Glossary
Terminology and definitions
A
ACL (Access Control List)
Rules that define what network traffic is allowed between nodes. Baseguard uses tag-based ACLs.
Auth Key
A pre-authorized key that allows devices to authenticate without user interaction. Used for automated deployments. See Node Auth Keys.
C
Control Plane
The central coordination service that handles authentication, node list distribution, and ACL distribution. It never sees or handles user traffic. See Architecture.
D
Daemon
The background service that runs on each device, managing connections and WireGuard tunnels.
Data Plane
The actual traffic between your devices — encrypted WireGuard tunnels running peer-to-peer. See Architecture.
Device Key
A permanent cryptographic key pair generated on first run. Used for NCP authentication with the control plane. The private key never leaves the device. See Key Management.
DNS
Automatic hostname resolution that lets nodes be addressed by node name instead of by overlay IP. See DNS.
E
Ephemeral Node
A node that is automatically removed when it disconnects. Ideal for CI/CD runners and temporary environments. See Ephemeral Nodes.
I
ICE (Interactive Connectivity Establishment)
Protocol used to establish P2P connections through NATs and firewalls. Defined in RFC 8445. See NAT Traversal.
N
NAT (Network Address Translation)
Router functionality that maps private IP addresses to public ones. Baseguard handles NAT traversal automatically. See NAT Traversal.
NCP (Node Control Protocol)
The signaling protocol between clients and the control plane, built on the Noise protocol. Uses the IK handshake pattern for mutual authentication, and provides encryption using Curve25519, ChaCha20-Poly1305, and BLAKE2s. Carries the node list, ACL distribution, and ICE signaling — never user traffic. See Control Plane Connection.
Node
A device running Baseguard that is registered with an organization. See Nodes.
Node Key
A per-organization WireGuard key pair used for data plane encryption. Periodically rotated. The private key never leaves the device. See Key Management.
O
Organization
A top-level container in Baseguard that provides complete network isolation. Each organization has its own IP space, ACLs, and users. See Organizations.
Overlay Network
The virtual network created by Baseguard where nodes communicate using private IP addresses (100.64.x.x).
P
P2P (Peer-to-Peer)
Direct connection between two nodes without intermediary servers. See P2P Connections.
R
Relay
A server that forwards encrypted WireGuard packets between nodes when direct P2P isn't possible. The relay cannot decrypt the traffic. See Relay.
T
Tag
A label assigned to nodes for grouping and access control. See Tags.
W
WireGuard
The encryption protocol used by Baseguard for all data plane traffic. See Encryption.
Z
Zero Trust
A security model in which no device or connection is implicitly trusted, and every access must be explicitly authorized through ACLs. See Zero Trust.
See Also
- Concepts — Core concepts overview
- Networking — How connections work
- Security — Security architecture
- Access Control — ACLs and tags