ZTM: Zero Trust Mesh Networking Without the VPN Overhead

By Prahlad Menon 2 min read

VPNs are infrastructure from a different era — centralized, brittle, and designed for perimeter security. Zero Trust says the perimeter is dead. But most “zero trust” solutions still require you to trust someone: Tailscale’s coordination servers, Cloudflare’s network, your employer’s identity provider.

ZTM (Zero Trust Mesh) is an open-source alternative that’s truly decentralized. Your hub, your certificates, your mesh.

What ZTM Does

ZTM creates encrypted peer-to-peer mesh networks over HTTP/2 tunnels. Unlike traditional VPNs:

  • No central coordination — you run your own hub
  • Certificate-based auth — no passwords, no OAuth providers
  • HTTP/2 tunnels — traverses NAT and firewalls naturally
  • Built on Pipy — a C++ programmable proxy engine (performance-first)

The architecture is simple: one Hub in a reachable location (cloud VM, office server), and Agents on every device you want in the mesh.

                    Hub (cloud)
                   /    |    \
                  /     |     \
           Agent A   Agent B   Agent C
           (home)   (office)   (phone)

Why HTTP/2?

Most mesh networking tools use WireGuard or custom UDP protocols. ZTM uses HTTP/2 for a reason: it works everywhere. Corporate proxies, restrictive hotel WiFi, that one network that blocks everything except ports 80 and 443 — HTTP/2 tunnels through all of it.

The tradeoff is slightly higher overhead than raw WireGuard. The benefit is zero firewall configuration on endpoints.

Built-in Apps

ZTM comes with practical tooling out of the box:

AppWhat it does
TunnelTCP/UDP tunnels between endpoints
ProxySOCKS/HTTP forward proxy (exit via any endpoint)
TerminalRemote shell access
ScriptExecute PipyJS remotely

Third-party apps can be added — ZTM is really a platform for building decentralized applications, not just a networking tool.

Quick Start

1. Start a Hub (on your cloud VM with public IP):

ztm start hub --listen 0.0.0.0:8888 --names 1.2.3.4:8888 --permit root.json

This generates root.json — your mesh’s trust anchor.

2. Join from any device:

ztm start agent
ztm join my-mesh --as laptop --permit root.json

3. Check the mesh:

ztm get ep  # List endpoints
ztm get mesh  # Mesh status

There’s also a browser GUI at http://localhost:7777 after starting the agent.

Cross-Platform Reality

ZTM runs on everything:

  • macOS, Windows, Linux (x86, ARM)
  • Android, iOS
  • FreeBSD
  • Even RISC-V and LoongArch

This matters for homelabs where you might have a mix of Raspberry Pis, old laptops, cloud VMs, and mobile devices.

The Karpathy Wiki Connection

What does mesh networking have to do with AI agents?

Karpathy’s LLM Wiki pattern describes persistent, compounding knowledge bases maintained by LLMs. The key insight: have the LLM do the tedious maintenance that humans abandon.

ZTM applies similar thinking to infrastructure. Traditional VPNs require constant human maintenance — certificate rotation, firewall rules, client configs. ZTM’s certificate-based model, once configured, is self-maintaining. Add a new device? Issue a permit, join the mesh. No config file surgery.

Both patterns recognize that humans abandon systems when maintenance burden exceeds value. Both solve it by front-loading setup and eliminating ongoing toil.

When to Use ZTM vs Tailscale

Choose ZTM when:

  • You want full control (self-hosted hub)
  • You need to build custom P2P apps (PipyJS extensibility)
  • You’re in environments that block non-HTTP traffic
  • You want zero external dependencies

Choose Tailscale when:

  • You want zero infrastructure setup
  • You need corporate SSO integration
  • You prefer managed coordination servers

Frequently Asked Questions

What is ZTM (Zero Trust Mesh)?

ZTM is an open-source decentralized networking platform that creates encrypted peer-to-peer mesh networks using HTTP/2 tunnels. It enables secure connectivity between devices across different networks without relying on centralized VPN infrastructure.

How does ZTM differ from Tailscale or WireGuard?

Unlike Tailscale, ZTM is fully self-hosted — you run your own hub with no external coordination servers. Unlike WireGuard, ZTM uses HTTP/2 tunnels instead of UDP, which means it works through corporate proxies and restrictive firewalls that only allow web traffic.

What platforms does ZTM support?

ZTM runs on macOS, Windows, Linux (x86, ARM, MIPS, RISC-V, LoongArch), FreeBSD, Android, and iOS. It also includes a browser-based GUI accessible at localhost:7777.

How does ZTM handle authentication?

ZTM uses certificate-based authentication. When you start a hub, it generates a permit file (root.json) that acts as your mesh’s trust anchor. Devices join the mesh using this permit — no passwords or OAuth providers required.

What can I do with a ZTM mesh network?

ZTM includes built-in apps for TCP/UDP tunneling, SOCKS/HTTP proxy, remote terminal access, and remote script execution via PipyJS. You can also build custom decentralized applications on top of the mesh.

Is ZTM production-ready?

ZTM has 6,000+ GitHub stars and active development. It’s suitable for personal networks, homelabs, and enterprise use cases. The project includes comprehensive documentation and a wiki.

What is Pipy and why does it matter?

Pipy is a C++ programmable proxy engine that powers ZTM. It provides high performance (C++ speed) with scripting flexibility (PipyJS), allowing custom security policies and network behaviors.


Resources:

ZTM is mature (6k+ stars) but under active development. If you’ve been looking for a self-hosted Tailscale alternative with real programmability, this is worth a look.