Karadul — Self-hosted, zero-dependency mesh VPN system written in Go.
🧪 Latest: v0.2.0-beta.1 — 48 security fixes, IPv6 STUN, firewall rules, store GC, 78% test coverage. Release notes →
Karadul is a WireGuard-compatible, self-hosted mesh VPN system that enables secure peer-to-peer connectivity across NAT boundaries. It combines a coordination server, encrypted tunnels, NAT traversal, and relay infrastructure into a single Go binary with zero external dependencies.
Think of it as: Tailscale + Headscale in one binary, built from scratch.
| Principle | Description |
|---|---|
| Zero External Dependencies | Only Go stdlib + extended stdlib. All other components hand-written. |
| Single Binary | One binary serves all roles: node, coordination server, DERP relay. |
| Self-Hosted First | No SaaS dependency. You own the coordination server, DERP relays, all keys. |
| WireGuard-Compatible Protocol | Uses Noise IK handshake, X25519, ChaCha20-Poly1305, BLAKE2s. |
brew tap karadul/karadul
brew install karadul# Download latest release
curl -LO https://github.com/karadul/karadul/releases/latest/download/karadul-linux-amd64
chmod +x karadul-linux-amd64
sudo mv karadul-linux-amd64 /usr/local/bin/karadul# PowerShell - Download and install
Invoke-WebRequest -Uri "https://github.com/karadul/karadul/releases/latest/download/karadul-windows-amd64.exe" -OutFile "karadul.exe"
# Move to PATH (e.g., C:\Windows\System32 or create C:\Tools and add to PATH)docker run -d --name karadul \
--cap-add NET_ADMIN \
--cap-add NET_RAW \
-p 8080:8080 \
-p 3478:3478/udp \
ghcr.io/karadul/karadul:latest \
server --addr=:8080go install github.com/karadul/karadul/cmd/karadul@latest
# or
git clone https://github.com/karadul/karadul.git
cd karadul
go build -o karadul ./cmd/karadul# Start as coordination server
karadul server --addr=:8080
# Create an auth key
karadul auth create-key
# On another node, join the mesh
karadul up --server=https://your-server:8080 --auth-key=<key>
# Check status
karadul status| Feature | Karadul | Tailscale | Headscale | NetMaker | ZeroTier |
|---|---|---|---|---|---|
| Architecture | Single binary, all-in-one | Client + SaaS control plane | Self-hosted control plane (separate) | Self-hosted server + agents | Centralized controller |
| Self-Hosted | ✅ Native | ❌ SaaS only | ✅ Yes | ✅ Yes | |
| Zero Dependencies | ✅ Go stdlib only | ❌ Various deps | ❌ PostgreSQL, etc. | ❌ MongoDB, CoreDNS | ❌ Custom protocol |
| Single Binary | ✅ Yes | ❌ Client + daemon | ❌ Server + DB | ❌ Server + DB + UI | ❌ Client + controller |
| Built-in DERP Relay | ✅ Yes | ✅ Yes | ❌ Separate | ✅ Yes | |
| WireGuard Protocol | ✅ Compatible | ✅ Yes | ✅ Yes | ❌ Custom | |
| MagicDNS | ✅ Built-in | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| ACL Support | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| NAT Traversal | ✅ STUN + Hole Punching | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Exit Nodes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Platforms | Linux, macOS, Windows, BSD | All platforms | All platforms | Linux, macOS, Windows, BSD | All platforms |
| Mobile Support | 🚧 Planned | ✅ iOS/Android | ✅ Via Tailscale client | ✅ iOS/Android | ✅ All platforms |
| Open Source | ✅ MIT | ❌ Client only | ✅ BSD-3 | ✅ Apache 2.0 | ❌ BUSL/SSPL |
| Complexity | Low (one binary) | Low (managed) | Medium (setup required) | Medium (setup required) | Low (managed) |
Choose Karadul if you want:
- A truly single-binary solution with no database dependencies
- Zero external dependencies (no PostgreSQL, MongoDB, etc.)
- Full self-hosting without relying on any SaaS
- To understand and audit the entire codebase (pure Go, hand-written components)
- A lightweight alternative that just works with minimal configuration
Choose Tailscale if you want:
- A managed SaaS with zero operational overhead
- Proprietary features like Mullvad VPN integration
- Large-scale enterprise support
Choose Headscale if you want:
- Self-hosted Tailscale-compatible control plane
- Already familiar with Tailscale ecosystem
- Don't mind running PostgreSQL + separate services
Choose NetMaker if you want:
- Self-hosted WireGuard management with UI
- Enterprise-grade network management features
- Don't mind MongoDB/CoreDNS dependencies
Choose ZeroTier if you want:
- A managed solution with custom protocol (not WireGuard)
- Easy setup via web interface
- Don't need self-hosting capability
Karadul includes a built-in web interface for monitoring and managing your mesh network.
- Dashboard — System metrics, traffic stats, and network overview
- Topology — Interactive mesh network graph (React Flow)
- Nodes — Node list, search, details panel, and management
- Peers — Peer connections, filtering, and status
- Settings — Auth keys, ACL rules, and general configuration
- Real-time — WebSocket updates for live data
- Dark/Light mode — Theme toggle
# Start the server with web UI enabled
karadul server --addr=:8080 --web-addr=:8081
# Or build from source with web UI
make build-with-webThe web UI runs on port 8081 by default and proxies API requests to the coordinator on port 8080.
cd web
npm install
npm run dev # Development server at http://localhost:5173
npm run test # Run tests (416 tests, 96%+ coverage)
npm run build # Production build┌─────────────────────────────────────────────────────────────┐
│ karadul binary │
│ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌──────────────┐ │
│ │ CLI │ │ Node │ │ Coord │ │ DERP Relay │ │
│ │ Engine │ │ Engine │ │ Server │ │ Server │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ └──────┬───────┘ │
│ └─────────────┴─────────────┴─────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Web UI (React + TypeScript) │ │
│ │ Dashboard │ Topology │ Nodes │ Peers │ Settings │ │
│ └──────────────────────────┬───────────────────────────┘ │
│ │ │
│ Core Libraries │
│ ┌─────────┐ ┌─────────┐ ┌──────┐ ┌─────────┐ ┌─────────┐ │
│ │ crypto │ │ tunnel │ │ nat │ │ mesh │ │ dns │ │
│ │ (noise) │ │ (tun) │ │(stun)│ │(peers) │ │(magic) │ │
│ └─────────┘ └─────────┘ └──────┘ └─────────┘ └─────────┘ │
└─────────────────────────────────────────────────────────────┘
# Node commands
karadul up # Start as mesh node
karadul down # Stop the node
karadul status # Show node status
karadul peers # List connected peers
karadul ping <peer> # Ping a specific peer
# Server commands
karadul server # Start coordination server
karadul server --with-relay # Coordination + DERP relay
karadul relay # Start DERP relay only
# Admin commands
karadul keygen # Generate node keypair
karadul auth-keys create # Create authentication key
karadul exit-node enable # Enable as exit node
karadul exit-node use <peer> # Route traffic through peer
# Windows-specific (beta)
karadul wintun-check # Check Wintun driver installation
karadul firewall setup # Add Windows Firewall rules
karadul firewall check # Check firewall configuration- Noise Protocol Framework — Modern, formally-verified cryptographic handshake (Noise IK)
- X25519 — Elliptic Curve Diffie-Hellman key exchange
- ChaCha20-Poly1305 — Authenticated encryption (AEAD) for all data packets
- BLAKE2s — Fast cryptographic hashing and HMAC
- Constant-time comparisons —
crypto/subtleused for all secret comparisons (signatures, admin tokens) - Per-node shared secrets — HKDF-derived signing keys, never raw public keys
- Atomic store persistence — Write lock held through mutation + disk write
- Body size limits — All HTTP endpoints enforce
io.LimitReader - Input validation — Public keys (base64 32-byte), hostnames, node IDs all validated
- No hardcoded keys — All keys generated at runtime via
crypto/rand - Self-hosted — You control all infrastructure and keys
| Metric | Value |
|---|---|
| Build | Clean (go build, go vet pass) |
| Tests | 14/14 packages passing, zero race conditions |
| Coverage | ~78% weighted average across packages |
| Source lines | ~14,800 LOC |
| Test lines | ~13,500 LOC |
| Dependencies | 3 (golang.org/x/crypto, golang.org/x/sys, gorilla/websocket) |
| Issues fixed | 48 total (3 critical, 10 high, 28 medium, 7 low) |
| TODO/FIXME/HACK | 0 |
| Production Score | 9.45/10 |
For the full production readiness report, see PRODUCTION_READINESS.md.
- PRODUCTION_READINESS.md — Production readiness audit, features, gaps, recommendations
- SPECIFICATION.md — Detailed technical specification
- Windows Beta Guide — Windows installation and usage
- Beta Release Checklist — Post-release tasks
- Roadmap — Future plans and milestones
- Contributing — How to contribute
If you find Karadul useful, please consider:
MIT License — See LICENSE for details.
"Ağ ören, mesh kuran, dokunduğu her noktayı birbirine bağlayan sistem"