Brussels / 31 January & 1 February 2026


STUNMESH-go: Building P2P WireGuard Mesh Without Self-Hosted Infrastructure


Building site-to-site VPNs over LTE/5G or behind NAT and stateful firewalls has always been painful. You either need a central relay server with a public IP, or spend hours configuring port forwarding and STUN. STUNMESH-go takes a different approach. It helps WireGuard peers find each other and establish direct P2P connections without running your own infrastructure.

The key idea is simple. Reuse existing public services instead of running your own. STUNMESH-go uses STUN servers to discover NAT endpoints, encrypts peer information with Curve25519, and stores it using flexible plugins, whether that's Cloudflare DNS, a shell script, or any custom key-value storage backend. Peers fetch each other's information and WireGuard handles the rest.
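The STUN discovery step described above, as an added example that is not taken from the STUNMESH-go code base: it decodes the XOR-MAPPED-ADDRESS attribute of an RFC 5389 Binding Success Response to recover the public endpoint a NAT assigned. The names `ParseXorMappedAddress` and `SampleResponse` and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

var be = binary.BigEndian

// ParseXorMappedAddress returns the NAT-mapped endpoint (IPv4 or IPv6) from a STUN reply.
func ParseXorMappedAddress(msg []byte) (netip.AddrPort, error) {
	// Header: type 0x0101, body length, magic cookie, 12-byte transaction ID.
	if len(msg) < 20 || be.Uint16(msg) != 0x0101 || be.Uint32(msg[4:]) != 0x2112A442 ||
		20+int(be.Uint16(msg[2:])) > len(msg) {
		return netip.AddrPort{}, errors.New("not a valid binding success response")
	}
	for attrs := msg[20 : 20+int(be.Uint16(msg[2:]))]; len(attrs) >= 4; {
		typ, l := be.Uint16(attrs), int(be.Uint16(attrs[2:]))
		end := 4 + (l+3)&^3 // attribute values are padded to 4 bytes
		if end > len(attrs) {
			return netip.AddrPort{}, errors.New("truncated attribute")
		}
		val := attrs[4 : 4+l]
		attrs = attrs[end:]
		if typ != 0x0020 {
			continue // skip everything except XOR-MAPPED-ADDRESS
		}
		if !(l == 8 && val[1] == 1) && !(l == 20 && val[1] == 2) {
			return netip.AddrPort{}, errors.New("bad XOR-MAPPED-ADDRESS")
		}
		port := be.Uint16(val[2:]) ^ 0x2112 // XOR with the top half of the cookie
		ip := make([]byte, l-4)
		for i := range ip {
			ip[i] = val[4+i] ^ msg[4+i] // key: cookie, then transaction ID
		}
		addr, _ := netip.AddrFromSlice(ip)
		return netip.AddrPortFrom(addr, port), nil
	}
	return netip.AddrPort{}, errors.New("no XOR-MAPPED-ADDRESS attribute")
}

// SampleResponse is a constructed reply that maps to 203.0.113.7:51820.
func SampleResponse() []byte {
	m := append([]byte{1, 1, 0, 12, 0x21, 0x12, 0xa4, 0x42}, "constructed!"...)
	return append(m, 0, 0x20, 0, 8, 0, 1, 0xeb, 0x7e, 0xea, 0x12, 0xd5, 0x45)
}

func main() { fmt.Println(ParseXorMappedAddress(SampleResponse())) }
```

A plain STUN reply is unauthenticated, so the decoded endpoint is a hint about reachability and not proof of a peer's identity; the WireGuard handshake is what authenticates the peer.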

This session will cover:

- Cross-platform packet capture (Linux raw sockets vs BSD BPF)
- The plugin system and bringing your own storage without running servers
- Compatibility with WireGuard kernel module (no wireguard-go embedding needed)
- Minimizing binary size for embedded systems
- Real deployments (SD-WAN over LTE and site-to-site VPN mesh)
- Dealing with stateful firewalls and carrier-grade NAT

This talk shares experience from building P2P networking that works across Linux, FreeBSD, macOS, and embedded routers like VyOS, EdgeOS, and OpenWrt.

GitHub: https://github.com/tjjh89017/stunmesh-go/

Speakers

Date (Yu-Chiang) Huang
