We implement STUN and TURN/DERP using native WireGuard rather than separate protocols.

Netrinos uses a central rendezvous server that participates in WireGuard handshakes solely to collect your devices' public endpoints and share that information with your other devices. When a device roams to a new location, the server learns the new endpoint and updates the other devices in your account.

When direct P2P fails, Netrinos falls back to a relay server. The relay is a WireGuard peer, but it does not have the keys to decrypt your traffic. Your devices negotiate keys directly with each other, so the relay just forwards opaque encrypted packets.

If you are particularly security conscious, you can host your own relay server. Enable it with a checkbox in the app. This could be a home PC with a stable connection, or a $5 cloud server account.

Updated: Original answer did not address DERP