Auto-mesh WireGuard tunnels between every node and site
Tophan builds encrypted WireGuard tunnels between nodes automatically. When a new node joins the cluster, it gets keys, establishes tunnels to every other node, and starts routing — no manual configuration. The same system handles site-to-site links between locations and client VPN access for remote users.
Every Tophan node generates a WireGuard keypair on first boot. The cluster coordinator distributes public keys and endpoint information to all peers, creating a full mesh where every node can reach every other node directly over an encrypted tunnel. Adding a node means adding a tunnel from it to every existing node; Tophan handles the rest.
Site-to-site VPN connects separate Tophan clusters (or a Tophan cluster to a remote office) with persistent tunnels that carry routed traffic between sites. BGP peering over the tunnel means subnets at each site are reachable automatically.
Client VPN gives remote users access to internal networks. Users authenticate through Tophan’s identity system, receive a WireGuard configuration, and connect. Split tunneling sends only internal traffic through the tunnel — everything else goes direct. Time-limited access tokens expire automatically.
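The two layouts described above (the full mesh between cluster nodes, and a split-tunnel client profile) come down to how the `[Peer]` sections and their `AllowedIPs` are generated. The script below is an added illustration, not Tophan's own code: it builds a wg-quick style config for each node of a small constructed cluster, where every node carries one `[Peer]` entry per other node, and a client profile whose `AllowedIPs` contains only the internal prefixes (split tunnel) or `0.0.0.0/0, ::/0` (full tunnel). Node names, keys, endpoints and subnets are placeholders. It also includes a check a practitioner would want: WireGuard's cryptokey routing maps each prefix to exactly one peer, so two nodes must not advertise overlapping subnets in the same mesh.

```python
"""Added example (not Tophan's code): full-mesh WireGuard peer sets for a
small cluster plus a split-tunnel client profile. All names, keys, endpoints
and subnets are constructed placeholders."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Node:
    name: str
    public_key: str          # base64 WireGuard public key (placeholder text here)
    endpoint: str            # "host:port" that other nodes can reach
    tunnel_ip: str           # this node's address inside the mesh overlay
    site_subnets: tuple      # subnets reachable behind this node


def check_disjoint_subnets(nodes):
    """Each AllowedIPs prefix can belong to only one peer on a given interface,
    so overlapping site subnets would silently steal routes from another node."""
    seen = []
    for node in nodes:
        for cidr in node.site_subnets:
            net = ipaddress.ip_network(cidr)
            for owner, other in seen:
                if net.overlaps(other):
                    raise ValueError(f"{node.name} {net} overlaps {owner} {other}")
            seen.append((node.name, net))


def peer_block(node, keepalive=25):
    """[Peer] stanza that lets the config holder reach `node` directly."""
    allowed = [f"{node.tunnel_ip}/32", *node.site_subnets]
    return [
        "[Peer]",
        f"# {node.name}",
        f"PublicKey = {node.public_key}",
        f"Endpoint = {node.endpoint}",
        f"AllowedIPs = {', '.join(allowed)}",
        f"PersistentKeepalive = {keepalive}",
        "",
    ]


def mesh_configs(nodes, private_keys):
    """Return {name: config text}. Every node lists every other node as a peer,
    so a cluster of n nodes holds n*(n-1) peer entries in total: the full mesh."""
    check_disjoint_subnets(nodes)
    configs = {}
    for me in nodes:
        port = me.endpoint.rsplit(":", 1)[1]
        lines = [
            "[Interface]",
            f"PrivateKey = {private_keys[me.name]}",
            f"Address = {me.tunnel_ip}/32",
            f"ListenPort = {port}",
            "",
        ]
        for other in nodes:
            if other.name != me.name:
                lines += peer_block(other)
        configs[me.name] = "\n".join(lines)
    return configs


def client_config(private_key, address, gateway, internal_subnets, split_tunnel=True):
    """Remote-user profile. Split tunneling is just a narrow AllowedIPs: only the
    internal prefixes enter the tunnel; a full tunnel routes everything through it."""
    allowed = list(internal_subnets) if split_tunnel else ["0.0.0.0/0", "::/0"]
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {address}",
        "",
        "[Peer]",
        f"PublicKey = {gateway.public_key}",
        f"Endpoint = {gateway.endpoint}",
        f"AllowedIPs = {', '.join(allowed)}",
        "PersistentKeepalive = 25",
    ])


def peer_entries(config_text):
    """Number of [Peer] stanzas in a generated config."""
    return config_text.count("[Peer]")


# Constructed sample cluster: three nodes, each fronting one site subnet.
NODES = (
    Node("node-a", "PUBKEY_A_PLACEHOLDER=", "198.51.100.10:51820", "10.77.0.1", ("10.10.0.0/24",)),
    Node("node-b", "PUBKEY_B_PLACEHOLDER=", "198.51.100.11:51820", "10.77.0.2", ("10.20.0.0/24",)),
    Node("node-c", "PUBKEY_C_PLACEHOLDER=", "203.0.113.5:51820", "10.77.0.3", ("10.30.0.0/24",)),
)
PRIVATE_KEYS = {n.name: f"PRIVKEY_{n.name.upper()}_PLACEHOLDER=" for n in NODES}

if __name__ == "__main__":
    for name, text in mesh_configs(NODES, PRIVATE_KEYS).items():
        print(f"--- {name}: {peer_entries(text)} peers ---")
        print(text)
    print(client_config("PRIVKEY_CLIENT_PLACEHOLDER=", "10.78.0.5/32", NODES[0],
                        ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"]))
```

Each generated node config carries two peers here (three nodes, six peer entries overall), and the only difference between the split-tunnel and full-tunnel client profiles is the `AllowedIPs` line; the overlap check rejects a fourth node whose subnet sits inside node-a's prefix.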
Key rotation happens through Vault integration. Keys are rotated on a configurable schedule without dropping connections — the old key remains valid briefly while peers transition to the new one.
| Feature | Description |
|---|---|
| Auto-Mesh | Full mesh tunnels created automatically when nodes join |
| Site-to-Site | Persistent tunnels between clusters with routed subnets |
| Client VPN | Remote user access with identity-based authentication |
| Split Tunneling | Route only internal traffic through the tunnel |
| Key Rotation | Automatic key rotation via Vault on configurable schedule |
| Kill Switch | Block all traffic if tunnel drops (optional per client) |
| Multi-WAN | Failover between WAN links with tunnel re-establishment |
| MTU Discovery | Automatic path MTU detection to avoid fragmentation |