Noq: n0's new QUIC implementation in Rust

3/19/2026 at 6:40:25 PM

https://github.com/quinn-rs/quinn/issues/224#issuecomment-38...

It's lovely to see the polite and respectful back and forth in this comment thread where the Iroh folks are talking about deciding to fork. :)

by tekacs

3/19/2026 at 10:56:10 PM

Great interaction. Very refreshing after some of the past problems I've encountered with maintainers treating forks as hostile or "stealing our work".

The message also exposes a reality of how hard it can be to upstream internal changes: They admit they don't have the time to go back and re-submit all of their work as tiny incremental patches that could be reviewed and approved upstream. They estimate it would be on the order of 100 PRs necessary to break it up and get it reviewed. That's a very large time investment for a company that needs to keep moving forward.

Hopefully they stay close in the rest of the implementation details of the project they forked from. After a fork becomes battle-tested enough it might be reasonable to start merging things in larger chunks rather than treating them as incremental development again.

by Aurornis

3/19/2026 at 6:54:21 PM

I very much agree, a nice contrast to so much open source drama

by bigfishrunning

3/19/2026 at 7:02:55 PM

disclosure: I work on the team behind noq. Can't emphasize enough that the quinn maintainers are really lovely people, and quinn is an excellent project.

by b_fiive

3/19/2026 at 10:02:03 PM

Can confirm! We work closely with them at Datum

by drewr

3/20/2026 at 12:50:28 PM

[dead]

by openclaw01

3/19/2026 at 7:30:46 PM

iroh seems like a very well positioned product in the era of people rapidly building applications for personal use. I'm really interested in seeing how they continue to grow.

I personally have been looking off and on at providing an "app relay" using it, where people can get an OSS, self-hostable (if desired), zero config way to remotely access their app/data on their network. This would be separate than a "network relay" (a la Tailscale), as this is done selectively as part of the application server and client, requires no knowledge or configuration as the user, and exposes a much smaller surface area.

by agg23

3/19/2026 at 9:13:13 PM

The zero-config part is where it gets tricky in practice. I spent a while getting mDNS-based discovery working across different home networks and it's a mess. Half the consumer routers silently drop multicast between subnets, some just rate-limit it into uselessness. You end up layering fallback after fallback (broadcast, then direct probe, then relay) and writing heuristics to pick which path actually works. Having multipath baked into QUIC so the transport just tries all paths and converges on the best one would've saved me a lot of that.

by nulltrace

3/19/2026 at 11:01:52 PM

Is your project public?

by apitman

3/19/2026 at 11:04:18 PM

You may be interested in my list here: https://github.com/anderspitman/awesome-tunneling

In particular I believe OpenZiti has a similar focus on embedding the tunnel in the apps.

by apitman

3/20/2026 at 10:00:01 AM

Good pointer. OpenZiti does fit that model well — app-embedded rather than network-wide relay/VPN first (though OpenZiti also supports non-embedded options). The main difference is it’s not just connectivity in the app, but identity- and policy-driven service access, so you get authN/Z-before-connect, with explicit Zero Trust principles, rather than just a tunnel embedded in the client/server.

by PLG88

3/20/2026 at 4:26:47 AM

This is exactly the type of thing I was thinking of. Thanks

by agg23

3/20/2026 at 10:01:47 AM

Glad it helped (I work on the project). Reading up on Iroh, OpenZiti approaches this less as ‘how do I reach that host across any path’ and more as ‘which identity is allowed to access which service across paths’,’ which feels like a better fit for app-specific access based on zero trust principles than a general network relay.

by PLG88

3/19/2026 at 7:09:20 PM

Love the folks from n0. I regularly use their sendme cli for peer to peer file transfer!

by adityamwagh

3/20/2026 at 7:50:38 PM

Same here. They've built an amazing toolkit that's such a joy to build with. Feels like game changer to have p2p that both reliable, fast, and fun.

by 2color

3/20/2026 at 3:02:41 AM

Good to know. I usually use magic wormhole, which works great, but it does install a lot of python modules to achieve it. I'm always a little reluctant to install that on our production Windows SQL servers, and I rarely touch them, so usually when I do I just do a "netcat" equivalent via either a powershell snippet or https://github.com/linsomniac/toothpyk or I just "wget" it on the Windows side. For SQL Server ISOs, the Windows built in wget is terribly slow though.

Thanks for the sendme pointer.

by linsomniac

3/20/2026 at 3:41:01 PM

One thing I find interesting with QUIC and similar approaches is that they still bind connection continuity quite tightly to transport state.

I've been thinking about whether session identity could be separated entirely from transport, so that transport failure becomes a recoverable event rather than connection death.

Curious if anyone has seen practical systems that push this further than QUIC does.

by JumpingVPN2027

3/19/2026 at 9:50:40 PM

Excuse me if this is explained somewhere, but how does noq/iroh relays QUIC packets between peers? How does relay know which QUIC packets it receives should be sent where, since QUIC is famously hard to track? Do you stream to relay new/retire_connection_id packets through different connection so that it can link them to specific peers? Or is the relayed QUIC wrapped in different protocol?

by Kazik24

3/20/2026 at 8:44:18 AM

noq doesn't implement any relaying logic itself. From the perspective of noq, iroh relays are another IP subnet that it's sending packets to and receives packets from, so just another path.

> Or is the relayed QUIC wrapped in different protocol?

Yes, that's what's happening.

On the iroh/iroh-relay side, we implement this relaying using WebSockets. The datagrams are wrapped with a header saying which EndpointId (ed25519 public key) we want the packet to be relayed to. Because of a handshake between iroh clients and iroh relays, the relay knows and has authenticated the source EndpointId of datagrams it relays.

So yeah, we're tunneling QUIC datagrams through HTTPS over TCP (we encrypt twice). The relay really is just a fallback and for coordination. We specifically made these choices for maximum ubiquity for the fallback (not affected by UDP blocking, looks like "normal" traffic).

by matheus23

3/19/2026 at 9:07:11 PM

The iroh team keeps cooking, unreal.

I’m excited to have a weekend to just sit down and tinker with iroh, it’s been on my list for a while. I want to make an overlay network like nebula with it

by dangoodmanUT

3/20/2026 at 12:54:29 PM

you might want to take a look at those, they have been mentioned on their discord: - https://github.com/rustonbsd/iroh-lan - https://github.com/lucascherzer/iron

by Landing7610

3/20/2026 at 9:05:48 AM

https://github.com/n0-computer/noq/blob/f3a73c7bdd722e9b18fb...

by jaufuuhs

3/20/2026 at 12:55:44 PM

even more interesting news from iroh that was annoounced recently: https://www.iroh.computer/blog/iroh-0-97-0-custom-transports...

by Landing7610

3/20/2026 at 9:34:48 AM

Not to be confused with https://github.com/tsoding/Noq

Which got it's name from 'Not Coq'

by whatsakandr

3/20/2026 at 8:51:14 AM

have you guys checked nQUIC? Would be interesting to see Noise integrated in Noq as well :)

by baby

3/20/2026 at 9:03:41 AM

There were experiments :) https://github.com/dignifiedquire/nquinn

The cool thing about noq (and Quinn, where we inherited this from), is that you can implement your own "Session" trait. So that can be either TLS or nQUIC.

by matheus23

3/19/2026 at 10:24:37 PM

> noq (”number 0 QUIC”)

Wouldn't that be n0q then?

by mrbluecoat

3/20/2026 at 3:40:58 AM

Now, see. that's what I said as well. But the rest of the team was tired of me trying to name the hosted iroh "n0des", which I'm now ready to admit was a stretch. And so now here we are spelling n0q as noq. c'est la vie.

by b_fiive

3/19/2026 at 6:53:48 PM

I was just reading the QUIC multipath RFC. Didn't it come out literally yesterday? I guess it's common to have the implementation foreshadowing the RFC but it's jarring to see them back to back like this.

by jeffbee

3/20/2026 at 1:09:04 AM

Many QUIC features get implemented while in draft stage as people iterate on the RFC's design (e.g., ACK Frequency[0] is currently on draft version 14 and I implemented support for it three years ago in quinn).

[0]: https://datatracker.ietf.org/doc/html/draft-ietf-quic-ack-fr...

by wofo

3/20/2026 at 5:14:37 AM

It’s common enough for groups to not consider the spec done until there is a decent bit of implementation experience (both because actual implementers tend to find interesting bugs in specs, and because many things are hard to measure without any implementation).

by gsnedders

3/20/2026 at 10:47:55 AM

> I guess it's common to have the implementation foreshadowing the RFC

"Rough consensus and running code" is the IETF's unofficial motto. Working Group Drafts are generally accompanied by implementations.

by unmole

3/19/2026 at 7:04:00 PM

It's been a draft for a long while, and was only recently approved

by b_fiive

3/19/2026 at 9:14:56 PM

It’s pretty common for IETF drafts to be substantially complete well before they are finalized as RFCs. For example, supporting ML-KEM in TLS is still a draft, but there are already multiple large scale deployments of it since the technical aspects were nailed down a while ago

by kevvok

3/20/2026 at 12:05:44 AM

Can this establish an QUIC connection without the other end having a CA cert? Or, like most other QUIC libs will it default to only allowing connections to corporation approved domains?

by superkuh

3/20/2026 at 8:47:23 AM

The TLS authentication story is fully configurable. This hasn't changed compared to Quinn. We use noq in iroh, and in iroh we use raw public keys (RFC7250). When you use iroh, you don't need to set up DNS or TLS certificates, you just generate a key, share the public key and others can connect to you. (Of course the trouble is sharing the public key securely.)

by matheus23

3/20/2026 at 1:26:45 AM

It turns out that "Have the defaults arranged so that they suit a handful of crazy people but inconvenience literally everybody else" isn't popular. In fact preferring a tiny minority preference is sort of inherently unpopular, that's basically its defining feature as a policy.

by tialaramex

3/20/2026 at 2:56:57 AM

Visiting websites (or making connections to IP based services) that aren't CA approved is not some crazy niche desire as you're painting it. It was the default for a very long time and is still the only way to access many websites. When changing the feature requires recompiling a lib and linking it into your browser which you also recompile it's basically reality and not just a default. The only reality. And that's bad. It should be a setting at least.

by superkuh

3/19/2026 at 9:48:01 PM

[dead]

by AiStockAgent62

3/19/2026 at 9:06:03 PM

[dead]

by ChrisSpoke68