
3. Architecture

RFC-WG-0002                                                     Section 3
Category: Architecture                                     Architecture


3.1 System Overview

The system is a host-level WireGuard mesh. Each host is assigned a WireGuard IP in a private subnet. Services bind to the host’s WireGuard interface for inter-host access. Public/LAN interfaces are restricted by host firewall policy.

3.2 Authority Domains

Domain            Authority        Description
Host networking   Platform ops     WireGuard and firewall policies
Service configs   Service owners   Bindings, ports, and runtime settings

3.3 Trust Boundaries

Traffic entering via public/LAN interfaces is treated as untrusted. Traffic entering via wg0 is trusted for internal services only. This boundary is enforced by host firewall policy and service bindings.
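
One way to check the service-binding half of this boundary, as an added example that is not part of the RFC: a Python audit over `ss -H -tln` output that flags TCP listeners bound to a wildcard or non-WireGuard address. The mesh subnet 10.100.0.0/24, the function names, and the sample listener lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumption (not in the RFC): the mesh uses this private subnet.
WG_SUBNET = ipaddress.ip_network("10.100.0.0/24")

# Constructed sample of `ss -H -tln` output for one host.
SAMPLE_SS = """\
LISTEN 0 128   10.100.0.2:5432     0.0.0.0:*
LISTEN 0 511    127.0.0.1:6379     0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53     0.0.0.0:*
LISTEN 0 128      0.0.0.0:8080     0.0.0.0:*
LISTEN 0 128 192.168.1.20:9000     0.0.0.0:*
LISTEN 0 4096        [::]:9100        [::]:*
"""


def classify(local):
    """Return (kind, port) for a local 'addr:port' field from ss."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface scope
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard", int(port)        # listens on every interface
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback", int(port)
    if ip in WG_SUBNET:
        return "wg", int(port)
    return "non-wg", int(port)              # pinned to a public/LAN address


def audit(ss_output):
    """List listeners whose binding places them outside the wg0 boundary."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        kind, port = classify(fields[3])
        if kind in ("wildcard", "non-wg"):
            findings.append((port, fields[3], kind))
    return sorted(findings)


if __name__ == "__main__":
    for port, local, kind in audit(SAMPLE_SS):
        print(f"port {port}: bound to {local} ({kind}), relies on firewall policy alone")
```

A wildcard listener is not necessarily reachable from public/LAN interfaces, but its isolation then depends on the host firewall policy alone rather than on both controls.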

3.4 Data Flow

  1. Service on Host A connects to Host B using Host B’s WG IP.
  2. Traffic enters Host B via wg0 and is accepted by firewall policy.
  3. Service on Host B receives traffic on a WG-bound port.

End of Architecture — RFC-WG-0002
