CONCEPT Cited by 2 sources
WireGuard mesh topology¶
WireGuard mesh topology is the architectural pattern of connecting WireGuard peers to each other rather than through a central hub/concentrator. Each peer can (subject to policy) reach any other peer directly; reachability is a per-peer permission matrix, not a single-point gateway decision.
Why it matters¶
Two architectural consequences — distinct from the hub-and-spoke topology most SSL-VPN products default to:
- No single point of failure on the data plane. A hub VPN concentrator serving N clients fails-closed for all N clients when it goes down; a mesh distributes load across peers, and client↔server reachability survives individual peer outages provided alternate paths exist.
- HA becomes a routing-time concern, not a client-reconnect
concern. The classic VPN-concentrator-failover story is
"VPN drops, client notices, client reconnects to the other
concentrator, user re-logs-in, session lost." On a mesh with
multiple egress peers available to a client, a failure is
masked by rerouting without involving the client:
"a router peer that was actively handling traffic for a given peer could suddenly halt operation, and the client would experience a sub 2 second connectivity interruption while their traffic was rerouted to another host." (Source: sources/2025-04-15-yelp-journey-to-zero-trust-access)
WireGuard's fit for mesh¶
The mesh shape is a natural consequence of WireGuard's underlying point-to-point protocol model — per Jason Donenfeld's design, "peers connect to each other when they have traffic to send", and WireGuard has no concept of a central server or session controller. (See systems/wireguard.) A mesh is just what you get when the per-peer reachability matrix is non-degenerate. Overlay systems like Netbird manage the matrix + distribute public keys + enforce per-peer ACLs on top.
Role of router peers in the mesh¶
Netbird's canonical mesh shape introduces a distinguished router peer role: router peers accept and egress traffic on behalf of other peers to internal resources. A regular client peer has a one-to-many binding to router peers it is permitted to use; when one router peer fails, the client's traffic drains to another. This is the concrete mechanism behind the <2s failover Yelp measured.
Seen in¶
- sources/2025-04-15-yelp-journey-to-zero-trust-access — Yelp's 2025 ZTA migration; mesh + router-peer HA named as a first-class selection pillar with measured <2s failover.
- sources/2024-03-12-flyio-jit-wireguard-peers — Fly.io's JIT-provisioned mesh for the external gateway at ~550k peers. Different altitude (per-peer scaling limit of the Linux kernel WireGuard module) from Yelp's use case, but the same topology primitive.
Related¶
- systems/wireguard — the protocol this topology composes.
- systems/netbird — enterprise mesh overlay + policy engine.
- concepts/router-peer — the distinguished egress-peer role that makes per-client multi-path routing possible.
- concepts/zero-trust-authorization — the broader doctrine this topology supports (per-peer policies, not per-segment policies).