
Mesh Networking

Overview

Durantic provides WireGuard-based encrypted mesh networks that connect your machines across different physical locations, data centers, and network environments. All traffic between machines in a mesh is encrypted end-to-end using WireGuard.

Mesh networks let machines communicate as if they were on the same local network, regardless of where they are physically located — behind NAT, in different cloud providers, or in on-premises data centers.

[Screenshot: Mesh networks list]

How It Works

Setting up a mesh network follows a straightforward process:

  1. Create a mesh — Define a new mesh network in the dashboard and assign it a CIDR block (for example, 10.100.0.0/16).
  2. Assign machines — Add machines to the mesh. Each machine automatically receives an IP address from the CIDR block.
  3. Automatic tunnel setup — The agent on each machine configures a WireGuard interface and establishes encrypted tunnels to all other machines in the mesh.
  4. NAT traversal — The agent handles endpoint discovery and NAT traversal automatically, preferring a direct path between peers and falling back to a relayed path when a direct one cannot be established.

No manual WireGuard configuration is required. The control plane distributes peer information and the agents handle all tunnel setup, key exchange, and keepalive management.

IP Allocation

When a machine joins a mesh network, Durantic automatically allocates an IP address from the mesh's CIDR block. You can view a machine's mesh IP on its Network tab.

[Screenshot: Machine network tab]

IP addresses are stable — a machine keeps the same mesh IP as long as it remains in the mesh. If a machine is removed and later re-added, it may receive a different address, so do not hard-code a machine's mesh IP into firewall rules or application configuration that must survive re-enrollment; look it up from the Network tab (or the API) instead.
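The allocation behaviour described above, as an added example (this is not Durantic's allocator; the class, its method names and the machine IDs are hypothetical). It models what the page states: the address is stable while the machine is a member, is released on removal, and a re-added machine may get a different one because another machine may have taken its old address in the meantime.

```python
import ipaddress
from typing import Dict, List, Optional


class MeshAllocator:
    """Hypothetical allocator: one stable address per member, released on removal."""

    def __init__(self, cidr: str) -> None:
        self.network = ipaddress.ip_network(cidr, strict=True)
        # hosts() skips the network and broadcast addresses of the block.
        self._unused = self.network.hosts()
        self._released: List[ipaddress.IPv4Address] = []
        self._assigned: Dict[str, ipaddress.IPv4Address] = {}

    def assign(self, machine_id: str) -> ipaddress.IPv4Address:
        """Return the machine's mesh IP, allocating one on its first join."""
        if machine_id in self._assigned:
            return self._assigned[machine_id]       # stable while a member
        if self._released:
            addr = self._released.pop(0)            # reuse the lowest released address
        else:
            try:
                addr = next(self._unused)
            except StopIteration:
                raise RuntimeError(f"{self.network} has no free addresses") from None
        self._assigned[machine_id] = addr
        return addr

    def remove(self, machine_id: str) -> None:
        """Remove the machine from the mesh; its address returns to the pool."""
        self._released.append(self._assigned.pop(machine_id))
        self._released.sort()

    def lookup(self, machine_id: str) -> Optional[ipaddress.IPv4Address]:
        return self._assigned.get(machine_id)


def demo() -> dict:
    alloc = MeshAllocator("10.100.0.0/16")        # the CIDR used in the example above
    first = alloc.assign("web-1")                 # hypothetical machine IDs
    alloc.assign("db-1")
    stable = alloc.assign("web-1") == first       # a repeat join returns the same address
    alloc.remove("web-1")
    alloc.assign("cache-1")                       # takes the address web-1 released
    readded = alloc.assign("web-1")               # web-1 now receives a different address
    return {
        "web-1 first": str(first),
        "db-1": str(alloc.lookup("db-1")),
        "stable while member": stable,
        "cache-1": str(alloc.lookup("cache-1")),
        "web-1 re-added": str(readded),
    }


if __name__ == "__main__":
    print(demo())
```

The reuse of a released address is exactly why a stale mesh IP in a firewall rule is dangerous: after a remove and re-add, the rule may now admit a different machine.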

Monitoring Mesh Health

Durantic provides detailed visibility into mesh network status through two tabs on each machine's detail page.

Peers Tab

The Peers tab shows the connectivity status between the current machine and every other machine in the mesh.

[Screenshot: Machine peers]

For each peer, you can see:

Field                 Description
Connectivity status   Whether the peer is reachable
Path type             Direct, relayed, or transit
Handshake age         Time since the last successful WireGuard handshake
BGP state             The BGP session state with this peer (if applicable)

Each peer row is expandable to reveal detailed metrics including latency, packet loss, and throughput statistics. WireGuard renews a session's handshake roughly every two minutes while traffic flows and discards the session after three minutes without one, so a handshake age well beyond that on a peer that should be carrying traffic means the tunnel is not currently established, regardless of what endpoint discovery reports.
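The same handshake-age check, run locally on a machine instead of through the dashboard, as an added example that is not part of the Durantic agent. It parses the tab-separated output of `wg show <iface> dump` (one interface line followed by one line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as Unix seconds with 0 meaning never, rx bytes, tx bytes, persistent keepalive). The sample dump, the peer keys and the timestamp are constructed; the 180-second threshold is WireGuard's session lifetime.

```python
import subprocess
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

REJECT_AFTER_TIME = 180  # seconds; WireGuard drops a session whose handshake is older than this


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]
    allowed_ips: List[str]
    latest_handshake: int      # Unix seconds, 0 = never completed a handshake
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]   # persistent keepalive interval, None if off


def parse_wg_dump(dump: str) -> List[Peer]:
    """Parse `wg show <iface> dump` output; the first line describes the interface itself."""
    lines = [line for line in dump.splitlines() if line.strip()]
    peers = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected wg dump line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, ka = fields
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed.split(","),
            latest_handshake=int(hs),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
            keepalive=None if ka == "off" else int(ka),
        ))
    return peers


def handshake_status(peer: Peer, now: int) -> str:
    """'never' = no handshake yet; 'stale' = last handshake older than the session lifetime.
    With persistent keepalive on, a stale handshake means the peer is unreachable; with it off,
    an idle tunnel also goes stale, which is harmless until traffic is needed."""
    if peer.latest_handshake == 0:
        return "never"
    return "stale" if now - peer.latest_handshake > REJECT_AFTER_TIME else "ok"


def report(dump: str, now: int) -> Dict[str, str]:
    """Map each peer's first allowed IP (its mesh address) to a handshake status."""
    return {p.allowed_ips[0]: handshake_status(p, now) for p in parse_wg_dump(dump)}


def live_report(iface: str = "wg0") -> Dict[str, str]:
    """Run against the real interface (requires root); interface name is an assumption."""
    out = subprocess.run(["wg", "show", iface, "dump"],
                         check=True, capture_output=True, text=True).stdout
    return report(out, int(time.time()))


# Constructed sample: three peers, 30 s old / 330 s old / never handshaken.
SAMPLE_DUMP = (
    "PRIVKEY_REDACTED=\tSELF_PUBKEY=\t51820\toff\n"
    "peerA_pubkey=\t(none)\t203.0.113.10:51820\t10.100.0.2/32\t1700000000\t123456\t654321\t25\n"
    "peerB_pubkey=\t(none)\t198.51.100.7:41641\t10.100.0.3/32\t1699999700\t10\t20\t25\n"
    "peerC_pubkey=\t(none)\t(none)\t10.100.0.4/32\t0\t0\t0\toff\n"
)
SAMPLE_NOW = 1700000030

if __name__ == "__main__":
    for mesh_ip, status in report(SAMPLE_DUMP, SAMPLE_NOW).items():
        print(f"{mesh_ip:16} {status}")
```

Peer C in the sample has no endpoint at all, which is what a peer looks like before endpoint discovery has produced anything for it; peer B has an endpoint but a stale handshake, the signature of a path that used to work and has since broken (for example a NAT mapping that expired).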

Endpoints Tab

The Endpoints tab shows the endpoints through which other peers discover and reach this machine.

[Screenshot: Machine endpoints]

Endpoint types include:

Type            Description
STUN            Public endpoint discovered via STUN servers
Peer-observed   Endpoint as seen by other machines in the mesh
Mesh-observed   Endpoint detected through mesh network traffic

NAT Traversal

The Durantic agent handles NAT traversal automatically so machines behind firewalls and NAT devices can participate in the mesh without manual port forwarding.

The NAT traversal process includes:

  • STUN endpoint discovery — The agent queries STUN servers to determine its public IP address and port mapping.
  • Peer-observed endpoint sharing — Machines share the endpoints they observe for each other through the control plane, enabling connections even when STUN alone is insufficient.
  • Adaptive keepalive intervals — The agent adjusts WireGuard keepalive timing based on the NAT type to maintain established connections.

This approach works behind most NAT types, including symmetric NAT in many cases. When no direct path can be established (for example, symmetric NAT on both sides), the peers fall back to a relayed path; the Path type column on the Peers tab shows which case applies, so a peer that stays on a relayed path is worth investigating.
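The STUN half of the process above, as an added example that is not the Durantic agent's code: it builds a STUN Binding request, parses the XOR-MAPPED-ADDRESS from the reply, and compares what two servers see from the same local socket. If both report the same public address and port, the NAT's mapping is endpoint-independent and the STUN-learned endpoint can be handed to any peer; if they differ, the NAT is symmetric (endpoint-dependent) and STUN alone is insufficient, which is the case peer-observed endpoints exist to cover. The replies here are constructed with a local response builder standing in for the servers; the server addresses and ports are assumptions.

```python
import ipaddress
import os
import socket
import struct
from typing import List, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header with no attributes: type, length, magic cookie, 96-bit transaction ID."""
    assert len(txid) == 12
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_response(txid: bytes, addr: str, port: int) -> bytes:
    """What a server sends back; used here only to construct sample replies offline."""
    xaddr = int(ipaddress.IPv4Address(addr)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC_COOKIE >> 16), xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_response(data: bytes, txid: bytes) -> Tuple[str, int]:
    """Return the (public_ip, public_port) the server observed for our socket."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, magic, rtxid = struct.unpack("!HHI12s", data[:20])
    if magic != MAGIC_COOKIE or rtxid != txid:
        raise ValueError("not a reply to our transaction")   # drops stray or spoofed packets
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN type 0x{mtype:04x}")
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + (alen + 3) // 4 * 4                         # attributes are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8:
            _, family, xport = struct.unpack("!BBH", value[:4])
            if family != 0x01:
                continue                                       # IPv6 (family 0x02) not handled here
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = ipaddress.IPv4Address(struct.unpack("!I", value[4:])[0] ^ MAGIC_COOKIE)
            return str(ip), port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def classify_mapping(mappings: List[Tuple[str, int]]) -> str:
    """Mappings reported by different servers for the SAME local socket.
    Identical  -> endpoint-independent mapping: the STUN endpoint is valid for any peer.
    Different  -> endpoint-dependent (symmetric) NAT: each peer sees its own port, so only a
                  peer-observed endpoint or a relay can reach this machine."""
    return "endpoint-independent" if len(set(mappings)) == 1 else "endpoint-dependent"


def stun_query(sock: socket.socket, server: Tuple[str, int]) -> Tuple[str, int]:
    """Live query. Reuse one bound socket for every server, or the mappings are not comparable."""
    txid = os.urandom(12)
    sock.sendto(build_binding_request(txid), server)
    data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txid)


def demo() -> dict:
    txid = bytes(range(12))
    # Constructed replies from two hypothetical STUN servers for the same local socket.
    behind_cone = [
        parse_binding_response(build_binding_response(txid, "203.0.113.10", 51820), txid),
        parse_binding_response(build_binding_response(txid, "203.0.113.10", 51820), txid),
    ]
    behind_symmetric = [
        parse_binding_response(build_binding_response(txid, "203.0.113.10", 40001), txid),
        parse_binding_response(build_binding_response(txid, "203.0.113.10", 40002), txid),
    ]
    return {
        "request_len": len(build_binding_request(txid)),
        "mapped": behind_cone[0],
        "cone": classify_mapping(behind_cone),
        "symmetric": classify_mapping(behind_symmetric),
    }


if __name__ == "__main__":
    print(demo())
```

For a live check, bind one UDP socket, call `stun_query` on it against two different servers, and pass both results to `classify_mapping`. Checking the transaction ID before trusting a reply matters: STUN runs over plain UDP, so an unverified reply would let anyone on the path feed the agent a false public endpoint.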

Gateway Nodes

You can designate machines as gateway nodes to enable routing between different mesh networks. Gateway nodes participate in multiple meshes and route traffic between them using external BGP (eBGP).

This is useful when you have separate mesh networks for different environments or teams but need controlled connectivity between them.

For details on BGP routing and route distribution, see BGP Routing.

Route Reflector Mode

For large mesh networks with 250 or more nodes, direct BGP peering between all machines becomes impractical. In this scenario, you can enable route reflector mode on gateway nodes.

Route reflector nodes act as central BGP route distribution points. Instead of every machine exchanging routes with every other machine, machines exchange routes only with the route reflectors, which then distribute routes to all peers. This reduces the number of BGP sessions from n(n-1)/2, that is O(n^2), to O(n) and keeps the mesh performant at scale. Because every route then passes through the reflectors, run at least two of them so that the loss of a single reflector does not interrupt route distribution.