudflare DNS geo-steering, no anycast |

🚀 Recommended: Start with GeoDNS (free), same wgmesh backbone. Add true anycast later when you have a prefix.

Quick Start

Deploy in 5 Minutes

1. Spin up edge VPS

# Vultr, Hetzner, or any VPS
# One in each region you want
US: Vultr Los Angeles
EU: Hetzner Falkenstein
Asia: Vultr Tokyo

2. Join the mesh

# Same command on each edge
# The secret is all a node needs to join (per these slides), so use a long random value
wgmesh join \
  --secret 'my-cdn-secret-2025'

3. Configure nginx

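upstream backend {
  server 10.77.1.50:80;   # origin's mesh IP
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;    # the anycast address is IPv6
  # Placeholder certificate paths; an ssl listener needs a certificate to start
  ssl_certificate     /path/to/fullchain.pem;
  ssl_certificate_key /path/to/privkey.pem;
  location / {
    # proxy_pass is only valid inside a location block
    proxy_pass http://backend;
  }
}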

4. Join origin to mesh

# On your home server / origin
wgmesh join \
  --secret 'my-cdn-secret-2025'

# Gets mesh IP 10.77.1.50
# Now reachable from all edges!
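
The "Hidden Origins" property from step 4 only holds if the origin's services listen on its mesh address and nothing wider. As an added example (not from the original slides or the wgmesh project), this Python check parses `ss -H -tln` output and lists listeners that are not confined to loopback or the 10.77.0.0/16 mesh; the sample output and the function names are constructed for illustration.

```python
import ipaddress

MESH = ipaddress.ip_network("10.77.0.0/16")  # mesh range from the slides

# Constructed sample of `ss -H -tln` output from an origin host (not real data).
SAMPLE_SS = """\
LISTEN 0 511 10.77.1.50:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:8080 [::]:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 192.168.1.20%eth0:3306 0.0.0.0:*
LISTEN 0 511 *:9000 *:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope and brackets
    return host, int(port)

def non_mesh_listeners(ss_output, mesh=MESH):
    """Return (host, port) for listeners not limited to loopback or the mesh."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if host != "*":  # "*" is ss's dual-stack wildcard, always a finding
            addr = ipaddress.ip_address(host)
            if addr.is_loopback or addr in mesh:
                continue
        findings.append((host, port))  # wildcard, LAN or public bind
    return findings

if __name__ == "__main__":
    for host, port in non_mesh_listeners(SAMPLE_SS):
        print(f"not mesh-only: {host}:{port}")
```

On a real origin, feed it the live output of `ss -H -tln`; an empty result means every TCP listener is bound to loopback or a mesh address.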

Summary

Your Own Global CDN

💰

~$15-20/mo Total

3x $5 VPS for global coverage. Origins can be free (home server).

⚑

5 Minute Setup

One command per node. Auto-discovery handles the rest.

🔒

End-to-End Encrypted

TLS to edge, WireGuard to origin. No cleartext on the wire; the edge terminates TLS, so it sees the decrypted request.

🏠

Origin Anywhere

Home server, Raspberry Pi, or any cloud. Behind NAT = OK.

wgmesh join --secret 'your-secret'

That's it. Same command everywhere. Mesh forms automatically.

github.com/atvirokodosprendimai/wgmesh →