In 2009, a Finnish teenager called Martti Malmi answered a forum post from a pseudonymous cryptographer and helped build the infrastructure that would become Bitcoin. He coded bitcoin.org, set up the first forums, facilitated the first exchange. Satoshi trusted him with the keys to the kingdom — literally.
Sixteen years later, Malmi has done it again. Not with money this time, but with the network itself.
Nostr VPN v4.0.37, released yesterday, is a decentralised mesh VPN that uses Nostr keypairs for identity and something called FIPS (Free Internetworking Peering System) for the data plane. No registration. No email. No third-party authentication server. Your identity is a cryptographic keypair you generate yourself, and that’s it. You exist because math says you do.
If that sounds familiar, it should. It’s the same design principle that made Bitcoin work.
The Cypherpunk Thread That Never Broke
In 1991, Phil Zimmermann released PGP — Pretty Good Privacy — and the US government tried to prosecute him for it. Exporting strong encryption was classified as exporting munitions. A piece of software that let ordinary people send private messages was, in the eyes of the state, a weapon.
Zimmermann won. The case was dropped. But the lesson was seared into a generation of programmers: privacy doesn’t get given to you. You have to build it, ship it, and dare them to stop you.
Satoshi understood this. Bitcoin wasn’t a request for permission to transact freely — it was a fait accompli. No CEO. No server to subpoena. No throat to choke. Malmi, as Satoshi’s first real collaborator, absorbed that philosophy at the source.
Nostr VPN is the same playbook applied to networking. And it matters more than most people realise.
What’s Actually Under the Hood
The architecture is elegant in that specific way that only Rust-based, no-bullshit projects manage:
- Identity = Nostr keypair. No accounts, no OAuth, no “Sign in with Google.” You are your key. The same sovereign identity model that underpins Nostr — the decentralised social protocol — now handles your network routing.
- Dual encryption. Hop-by-hop encryption between peers, plus end-to-end encryption between endpoints with forward secrecy. Compromise one node and you get nothing useful.
- NAT holepunching with fallback. When direct connections fail (and behind carrier-grade NAT, they often do), traffic routes through other FIPS nodes via Nostr-based multihop. No central relay required.
- Multi-transport. UDP, TCP, Ethernet, Tor, and Bluetooth — simultaneously. The mesh finds whatever path works.
- Cross-platform. macOS, Linux, Windows, Android. All Rust.
Read that list again. This isn’t a VPN in any traditional sense. There’s no VPN provider. There’s no subscription. There’s no server farm in Switzerland that pinky-promises not to log your traffic. It’s a mesh network where the participants are the infrastructure.
The Tailscale Problem
I like Tailscale. I use it. It solved a real problem — making WireGuard accessible to people who don’t want to manage key distribution manually. But here’s the thing: Tailscale has a coordination server. It’s centralised. Your device identities live on their infrastructure. Your network topology is known to them.
They’re good people. I trust them today. But “trust us” is exactly the architecture that cypherpunks spent forty years trying to eliminate. The whole point — the entire point — of cryptographic identity is that you shouldn’t have to trust anyone. The math is the trust.
Nostr VPN doesn’t ask you to trust Martti Malmi. It doesn’t ask you to trust anyone. Your keypair is generated locally. Your routing is peer-to-peer. If Malmi disappeared tomorrow, the network would keep running because there’s nothing central to disappear.
Sound like anything else? A certain whitepaper from 2008, perhaps?
Identity as Keypair, Not Account
This is the philosophical core that most coverage will miss. We’ve been trained to think of identity as something granted by a provider. You are your Google account. You are your Apple ID. You are your Microsoft 365 tenant. Every service you touch requires you to prove yourself to a centralised authority that can, at any moment, revoke your existence.
The cypherpunk alternative — the one Zimmermann fought for, that Hal Finney demonstrated by receiving the first Bitcoin transaction, that Satoshi encoded into the genesis block — is that identity is mathematical. You generate a keypair. The public key is your identity. The private key is your proof of ownership. No intermediary required.
Nostr VPN takes this principle and applies it to something we interact with every single day: network connectivity. Your VPN identity isn’t an account with a provider. It’s a key you control. You can use it across any FIPS node, any transport, any network — and nobody can deplatform you because there’s no platform.
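How a Nostr identity of the kind described above is derived, as an added example that is not from the original post or the Nostr VPN code base: a secp256k1 secret generated locally yields the 32-byte x-only public key (NIP-01) and its `npub` bech32 form (NIP-19), with no server involved. The function names are assumptions made for this sketch, and the pure-Python curve arithmetic is not constant-time, so it illustrates the derivation rather than replacing a vetted library.

```python
import secrets
# secp256k1 parameters (the curve Nostr keys use); names below are illustrative
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def point_add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def xonly_pubkey(seckey: bytes) -> bytes:
    """32-byte x-only public key for a 32-byte secret (double-and-add)."""
    k = int.from_bytes(seckey, "big")
    if not 0 < k < N:
        raise ValueError("secret key out of range")
    acc = None
    for bit in bin(k)[2:]:
        acc = point_add(acc, acc)
        if bit == "1":
            acc = point_add(acc, G)
    return acc[0].to_bytes(32, "big")

def polymod(values):  # bech32 checksum polynomial (BIP-173)
    chk = 1
    for v in values:
        top, chk = chk >> 25, (chk & 0x1FFFFFF) << 5 ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            chk ^= g if top >> i & 1 else 0
    return chk

def npub(pubkey: bytes) -> str:  # NIP-19 encoding of the public key
    data = [(int.from_bytes(pubkey, "big") << 4 >> 5 * i) & 31 for i in range(51, -1, -1)]
    hrp = [ord(c) >> 5 for c in "npub"] + [0] + [ord(c) & 31 for c in "npub"]
    chk = polymod(hrp + data + [0] * 6) ^ 1
    data += [(chk >> 5 * (5 - i)) & 31 for i in range(6)]
    return "npub1" + "".join(CHARSET[d] for d in data)

def new_identity():
    sk = (secrets.randbelow(N - 1) + 1).to_bytes(32, "big")  # generated locally
    return sk, npub(xonly_pubkey(sk))
```

Anyone holding the 32-byte secret can re-derive the same `npub`, which is why the key file is the only credential there is to protect or back up.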
Why a Finnish Programmer’s Side Project Matters More Than Cloudflare’s Annual Report
Cloudflare handles something like 20% of all web traffic. They’re building zero trust networks for enterprises. They have thousands of employees and billions in revenue. And their entire model depends on you trusting Cloudflare.
Malmi, working mostly alone, has shipped a tool that makes trust irrelevant. Not because he’s smarter than Cloudflare’s engineering team (though he might be — the man was collaborating with Satoshi at 18). But because he’s solving a different problem. Cloudflare asks: “How do we make centralised infrastructure more secure?” Malmi asks: “What if we didn’t need centralised infrastructure at all?”
That’s the question that created Bitcoin. It’s the question that created PGP. It’s the question that every meaningful advance in digital freedom has started with.
The Uncomfortable Truth
Most people won’t use Nostr VPN. Not yet. The UX of sovereign technology is always harder than the UX of custodial technology — that’s the trade-off for not having a benevolent intermediary smooth everything out for you. Managing your own keys is harder than clicking “Sign in with Google.”
But that’s not the point. PGP was unusable for most people too. Bitcoin was “too complicated” for a decade. The point is that the tool exists. The architecture is proven. The code is open source. And when the day comes that you need a network connection that no government, corporation, or ISP can intercept, monitor, or shut down — it’ll be there.
Martti Malmi helped build the system that separated money from the state. Now he’s working on separating the network from the state. Same principles. Same philosophy. Same quiet Finnish determination.
If you care about encryption as a right rather than a feature, about identity as mathematics rather than permission, about infrastructure that serves users rather than surveils them — pay attention. The first collaborator of the most important open-source project in history just shipped his next one.
The code is on GitHub. Your keypair is waiting.
