Dumb Pipe

Relationship to existing tools (Tailscale, WireGuard, etc.)

  • Many compare Dumb Pipe to Tailscale, ZeroTier, Hamachi, WireGuard, and VPN/overlay tools.
  • Consensus: overlap in “connect anything anywhere” and NAT traversal, but different layers and UX:
    • Tailscale/ZeroTier/etc. = long‑lived mesh/overlay networks, identity, key management, DNS, SSO, RBAC.
    • Dumb Pipe = ad‑hoc, one‑shot or simple tunnels/streams; more like a powerful nc/socat demo.
  • Some note that Tailscale is itself a polished wrapper around WireGuard plus heavy coordination features; Dumb Pipe is closer to “just give me a secure pipe.”

Iroh, QUIC, and technical design

  • Dumb Pipe is built on iroh: a p2p QUIC framework with node IDs (Ed25519 keys), hole‑punching, reconnection, and multiplexed streams.
  • QUIC vs WireGuard:
    • QUIC is a transport (like TCP) with streams, head‑of‑line (HoL) blocking mitigation, datagrams, and language‑agnostic user‑space implementations.
    • WireGuard is a virtual NIC/tunnel abstraction; great for VPNs but heavier if you just want a single secure stream.
  • Iroh supports both reliable streams and unreliable QUIC datagrams, which some see as suitable for games and real‑time apps.

Relays, NAT traversal, and discovery

  • Default behavior: peer‑to‑peer when possible; relays used for initial negotiation and as fallback when hole punching fails.
  • Traffic is always end‑to‑end encrypted, even via relays.
  • Tickets encode IP/ports and relay info; discovery can use DNS or a DHT-based system (pkarr).
  • Some argue discovery is “the whole ball game” and remain skeptical of any hand‑waving around it, even with decentralized options.

Security model

  • A connection is identified by a 32‑byte public key embedded in a ticket. Anyone with the ticket can connect, so the ticket works as a bearer credential.
  • Transport security is TLS 1.3 over QUIC with raw public keys; brute‑forcing tickets is considered infeasible.
  • Long‑running listeners may eventually need access control (PRs exist, but not all are merged yet).
  • Some initial concern that “dumb” in the name implies insecurity; others counter that simple, well‑scoped primitives are exactly how to build secure systems.

Use cases, UX, and limitations

  • Common uses discussed: quick file or port forwarding, exposing local dev servers, ad‑hoc tunnels, game networking.
  • It currently targets Linux/macOS; lack of turnkey Windows support is seen as a blocker for some (e.g., games).
  • Marketing/branding and the playful “dumb pipe” character are widely praised as unusually good for a CLI tool.
  • The curl | sh installer and the reliance on project‑run relays raise mild trust and operational concerns.

Alternatives and prior art

  • Many similar tools are mentioned: SSH + socat, netcat, magic-wormhole, pwnat/slipstream, VPNs, other tunneling/relay services, and a long history of Hamachi/Skype/FireWire/ethernet cross‑cables.
  • General sentiment: the problem is old and “solved” many times, but having a modern, QUIC‑based, easy CLI “dumb pipe” is still genuinely useful.