FAQ
Frequently asked questions
General
What is Baseguard?
Baseguard is a mesh VPN that creates secure, direct connections between devices. Unlike traditional VPNs, traffic doesn't route through a central server—devices connect directly to each other using P2P connections.
How is Baseguard different from traditional VPNs?
| Feature | Traditional VPN | Baseguard |
|---|---|---|
| Topology | Hub-and-spoke | Full mesh |
| Traffic path | Through server | Direct P2P |
| Single point of failure | Yes | No |
| Access control | IP-based | Tag-based |
Is my traffic encrypted?
Yes. All traffic is encrypted end-to-end using WireGuard (ChaCha20-Poly1305). Encrypted packets are transmitted directly from node A to node B — even when traffic passes through a relay server, the relay only forwards encrypted WireGuard packets without any ability to decrypt them.
Connectivity
Why is my connection using relay instead of P2P?
Relay is used when direct P2P can't be established, typically due to:
- Strict firewalls
- Symmetric NAT
- Corporate network restrictions
This is normal — all traffic is end-to-end encrypted between your devices, so relay servers cannot see or decrypt any of your data.
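Why symmetric NAT in particular forces a relay, as an added toy model (not Baseguard's code; this page does not describe Baseguard's actual traversal mechanism). It assumes a STUN-style rendezvous step, and `Nat`, `hole_punch`, `demo`, `RENDEZVOUS` and all addresses are hypothetical, constructed values.

```python
"""Toy NAT model (added example, not Baseguard code): why symmetric NAT forces relay."""
from dataclasses import dataclass, field
from itertools import count

RENDEZVOUS = ("198.51.100.1", 3478)  # constructed address of a STUN-style helper


@dataclass
class Nat:
    public_ip: str
    symmetric: bool               # True: a fresh public port per destination
    port_restricted: bool = True  # inbound filter also checks the remote port
    ports: count = field(default_factory=lambda: count(40000))
    mapping: dict = field(default_factory=dict)  # destination key -> public port
    opened: set = field(default_factory=set)     # (public port, permitted remote)

    def send(self, dst):
        """Translate one outbound UDP packet; return its public source endpoint."""
        key = dst if self.symmetric else "any"  # "any": one mapping for all peers
        if key not in self.mapping:
            self.mapping[key] = next(self.ports)
        port = self.mapping[key]
        self.opened.add((port, dst if self.port_restricted else dst[0]))
        return (self.public_ip, port)

    def accepts(self, src, dst_port):
        """Would an inbound packet from src to public dst_port be forwarded?"""
        return (dst_port, src if self.port_restricted else src[0]) in self.opened


def hole_punch(a, b):
    """Return True if a direct path opens, False if traffic must use a relay."""
    a_seen, b_seen = a.send(RENDEZVOUS), b.send(RENDEZVOUS)  # advertised endpoints
    a_src, b_src = a.send(b_seen), b.send(a_seen)            # simultaneous probes
    # One probe getting through is enough: the receiver replies to the source it
    # saw, and that reply matches the mapping the sender's NAT already holds.
    return b.accepts(a_src, b_seen[1]) or a.accepts(b_src, a_seen[1])


def demo():
    """Outcome for each pairing of cone (endpoint-independent) and symmetric NAT."""
    kinds = {"cone": False, "symmetric": True}
    return {(x, y): "direct" if hole_punch(Nat("203.0.113.10", kinds[x]),
                                            Nat("203.0.113.20", kinds[y])) else "relay"
            for x in kinds for y in kinds}


if __name__ == "__main__":
    for pair, path in demo().items():
        print(pair, path)
```

In this model a symmetric NAT only reaches a peer directly when the other side's NAT filters inbound packets by address alone (`port_restricted=False`); every other pairing that involves a symmetric NAT falls back to relay.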
How do I improve P2P success rate?
- Open UDP port 42273 in your firewall
- Use a router with less restrictive NAT
- Ensure outbound UDP isn't blocked
Can nodes in different organizations communicate?
No. Organizations are completely isolated. Nodes can only communicate with other nodes in the same organization.
Security
Who can see my traffic?
No one other than the communicating devices. Each pair of nodes establishes a unique encrypted tunnel with its own key pair. No third party — including the control plane, relay servers, or your ISP — can access the contents of your traffic.
What happens if I lose my device?
Are my private keys transmitted?
No. Private keys never leave your device.
Configuration
How do I connect to multiple organizations?
You can only connect to one organization at a time. To switch:
baseguard disconnect
baseguard switch-organization <org-id>
baseguard connect
Administration
How do I add a device without user interaction?
Use node auth keys:
- Create key in console
- Run:
baseguard login --auth-key <key>
Can I control which devices can join?
Yes. Enable "Require node approval" in organization settings. New devices must be approved by an admin.
How do I see what changes were made?
Check Audit Logs in the console. All administrative actions are logged.
Can I self-host Baseguard?
Contact sales for self-hosted deployment options.
Getting Help
If you can't resolve an issue, contact support.
See Also
- Troubleshooting — Diagnose and resolve common issues
- Concepts — Core concepts overview
- CLI Reference — Command-line interface