wgmesh + cloudroof

OSS CDN-alternative
In Development

Build toward a research-grade content delivery layer using WireGuard mesh and wgmesh overlay routing. Phase 1 is single POP, IPv6-only, and no SLA.

🌍

Global Reach

Early users help shape a research-grade Phase 1 alpha

🔐

Fully Encrypted

WireGuard mesh encrypts all internal traffic

🏠

Hidden Origins

Backend servers can be anywhere—even your home

The Challenge

Traditional CDN = Vendor Lock-in

❌ Traditional CDN

  • Cloudflare/AWS controls your traffic
  • Pay per GB — costs scale linearly
  • Vendor lock-in — hard to migrate
  • No self-hosting — origins must be public
  • Compliance risk — data through 3rd party

✅ wgmesh CDN

  • You own everything — full control
  • Fixed cost — ~$5/mo per edge PoP
  • Portable — works on any VPS
  • Origins anywhere — home server OK
  • Your network — data stays private
Architecture

How It Works

DNS: www.delfi.lt → 2001:db8::1
↓ same IP for everyone
Users: 🇺🇸 US | 🇪🇺 EU | 🇯🇵 Asia
↓ wgmesh overlay reaches the active POP
Edge PoPs: Vultr LA | Hetzner DE | Vultr Tokyo
↓ encrypted tunnel
wgmesh: 🔐 WireGuard Full Mesh (10.77.0.0/16)
↓ routes to internal IP
Origins: 🏠 Japan (WordPress) | 🇱🇹 Lithuania (API) | ☁️ B2 (Media)
POP Design

The "Two Legs" Pattern

Each POP server has two network interfaces: one public, one private mesh.

🌐
Public Leg (eth0)

# Public IPv6 endpoint for Phase 1
eth0: 2001:db8:any::1

# Route-control plane is still in development
neighbor upstream planned 2001:db8::/48

# nginx terminates TLS here
listen 443 ssl;

Users connect here during Phase 1. Routing remains research-grade until the control plane ships.

🔐
Mesh Leg (wg0)

# Unique mesh IP per node
wg0: 10.77.0.10/16

# Auto-joins mesh with secret
wgmesh join --secret 'cdn-2025'

# Backend routing
proxy_pass http://10.77.1.50;

Internal traffic flows through encrypted WireGuard mesh.

Routing Model

How Phase 1 Starts Small

💡 Phase 1 = one public IPv6 POP, wgmesh overlay routing to private origins, and explicit no-SLA alpha access.

🇺🇸 US User: Requests 2001:db8::1 → US ISP sees route via Vultr LA (2 hops) → US Edge
🇪🇺 EU User: Requests 2001:db8::1 → EU ISP sees route via Hetzner (1 hop) → EU Edge
🇯🇵 Asia User: Requests 2001:db8::1 → Asia ISP sees route via Vultr Tokyo (2 hops) → Asia Edge

No production claims yet. Founding sponsors help decide which Phase 2 routing features matter first.

Getting Started

How to Get Your Own IP Prefix

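| Option     | Difficulty | Cost        | Time    | Notes                                                   |
|------------|------------|-------------|---------|---------------------------------------------------------|
| Vultr IPv6 | Easy       | $0 extra    | 24-48h  | Request via support ticket, they allocate /48           |
| Path.net   | Easy       | ~$20/mo/PoP | Instant | Built for routed infrastructure, prefix included        |
| BuyVM      | Easy       | ~$3.50/mo   | 24h     | Budget option with IPv6 prefix request                  |
| RIPE LIR   | Hard       | €1400/yr    | Weeks   | Own your prefix forever, more paperwork                 |
| GeoDNS     | Easiest    | Free        | Instant | Cloudflare DNS geo-steering, useful as a later fallback |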

🚀 Recommended: Start with one IPv6 POP and the same wgmesh backbone. Add broader routing only after Phase 1 proves useful.

Quick Start

Deploy in 5 Minutes

1. Spin up edge VPS

# Vultr, Hetzner, or any VPS
# One in each region you want
US: Vultr Los Angeles
EU: Hetzner Falkenstein
Asia: Vultr Tokyo

2. Join the mesh

# Same command on each edge
wgmesh join \
  --secret 'my-cdn-secret-2025'

3. Configure nginx

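upstream backend {
  server 10.77.1.50:80;
}

server {
  # Phase 1 is IPv6-only, so bind the IPv6 socket as well
  listen 443 ssl;
  listen [::]:443 ssl;
  # Placeholder certificate paths
  ssl_certificate     /path/to/fullchain.pem;
  ssl_certificate_key /path/to/privkey.pem;
  location / {
    proxy_pass http://backend;
  }
}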

4. Join origin to mesh

# On your home server / origin
wgmesh join \
  --secret 'my-cdn-secret-2025'

# Gets mesh IP 10.77.1.50
# Now reachable from all edges!
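
The edge proxies to the origin over plain HTTP, so that hop is encrypted only while the upstream address sits inside the mesh range 10.77.0.0/16. The check below is an added example, not part of wgmesh or cloudroof; the function names and the sample config (including the 203.0.113.7 address) are constructed for illustration.

```python
import ipaddress
import re

MESH = ipaddress.ip_network("10.77.0.0/16")  # mesh range used on this page

# Constructed sample: one upstream inside the mesh, one proxy_pass outside it.
SAMPLE_CONF = """
upstream backend {
  server 10.77.1.50:80;
}
server {
  listen 443 ssl;
  location /     { proxy_pass http://backend; }
  location /api/ { proxy_pass http://203.0.113.7:8080; }
}
"""

def _host(authority):
    """Return the host part of host:port or [v6]:port, without brackets."""
    if authority.startswith("["):
        return authority[1:].split("]", 1)[0]
    return authority.split(":", 1)[0]

def _in_mesh(host):
    """True only for a literal IP inside the mesh; hostnames are not trusted."""
    try:
        return ipaddress.ip_address(host) in MESH
    except ValueError:
        return False

def find_cleartext_leaks(conf):
    """List (proxy_pass target, resolved host) pairs that use http:// off-mesh."""
    conf = re.sub(r"#.*", "", conf)  # drop nginx comments before matching
    upstreams = {}
    for name, body in re.findall(r"upstream\s+(\S+)\s*\{([^}]*)\}", conf):
        servers = re.findall(r"^\s*server\s+([^\s;]+)", body, re.M)
        upstreams[name] = [_host(s) for s in servers]
    leaks = []
    for scheme, authority in re.findall(r"proxy_pass\s+(https?)://([^/\s;]+)", conf):
        if scheme == "https":
            continue  # not cleartext; outside the scope of this check
        host = _host(authority)
        for target in upstreams.get(host, [host]):  # expand named upstreams
            if not _in_mesh(target):
                leaks.append((authority, target))
    return leaks

if __name__ == "__main__":
    print(find_cleartext_leaks(SAMPLE_CONF))
```

A hostname target is reported as well, since DNS can point it outside the mesh at any time.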
Summary

Your Own Global CDN

💰

~$15-20/mo Total

3x $5 VPS for global coverage. Origins can be free (home server).

⚑

5 Minute Setup

One command per node. Auto-discovery handles the rest.

🔒

End-to-End Encrypted

TLS to edge, WireGuard to origin. No cleartext ever.

🏠

Origin Anywhere

Home server, Raspberry Pi, or any cloud. Behind NAT = OK.

wgmesh join --secret 'your-secret'

That's it. Same command everywhere. Mesh forms automatically.

github.com/atvirokodosprendimai/wgmesh →

New Guide

Mesh Local + Remote
Into One LAN

Connect your Mac, Linux machines, and VPS servers into a single private network. Access any machine from anywhere.

🍎

macOS Setup

Homebrew install, LaunchDaemon config

🐧

Linux Setup

Ubuntu, Fedora, Arch instructions

☁️

Remote Servers

Any VPS, SSH deployment

🌐

Route Advertising

Expose home LAN through mesh

📖 Read the LAN Mesh Guide →
Pilot Program

Become a Founding Sponsor

cloudroof is an OSS CDN-alternative in development; you bring the origin (home server, Pi, any VPS). One-click signup via Polar — EU merchant of record, benefits activate within minutes. Self-hosting stays free under MIT. Founding sponsors fund the research-grade Phase 1 build.

💚

$5 / month — Founding

Name in CONTRIBUTORS/SPONSORS, Discord access, Phase 2 voting, and first alpha access.

Become a founding member →

Payment via Polar.sh (EU MoR, one-click checkout).