diff --git a/docs/features/fastd_mode.gif b/docs/features/fastd_mode.gif
new file mode 100644
index 00000000..9f97074f
Binary files /dev/null and b/docs/features/fastd_mode.gif differ
diff --git a/docs/features/vpn.rst b/docs/features/vpn.rst
new file mode 100644
index 00000000..59f4d7c7
--- /dev/null
+++ b/docs/features/vpn.rst
@@ -0,0 +1,57 @@
+Mesh-VPN
+========
+
+Gluon integrates several OSI-Layer 2 tunneling protocols to
+enable interconnects between local meshes and provide
+internetwork access. Available protocols currently are:
+
+- fastd
+- L2TPv3 (via tunneldigger)
+
+fastd is a lightweight userspace tunneling daemon, that
+implements cipher suites that are specifically designed
+to work well on embedded devices. It offers encryption
+and authentication. Its primary drawback are the necessary
+context-switches when forwarding packets.
+
+L2TPv3 is an in-kernel tunneling protocol that performs well,
+but offers no security properties by itself.
+The brokering of the tunnel happens through tunneldigger,
+its primary drawback being the lack of IPv6 support.
+
+fastd
+-----
+
+Configurable Cipher
+^^^^^^^^^^^^^^^^^^^
+
+
+From the site configuration fastd can be allowed to offer
+toggleable encryption in the config mode with the intent to
+increase throughput, although in practice the gain is minimal.
+
+**Site configuration:**
+
+1) Install ``gluon-web-mesh-vpn-fastd`` in ``site.mk``
+2) Set ``mesh_vpn.fastd.configurable = true`` in ``site.conf``
+
+**Gateway configuration:**
+
+1) Prepend the ``none`` cipher in fastds method list
+
+
+**Config Mode:**
+The resulting firmware will allow users to choose between secure (encrypted) and fast (unencrypted) transport.
+
+.. image:: fastd_mode.gif
+
+**Unix socket:**
+To confirm whether the correct cipher is being used, fastds unix
+socket can be interrogated, after installing for example `socat`.
+
+::
+
+       opkg update
+       opkg install socat
+       socat - UNIX-CONNECT:/var/run/fastd.mesh_vpn.socket
+