WireGuard Mesh

Updated Jan 21, 2026 Edit this page

WireGuard Mesh Networking

ACT establishes a private, full-mesh peer-to-peer network between all your servers using WireGuard. This allows secure, low-latency communication between services running on different servers without exposing ports to the public internet.

Architecture

The ACT WireGuard implementation uses a Full Mesh topology.

       [Server A]
      /    |     \
     /     |      \
[Server B]----[Server C]
     \     |      /
      \    |     /
       [Server D]

Every line represents a secure, p2p WireGuard tunnel.
  • Every commissioned server automatically becomes a peer to every other server in the same Organization.
  • Traffic within the mesh is encrypted and routed directly between servers (p2p), not through the control plane.
  • The control plane acts only as the coordinator, distributing public keys and endpoint information.

Network Configuration

  • Interface: wg0
  • Subnet: 10.200.0.0/24 (Default)
  • Port: 51820/udp
  • MTU: Standard (configurable via future updates)

Limits

Currently, the default subnet acts as a limitation:

  • Maximum Peers: 254 servers per Organization (due to /24 CIDR).

Security & Firewall

When you commission a server, ACT automatically:

  1. Generates a WireGuard private/public key pair securely on the server.
  2. Configures the wg0 interface.
  3. Updates ufw to allow traffic on UDP port 51820.

Note: For the mesh to work, your servers’ cloud provider firewall (Security Group) must allow inbound traffic on UDP port 51820 from the other servers’ public IPs.

Automatic Reconciliation

ACT includes an automatic reconciliation process that runs periodically. If a new server is added, or if a server’s IP changes, the scheduler ensures specifically that:

  1. Examples sync to the new peer.
  2. The new peer syncs to all existing peers.
  3. Any “zombie” peers (decommissioned servers) are removed from the mesh.

This process ensures the mesh remains healthy even in the face of temporary network partitions or API downtime.

Service Discovery & High Availability

ACT provides seamless service discovery and failover capabilities over the mesh network.

Internal DNS

Every service in the cluster is addressable via its service name. This allows services to communicate with each other securely over the private mesh network.

http://<service-name>

For example, if you have a service named api and a database named postgres, the API can connect to the database securely using postgres as the hostname.

Mesh Failover

ACT supports Weighted Load Balancing and Failover across mesh peers. By enabling enable_mesh_failover on a resource, ACT configures Traefik to route traffic to available healthy instances across the mesh.

  • Load Balancing: Traffic is distributed across all healthy instances of a service running on different servers.
  • Failover: If a server goes down, traffic is automatically rerouted to remaining healthy instances on other servers.

To enable this feature, set enable_mesh_failover: true in your resource configuration.