Our increasingly connected world runs on several layers of networking stacks that help route, find, and receive data from external sources. But that's not the only way to communicate digitally, even if the IP-based networking stack that runs the internet is the generally accepted method. There are many compromises in its design, tracing back to the origin of the Internet Protocol, and there are other ways to do things.
Decentralized mesh networks are one, and if you've used any of the next-gen VPN solutions like Tailscale or ZeroTier, you have some idea of what I'm talking about. These solutions still layer new protocols over the accepted IP-based network stack, but other ways exist to achieve the same goal.
One is called Reticulum, an open-source, cryptography-based network stack. It provides the protocol and transport layers for making secure, decentralized, and resilient local or wide-area networks, and is designed to be medium-agnostic, in that it works on almost any transmission medium that can reliably pass a few bytes at a time. It's pretty neat but tricky to use on its own, which is what the VPN built on top of the Reticulum stack handles for you.
What is Reticulum anyway?
And why do we need another networking stack?
Reticulum uses existing hardware, like LoRa radios, Wi-Fi, Ethernet, serial lines, or anything else that can pass data, and turns it into a mesh-based network stack. It can also be run over external programs or piped over existing IP networks, so it's completely medium-agnostic. While traditional networking uses IP allocations for addressing individual devices, Reticulum uses a concept of destinations, which are defined using cryptographic keys.
It doesn't require centralized infrastructure, can be set up either as an open mesh or one that requires authentication to join, and uses full end-to-end encryption for data in transit. It needs no drivers, no kernel modules, and runs on anything Python 3 can run, making it a fully software-defined networking solution.
Differences from the traditional network stack:
| Feature | Traditional TCP/IP Network | Reticulum Network |
|---|---|---|
| Addressing | IP addresses, central allocation | Cryptographic keys / destinations |
| Topology | Usually hierarchical or client-server | True mesh, flat, peer-to-peer |
| Encryption | Optional, app-dependent | Always-on, enforced at protocol level |
| Sender privacy | Weak, source address visible | Strong, sender can be anonymous |
| Routing | Static, centrally coordinated | Self-discovering, multi-hop, dynamic |
| Medium | IP only (Ethernet/Wi-Fi) | Any channel: LoRa, serial, radio, etc. |
| Control/Censorship Resistance | Vulnerable to central shutoff | Highly resilient, no global “off switch” |
| Setup/Admin | Requires admin, often complex | Userland, minimal, DIY-friendly |
It's also low-bandwidth, designed to work on any half-duplex channel that offers a minimum of 5 bits per second and an MTU of 500 bytes. That adds radios and a whole scope of low-power IoT devices into the mix for the mesh, making it great for off-grid messaging, remote sensors, disaster response, or anyone who could benefit from a decentralized, encrypted network.
It's built to be secure with initiator anonymity
Because cryptographic keys identify nodes on the network, nothing else about the device being used, the person using it, or anything else that might identify it is passed across the network. All communications are secured by ECDH X25519 key exchange, with AES-128/256 encryption. By default and by design, the network reveals nothing about the identity of a message's sender, and it does so without the overhead and cruft of IP networking.
Reticulum is pretty neat on its own
Reticulum doesn't need much to get going, with a simple pip package manager command to install:
pip install rns
or pipx as it was on my Ubuntu install.
That's all it takes to get Reticulum running on your device, but then what programs can you use with it? Well, there's Nomad Network which is a spy thriller-esque encrypted communications suite that has synchronous, asynchronous, and file-sharing capabilities. Or the GUI-based Reticulum MeshChat app that works on macOS and Windows.
That's only the surface of what you can do, and remember, these apps don't need any connections to the public internet to work. They don't even need Ethernet, or IP networks, or any existing network functionality at all.
But there's more utility to be found
Reticulum with a P2P VPN over the top makes it work with existing software
Now that we've got a completely new software-defined networking stack, we can do all kinds of things with it. The rns-vpn project builds a P2P VPN over the Reticulum mesh network, which had me scratching my head for a minute because it adds encryption again on top of an already encrypted network, until I realized why.
The extra encryption is there to preserve the privacy-by-design of Reticulum while adding a static IP address to each node in the mesh. This keeps you private, but lets users run existing IP-based tools, as you can reach each peer with its assigned IP address.
The configuration file for this is basically a list that pairs each assigned VPN IP address with the cryptographic LXMF address that Reticulum uses:
vpn_ip = "10.0.0.1/24"
[peers]
"10.0.0.2" = "xxx"
An LXMF address looks like 4faf1b2e0a077e6a9d92fa051f256038, and would go where the xxx is in the config file. The neat thing is that because it's a hash, you can have multiple devices on the network with the same app or device name, because the destination hash will still be unique.
This is similar to ZeroTier in many ways
Using a VPN over Reticulum is similar to how ZeroTier works over an IP-based internet stack, in that you can transparently route traffic over the mesh to individual clients, without needing to add your own networking code to your applications. It's a little different in that the VPN over Reticulum lets you add a static IP address to the cryptographic identifier for each node, so you can use IP-based apps over the Reticulum network without having to reverse engineer anything. That's pretty smart, reducing the barrier to entry for this potentially life-saving networking stack that's perfect for disaster rescue and recovery missions and more.
Make your own mesh network with encryption and resilient networking
Reticulum isn't the only alternative network stack out there, but it has some real promise in the sheer number of devices that can run it. Think mesh networks for remote villages or those underserved communities where robust internet infrastructure has yet to arrive. It enables free, encrypted messaging over radio communications, or almost anything else that can carry a signal, and connects each device into a unified mesh network for the community.
