Martti Malmi, the Bitcoin developer who received the first transaction from Satoshi Nakamoto and spent years maintaining bitcoin.org, shipped Nostr VPN v4.0.42 this morning at 10:28 UTC across five platforms: Android, Linux, macOS (two architectures), and Windows. The 38 MB Android APK, the 1.98 MB Linux package, the 26.5 MB macOS bundle and the 59.1 MB Windows installer are all live on GitHub, all timestamped 2026-05-26. This is not a research prototype or a beta. This is production software, iterated through 11 releases in the first week of May alone.
The architecture is radically simple: peers connect directly to each other using WireGuard (the kernel-space VPN protocol that replaced OpenVPN as the gold standard for speed and auditability). To find each other and negotiate the connection, they broadcast their public keys across Nostr relays, decentralized social media servers that relay unsigned messages by default. When a direct peer-to-peer connection fails (because of NAT, a firewall, or ISP blocking), the system falls back to multihop routing through the FIPS protocol, bouncing encrypted traffic through other peers rather than a central server. Identity is the Nostr public key itself. No email. No password. No account. No corporate database to subpoena, no service term you can violate, no payment method that marks you in a transaction log.
Compare this to Tailscale, the market leader in mesh VPN for developers and teams. Tailscale requires an email address or SSO identity. It runs a central coordination server (open-source, auditable, but still yours to trust) that assigns device keys and maps the mesh topology. Users pay Tailscale (or integrate Tailscale's infrastructure), and Tailscale can revoke access, change pricing, and comply with law enforcement. Tailscale is exceptional at what it does, and it won millions of developers precisely because it made mesh VPN easy when the alternatives were impossibly hard. But it is still a company selling a service with control points. Malmi's bet is that enough people prefer a mesh with zero control points, zero accounts and zero payment for it to matter.
The real test of that bet lies in three places. First: relay operator behavior. Nostr relays are supposed to be permissionless and neutral, forwarding any message from any key. If a relay becomes a chokepoint (if it starts filtering discovery messages, throttling certain keys, or coordinating with payment processors to block access), the VPN becomes useless. The protocol survives if operators remain indifferent. Second: NAT traversal. The fact that Malmi shipped Windows and Android and macOS support in one week suggests he has solved the hard part: punching holes through firewalls without a centralized STUN server. If that solution holds under load, peer-to-peer connection becomes reliable enough for casual users, not just engineers. Third: user growth. Tailscale won by being easier than WireGuard for the average developer. Nostr VPN won by being zero-trust. But easier and zero-trust are not the same thing. The multiplatform UI shipped today will determine whether casual users can actually pair devices without a terminal and a public-key ceremony.
Tailscale, NordVPN, ProtonVPN, Mullvad: none of them can prevent this architecture from existing. What they can do is wait to see whether it scales. If it does, they lose the ability to enforce terms of service or block users by credential revocation. If it does not, they keep their moat. Either way, the fact that Malmi, a developer old enough to remember Bitcoin's first transaction, credible enough to maintain bitcoin.org, and skilled enough to write and ship five production-grade builds in seven days, chose to build this instead of anything else suggests the moat is thinner than the market currently prices it.
