ZTM: Zero Trust Mesh Networking Without the VPN Overhead
VPNs are infrastructure from a different era — centralized, brittle, and designed for perimeter security. Zero Trust says the perimeter is dead. But most “zero trust” solutions still require you to trust someone: Tailscale’s coordination servers, Cloudflare’s network, your employer’s identity provider.
ZTM (Zero Trust Mesh) is an open-source alternative that’s truly decentralized. Your hub, your certificates, your mesh.
What ZTM Does
ZTM creates encrypted peer-to-peer mesh networks over HTTP/2 tunnels. Unlike traditional VPNs:
- No central coordination — you run your own hub
- Certificate-based auth — no passwords, no OAuth providers
- HTTP/2 tunnels — traverses NAT and firewalls naturally
- Built on Pipy — a C++ programmable proxy engine (performance-first)
The architecture is simple: one Hub in a reachable location (cloud VM, office server), and Agents on every device you want in the mesh.
Hub (cloud)
/ | \
/ | \
Agent A Agent B Agent C
(home) (office) (phone)
Why HTTP/2?
Most mesh networking tools use WireGuard or custom UDP protocols. ZTM uses HTTP/2 for a reason: it works everywhere. Corporate proxies, restrictive hotel WiFi, that one network that blocks everything except ports 80 and 443 — HTTP/2 tunnels through all of it.
The tradeoff is slightly higher overhead than raw WireGuard. The benefit is zero firewall configuration on endpoints.
Built-in Apps
ZTM comes with practical tooling out of the box:
| App | What it does |
|---|---|
| Tunnel | TCP/UDP tunnels between endpoints |
| Proxy | SOCKS/HTTP forward proxy (exit via any endpoint) |
| Terminal | Remote shell access |
| Script | Execute PipyJS remotely |
Third-party apps can be added — ZTM is really a platform for building decentralized applications, not just a networking tool.
Quick Start
1. Start a Hub (on your cloud VM with public IP):
ztm start hub --listen 0.0.0.0:8888 --names 1.2.3.4:8888 --permit root.json
This generates root.json — your mesh’s trust anchor.
2. Join from any device:
ztm start agent
ztm join my-mesh --as laptop --permit root.json
3. Check the mesh:
ztm get ep # List endpoints
ztm get mesh # Mesh status
There’s also a browser GUI at http://localhost:7777 after starting the agent.
Cross-Platform Reality
ZTM runs on everything:
- macOS, Windows, Linux (x86, ARM)
- Android, iOS
- FreeBSD
- Even RISC-V and LoongArch
This matters for homelabs where you might have a mix of Raspberry Pis, old laptops, cloud VMs, and mobile devices.
The Karpathy Wiki Connection
What does mesh networking have to do with AI agents?
Karpathy’s LLM Wiki pattern describes persistent, compounding knowledge bases maintained by LLMs. The key insight: have the LLM do the tedious maintenance that humans abandon.
ZTM applies similar thinking to infrastructure. Traditional VPNs require constant human maintenance — certificate rotation, firewall rules, client configs. ZTM’s certificate-based model, once configured, is self-maintaining. Add a new device? Issue a permit, join the mesh. No config file surgery.
Both patterns recognize that humans abandon systems when maintenance burden exceeds value. Both solve it by front-loading setup and eliminating ongoing toil.
When to Use ZTM vs Tailscale
Choose ZTM when:
- You want full control (self-hosted hub)
- You need to build custom P2P apps (PipyJS extensibility)
- You’re in environments that block non-HTTP traffic
- You want zero external dependencies
Choose Tailscale when:
- You want zero infrastructure setup
- You need corporate SSO integration
- You prefer managed coordination servers
Frequently Asked Questions
What is ZTM (Zero Trust Mesh)?
ZTM is an open-source decentralized networking platform that creates encrypted peer-to-peer mesh networks using HTTP/2 tunnels. It enables secure connectivity between devices across different networks without relying on centralized VPN infrastructure.
How does ZTM differ from Tailscale or WireGuard?
Unlike Tailscale, ZTM is fully self-hosted — you run your own hub with no external coordination servers. Unlike WireGuard, ZTM uses HTTP/2 tunnels instead of UDP, which means it works through corporate proxies and restrictive firewalls that only allow web traffic.
What platforms does ZTM support?
ZTM runs on macOS, Windows, Linux (x86, ARM, MIPS, RISC-V, LoongArch), FreeBSD, Android, and iOS. It also includes a browser-based GUI accessible at localhost:7777.
How does ZTM handle authentication?
ZTM uses certificate-based authentication. When you start a hub, it generates a permit file (root.json) that acts as your mesh’s trust anchor. Devices join the mesh using this permit — no passwords or OAuth providers required.
What can I do with a ZTM mesh network?
ZTM includes built-in apps for TCP/UDP tunneling, SOCKS/HTTP proxy, remote terminal access, and remote script execution via PipyJS. You can also build custom decentralized applications on top of the mesh.
Is ZTM production-ready?
ZTM has 6,000+ GitHub stars and active development. It’s suitable for personal networks, homelabs, and enterprise use cases. The project includes comprehensive documentation and a wiki.
What is Pipy and why does it matter?
Pipy is a C++ programmable proxy engine that powers ZTM. It provides high performance (C++ speed) with scripting flexibility (PipyJS), allowing custom security policies and network behaviors.
Resources:
ZTM is mature (6k+ stars) but under active development. If you’ve been looking for a self-hosted Tailscale alternative with real programmability, this is worth a look.