Overview

Iroh lets you establish direct peer-to-peer connections whenever possible, falling back to relay servers if necessary. This gives you fast, reliable QUIC connections that are authenticated and encrypted end-to-end.

Iroh is "dial by public key"

In the iroh world, you dial another node by its NodeId, a 32-byte ed25519 public key. Unlike IP addresses, this ID is globally unique, and instead of being assigned, you can cheaply generate as many as you want yourself. It also doesn't change when you change networks. You won't have to think about NATs getting in your way, iroh traverses them for you. Basing connections on asymmetric public keys is what allows iroh to always end-to-end encrypt and authenticate connections.

Peer to peer

Iroh is built on peer-to-peer QUIC using both relays and holepunching.

Peers must know the NodeId of a peer before connecting to it. They verify this NodeId during the connection handshake to provide end-to-end encryption and authentication.

Peer to peer connectivity is established with the help of a relay server. On startup peers register their NodeId with a home relay server. The relay server provides assistance to traverse firewalls, NATs or others alike. If no direct connection can be established, the connection is relayed via the server.

Peers can also connect directly without using a relay server. For this, however, the listening peer must be directly reachable by the connecting peer via one of it's addresses.

Iroh is built on QUIC

This gives iroh super-powers:

  • encryption & authentication
  • stream multiplexing
    • no head-of-line blocking issues
    • stream priorities
    • one shared congestion controller
  • an encrypted, unreliable datagram transport
  • zero round trip time connection establishment if you've connected to another node before

A single QUIC connection can power all of your protocol's complex interactions:

  • Stream both video and audio without video packet loss affecting audio. Prioritize audio by increasing that stream's priority.
  • Use the unreliable datagram transport for your game's state and input networking. Also re-use the same connection for streaming assets or real-time audio or video.
  • Avoid unnecessary network round-trips when your phone comes back from suspension with zero round trip time connection establishment.

The higher level: Give your users agency back

Iroh bootstraps a new internet: Your user's home computer is as inter-connected as a virtual private server. There might not be a need for intermediaries if their powerful smartphone can accept incoming connections like any other service.

This gives users back power and agency to use their devices the way they want to.
No need to fight for static IP addresses from your ISP.
No need to buy domain names to participate in the internet.
No need to set up complicated TLS certificates to get what should be a baseline feature: Encryption.

Want to see where iroh's headed?

See our roadmap to find out what's planned.