Architecture
Baseguard's components and how they fit together
Your traffic never touches our servers. Baseguard's control plane only coordinates — authenticating devices, distributing configuration, and relaying signaling. All network traffic flows directly between your devices through encrypted WireGuard tunnels.
System Overview
Data Plane
The data plane is everything between your devices — encrypted WireGuard tunnels running peer-to-peer. The client runs as a background daemon on each device (Linux, macOS, Windows) and creates a virtual network interface (TUN device) with the node's overlay IP address.
Connections are established on demand. When traffic targets another node for the first time, the client negotiates a P2P connection through the control plane and establishes a direct WireGuard tunnel. Network rules are enforced locally — packets that violate ACL policies are dropped before they enter or leave the tunnel. If a direct connection isn't possible, traffic is routed through a relay server — still encrypted end-to-end.
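The local enforcement point described above, as an added example that is not Baseguard's code: it assumes a network state that maps overlay IPs to tags and a list of tag-based rules (source tag may reach destination tag on a protocol and port range), and it evaluates every packet against that state with a default deny. The node list, rule shape, and overlay prefix are constructed for illustration.

```python
"""Local ACL enforcement for a mesh data plane (added example, hypothetical).

The same check runs on both ends of a tunnel: the sender drops violating
packets before they are encrypted (egress), and the receiver drops them again
after decryption (ingress). A peer that skips its own egress check therefore
still has its packets rejected by the receiving node's policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Node:
    overlay_ip: str
    tags: frozenset  # tags assigned by the control plane, e.g. {"server", "prod"}


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    proto: str                    # "tcp", "udp", "icmp" or "*" for any
    dst_ports: Tuple[Tuple[int, int], ...]  # inclusive ranges; empty = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int]       # None for protocols without ports (ICMP)


class LocalPolicy:
    """Evaluates packets against the distributed network state, default deny."""

    def __init__(self, overlay: str, nodes: Iterable[Node], rules: Iterable[Rule]):
        self.overlay = ip_network(overlay)
        self.by_ip = {ip_address(n.overlay_ip): n for n in nodes}
        self.rules = list(rules)

    def _matches(self, rule: Rule, src_tags, dst_tags, pkt: Packet) -> bool:
        if rule.src_tag not in src_tags or rule.dst_tag not in dst_tags:
            return False
        if rule.proto != "*" and rule.proto != pkt.proto:
            return False
        if not rule.dst_ports:          # rule applies to any port
            return True
        if pkt.dst_port is None:        # port-scoped rule cannot match portless traffic
            return False
        return any(lo <= pkt.dst_port <= hi for lo, hi in rule.dst_ports)

    def allows(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # Traffic outside the overlay, or involving a node the control plane
        # never told us about, is dropped without consulting any rule.
        if src not in self.overlay or dst not in self.overlay:
            return False
        src_node, dst_node = self.by_ip.get(src), self.by_ip.get(dst)
        if src_node is None or dst_node is None:
            return False
        return any(self._matches(r, src_node.tags, dst_node.tags, pkt) for r in self.rules)


def filter_packets(policy: LocalPolicy, pkts: Iterable[Packet]):
    """Split packets into (allowed, dropped); used identically at egress and ingress."""
    allowed, dropped = [], []
    for p in pkts:
        (allowed if policy.allows(p) else dropped).append(p)
    return allowed, dropped


# Constructed sample network state: three nodes, three rules.
SAMPLE_POLICY = LocalPolicy(
    "100.64.0.0/10",
    nodes=[
        Node("100.64.0.10", frozenset({"laptop", "eng"})),
        Node("100.64.0.20", frozenset({"server", "prod"})),
        Node("100.64.0.30", frozenset({"server", "db"})),
    ],
    rules=[
        Rule("eng", "prod", "tcp", ((22, 22), (443, 443))),
        Rule("prod", "db", "tcp", ((5432, 5432),)),
        Rule("eng", "server", "icmp", ()),
    ],
)

# Constructed sample traffic seen by the local enforcement point.
SAMPLE_PACKETS = [
    Packet("100.64.0.10", "100.64.0.20", "tcp", 443),    # eng -> prod https: allowed
    Packet("100.64.0.10", "100.64.0.30", "tcp", 5432),   # eng -> db directly: dropped
    Packet("100.64.0.20", "100.64.0.30", "tcp", 5432),   # prod -> db: allowed
    Packet("100.64.0.10", "100.64.0.30", "icmp", None),  # eng pings server: allowed
    Packet("100.64.0.30", "100.64.0.10", "tcp", 22),     # db -> laptop: no rule, dropped
    Packet("100.64.0.10", "100.64.0.20", "tcp", 80),     # port not in rule: dropped
    Packet("192.168.1.5", "100.64.0.20", "tcp", 443),    # source outside overlay: dropped
    Packet("100.64.0.10", "100.64.0.99", "tcp", 443),    # unknown node: dropped
]


def demo():
    allowed, dropped = filter_packets(SAMPLE_POLICY, SAMPLE_PACKETS)
    return len(allowed), len(dropped)


if __name__ == "__main__":
    print("allowed=%d dropped=%d" % demo())
```

Because ingress enforcement re-runs the same `allows` check on the receiving node, the policy does not depend on the remote peer behaving correctly; the drop happens after the WireGuard layer has authenticated the packet's source, so the rule lookup is keyed on a source address that the tunnel itself vouches for.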
Control Plane
The control plane is the central coordination service. It never sees or handles your actual network traffic — it only manages signaling and metadata.
It maintains a persistent, encrypted connection (NCP) with every online node. Through this connection, it authenticates devices, distributes the network state (node list, ACL rules, relay servers), pushes real-time updates, and forwards end-to-end encrypted ICE signaling between nodes for P2P connection establishment.
It also exposes a REST API used by the Console and API clients for administration.
Console
The Console is the web-based management interface. It communicates only with the control plane via the REST API — it has no direct access to nodes. Administrators use it to manage organizations, approve nodes, configure tags and network rules, manage users, and view audit logs.
Relay Server
Relay servers provide a fallback path when two nodes cannot establish a direct P2P connection. Nodes authenticate to the relay using short-lived tokens issued by the control plane. The relay forwards encrypted WireGuard packets — it cannot decrypt them.
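One way to build the short-lived relay token the paragraph describes, as an added example rather than Baseguard's own token format: the control plane and each relay share a per-relay secret (an assumption; the page does not say how relay credentials are provisioned), the control plane issues an HMAC-signed claim binding a node identity to a specific relay and an expiry, and the relay checks that claim before forwarding opaque WireGuard packets it never decrypts. Node and relay identifiers are constructed sample values.

```python
"""Short-lived relay tokens (added example, hypothetical scheme).

issue_relay_token runs on the control plane; verify_relay_token and
RelayForwarder run on the relay. The relay only sees the token's claims and
the already-encrypted WireGuard payload, so it can decide *whether* to forward
without being able to read *what* it forwards.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_relay_token(relay_secret: bytes, node_id: str, relay_id: str,
                      ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Control-plane side: sign (node, relay, iat, exp, nonce) with the relay's secret."""
    now = int(time.time()) if now is None else now
    claims = {
        "node": node_id,
        "relay": relay_id,          # token is only good for this relay
        "iat": now,
        "exp": now + ttl_seconds,   # short lifetime limits replay of a leaked token
        "nonce": _b64(os.urandom(8)),
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(relay_secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_relay_token(relay_secret: bytes, token: str, relay_id: str,
                       now: Optional[int] = None) -> Tuple[bool, str]:
    """Relay side: returns (True, node_id) or (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(relay_secret, payload, hashlib.sha256).digest()
    # Check the MAC before trusting anything inside the payload.
    if not hmac.compare_digest(mac, expected):
        return False, "bad-signature"
    claims = json.loads(payload)
    if claims.get("relay") != relay_id:
        return False, "wrong-relay"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["iat"] > now + 60:        # small skew allowance
        return False, "not-yet-valid"
    return True, claims["node"]


class RelayForwarder:
    """Forwards ciphertext unchanged for authenticated sessions only."""

    def __init__(self, relay_id: str, relay_secret: bytes):
        self.relay_id = relay_id
        self.secret = relay_secret
        self.sessions = {}          # session handle -> node_id

    def open_session(self, token: str, now: Optional[int] = None) -> Optional[str]:
        ok, result = verify_relay_token(self.secret, token, self.relay_id, now)
        if not ok:
            return None
        handle = _b64(os.urandom(6))
        self.sessions[handle] = result
        return handle

    def forward(self, handle: str, wireguard_packet: bytes) -> Optional[bytes]:
        # The payload is WireGuard ciphertext; it is passed through byte-for-byte.
        if handle not in self.sessions:
            return None
        return wireguard_packet


if __name__ == "__main__":
    secret = b"constructed-per-relay-secret"
    tok = issue_relay_token(secret, "node-a", "relay-eu-1", now=1000)
    print(verify_relay_token(secret, tok, "relay-eu-1", now=1100))
    print(verify_relay_token(secret, tok, "relay-eu-1", now=1300))
```

Binding the token to one relay means a token obtained for one fallback path cannot be replayed against another, and the expiry keeps the window small even if a token leaks; the relay's inability to decrypt holds regardless, since it never receives the node keys.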
Key Management
Each device has two separate key pairs, each serving a different purpose:
- Device Key — Generated on first run, never changes. This is the device's permanent identity. It's used for the NCP handshake with the control plane and for encrypting authentication requests. The private key never leaves the device.
- Node Key — Generated per organization, periodically rotated. This is the WireGuard private key — it encrypts all P2P traffic between nodes. The private key never leaves the device.
See Also
- Networking — How connections are established and managed
- Security — Encryption and zero trust
- Organizations — Multi-tenancy model
- API Reference — REST API documentation