# Design

## Architecture

## Objectives
- Encrypt all signaling messages
- Pluggable signaling backends:
  - gRPC
  - Kubernetes API server
  - WebSocket
- Support Trickle ICE
- Support ICE restart
- Support ICE-TCP
- Encrypt exchanged ICE offers with the peers' WireGuard keys
- Seamless switching between ICE candidates and relays
- Zero configuration
  - Relieve users of exchanging endpoint IPs and ports by hand
  - Enable direct communication between WireGuard peers behind NATs or UDP-blocking firewalls
- Single-binary, zero-dependency installation
  - Bundled ICE agent and WireGuard user-space daemon
  - Portability
- Support for both user-space and kernel-space WireGuard implementations
- Zero performance impact
  - Kernel-side filtering / redirection of WireGuard traffic
  - Fallback to user-space proxying only if no kernel features are available
- Minimized attack surface
  - Drop privileges after the initial configuration
- Compatible with existing WireGuard configuration utilities like:
- Monitoring for new WireGuard interfaces and peers
  - inotify watch for new UAPI sockets in /var/run/wireguard
  - Netlink subscription for link updates (patch is pending)
## Related RFCs

- RFC 6544: TCP Candidates with Interactive Connectivity Establishment (ICE)
- RFC 8838: Trickle ICE: Incremental Provisioning of Candidates for the Interactive Connectivity Establishment (ICE) Protocol
- RFC 8445: Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal
- RFC 8863: Interactive Connectivity Establishment Patiently Awaiting Connectivity (ICE PAC)
- RFC 8839: Session Description Protocol (SDP) Offer/Answer Procedures for Interactive Connectivity Establishment (ICE)
- RFC 6062: Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations
- RFC 8656: Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)
- RFC 8489: Session Traversal Utilities for NAT (STUN)
- RFC 8866: SDP: Session Description Protocol
- RFC 3264: An Offer/Answer Model with the Session Description Protocol (SDP)
- RFC 7064: URI Scheme for the Session Traversal Utilities for NAT (STUN) Protocol
- RFC 7065: Traversal Using Relays around NAT (TURN) Uniform Resource Identifiers