2. Requirements
2.1 Design Goals
| Goal | Description |
|---|---|
| Private connectivity | Services communicate over a private network rather than public IPs |
| Host-level simplicity | Minimal dependencies on each host |
| Deterministic routing | Each host has a fixed WireGuard (WG) IP, so routes and allow-lists do not change when hosts restart or re-key |
| Security boundaries | Explicit separation between public/LAN interfaces and the WG interface |
2.2 Non-Goals
| Non-Goal | Rationale |
|---|---|
| Service-specific configs | Owned by service maintainers |
| App-level encryption | WG already encrypts and authenticates traffic between hosts; application-level TLS is optional and left to service maintainers |
| Orchestrator overlays | Out of scope for this architecture |
2.3 Invariants
Invariant 1 — WG-Only Service Access
Internal services MUST be reachable only via the WireGuard interface. Public/LAN interfaces MUST NOT provide access to internal service ports. Binding a service to the WG address is necessary but not sufficient: Linux follows the weak host model and accepts a packet addressed to the WG IP even when it arrives on a public/LAN interface, so satisfying this invariant also requires a host firewall rule that admits internal service ports only from the WireGuard ingress interface.
Invariant 2 — Stable Host Identity
Each host MUST have a stable WireGuard IP that uniquely identifies it within the VPN subnet.
Invariant 3 — Encrypted Transport
All inter-host traffic for internal services MUST traverse WireGuard.
2.4 Success Criteria
| Criterion | Measurement |
|---|---|
| WG reachability | Every host can reach every other host's WG IP over the WG interface (e.g. ping or a TCP probe to a known internal port) |
| Public isolation | Probes to internal service ports on a host's public/LAN addresses get no response |
| Operational stability | Each peer's latest handshake stays recent during normal operation (WG re-handshakes roughly every two minutes while traffic flows) |
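The following is an added audit script, not part of RFC-WG-0002 or any referenced project. It checks two of the requirements above from a single host: Invariant 1 (internal services listen only on the WireGuard address) and the operational-stability criterion (peer handshakes stay fresh). Both checks parse command output as text, so the constructed samples embedded below run offline; on a real host you would feed them the output of `ss -Hltn` and `wg show wg0 dump`. The VPN subnet, the internal port list, and the peer keys in the sample are assumptions for the example.

```python
"""Host-side audit for RFC-WG-0002 Invariant 1 and the operational-stability
success criterion. Added example; not part of the RFC itself."""
import ipaddress
import time

# Assumed for this example: the VPN subnet and this host's internal service ports.
WG_SUBNET = ipaddress.ip_network("10.8.0.0/24")
INTERNAL_PORTS = {5432, 9100, 6379}

# Constructed sample of `ss -Hltn` output (no header). Fields:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 4096 10.8.0.3:5432 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:9100 0.0.0.0:*
LISTEN 0 511 [::]:9100 [::]:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 203.0.113.10:443 0.0.0.0:*
"""

# Constructed sample of `wg show wg0 dump`. Line 1 is the interface
# (private-key public-key listen-port fwmark; keys replaced by placeholders),
# later lines are peers: public-key preshared-key endpoint allowed-ips
# latest-handshake transfer-rx transfer-tx persistent-keepalive.
SAMPLE_WG_DUMP = "\n".join([
    "\t".join(["(hidden)", "(hidden)", "51820", "off"]),
    "\t".join(["PEER_B_KEY=", "(none)", "198.51.100.7:51820", "10.8.0.2/32",
               "1700000000", "12345", "67890", "25"]),
    "\t".join(["PEER_C_KEY=", "(none)", "(none)", "10.8.0.3/32",
               "0", "0", "0", "off"]),
    "\t".join(["PEER_D_KEY=", "(none)", "192.0.2.9:51820", "10.8.0.4/32",
               "1699999000", "100", "200", "25"]),
])


def parse_listeners(ss_output):
    """Yield (ip_address, port) for each LISTEN row of `ss -Hltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]")          # IPv6 literals are bracketed
        if host == "*":                  # older ss prints '*' for a wildcard bind
            host = "::"
        yield ipaddress.ip_address(host), int(port)


def invariant1_violations(ss_output, internal_ports=INTERNAL_PORTS,
                          wg_subnet=WG_SUBNET):
    """Return [(bind_address, port)] for internal-service listeners bound
    somewhere other than the WireGuard address.

    A wildcard bind (0.0.0.0 or ::) or a bind to a public/LAN address on an
    internal port violates Invariant 1. Loopback binds are skipped: they are
    unreachable from any network interface, WireGuard included.
    """
    bad = []
    for ip, port in parse_listeners(ss_output):
        if port not in internal_ports or ip.is_loopback:
            continue
        if ip.is_unspecified or ip not in wg_subnet:
            bad.append((str(ip), port))
    return bad


def stale_peers(wg_dump, now, max_age=180):
    """Return [(allowed_ips, age_seconds)] for peers whose latest handshake is
    older than max_age seconds, or that never completed one (age None).

    While traffic flows (persistent keepalives guarantee that), WireGuard
    re-handshakes roughly every two minutes, so a healthy peer's handshake age
    stays well under max_age. An idle peer with no keepalive legitimately shows
    an old handshake; do not alert on those.
    """
    stale = []
    for line in wg_dump.splitlines()[1:]:      # skip the interface line
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        allowed_ips, handshake_ts = fields[3], int(fields[4])
        age = None if handshake_ts == 0 else now - handshake_ts
        if age is None or age > max_age:
            stale.append((allowed_ips, age))
    return stale


if __name__ == "__main__":
    for addr, port in invariant1_violations(SAMPLE_SS):
        print(f"Invariant 1 violated: port {port} listens on {addr}")
    for allowed, age in stale_peers(SAMPLE_WG_DUMP, now=int(time.time())):
        print(f"stale peer {allowed}: handshake age {age}")
```

On the sample, port 9100 is flagged twice (IPv4 and IPv6 wildcard binds) while 5432 on the WG address and 6379 on loopback pass. The bind audit only proves the listener side of Invariant 1; because of the weak host model noted above, a passing result still needs the ingress-interface firewall rule, which this script does not inspect.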
End of Requirements — RFC-WG-0002