Jumping VPN: session-centric architecture – multipath and failover demos (opens in new tab)

Hi HN,

I'm experimenting with a session-centric networking model for VPNs.

Traditional VPNs bind connection identity to a tunnel. If the transport path fails, the connection usually resets.

In this prototype the session identity becomes the stable anchor, while transports and relay paths can change underneath.

Quick demo scenario:

SESSION CREATED client → relay1 → server

possible DDoS / path degradation detected

RELAY SWITCH

client → relay2 → server

SESSION SURVIVES

Screenshot of the demo: https://limewire.com/d/78j1c#8iNiseGB4j

I also built a small OpenVPN compatibility gateway prototype that accepts UDP traffic and maps incoming packets to a session.

Repo: https://github.com/Endless33/jumping-vpn-preview

Curious what networking / Go / distributed systems people think about a session-centric model vs tunnel-centric VPNs.

Hi HN,

Building a VPN where session is the stable anchor, transport is volatile/replaceable.

Pushed new 60-second demos: - Multipath failover (one path dies → seamless switch) - Path kill & recover - Distributed ownership takeover - NAT rebinding test

Also: basic UDP echo server runs in Termux on Android phone.

Repo: https://github.com/Endless33/jumping-vpn-preview

Short video (UDP test): https://vm.tiktok.com/ZNRuY8uug/

Looking for feedback on: - session vs tunnel-centric approach - invariants / state machine - next: QUIC + real multipath

What do networking / Go people think?

Small clarification about the demos.

The goal of the prototype is not to build “another VPN”, but to experiment with a different connection model where the session identity is the stable anchor and transports are replaceable.

In the demos the session survives events like:

• transport failure • relay change • path replacement • NAT rebinding

The runtime treats these events as state transitions rather than connection resets.

Current prototype includes:

• session runtime with deterministic state machine • transport abstraction layer • relay forwarding experiments • trace-based invariant verification

Right now everything is still very experimental.

The main question I'm exploring is whether a session-centric model could simplify recovery logic under network volatility compared to tunnel-centric designs.

If anyone here works on networking protocols or distributed systems, I would be very interested in feedback on the architecture.

In particular:

• session identity design • relay coordination • migration safety • possible attack surfaces

This started as a personal research experiment and I'm curious how people from the networking community view the idea.

This started as a small experiment while exploring how session identity could be separated from transport stability.

The current repo is just a research prototype, but the goal is to explore things like: - transport migration - relay switching - session continuity under network volatility

Happy to hear criticism or ideas from people who have worked on VPN protocols or transport layers.

One question I'm exploring:

If session identity becomes the primary anchor of the connection, should transports even be visible to the protocol layer?

Or should transports simply become replaceable attachments that the runtime can swap without affecting the session state?

Curious how people working on QUIC / VPN protocols think about that.

Another small detail: the prototype emits structured trace logs for every session event.

This makes it possible to verify protocol invariants and replay execution traces to debug recovery behavior.