Connectivity and Data Plane

Netsody separates control from data transport.

The controller manages administrative state: users, devices, networks, groups, resources, and policies. The agent runs on each device and handles packet processing, local routing, access enforcement, and encrypted connectivity to peers.

Direct encrypted paths

Netsody encrypts data traffic between devices. Data traffic does not need to pass through the web controller. Agents establish end-to-end secured QUIC connections between peers. When direct connectivity is not available, MASQUE over HTTP/3 is used for relaying so peers can still establish an end-to-end secured QUIC connection.

Direct and relayed connectivity use different transport paths:

  • QUIC for end-to-end secured peer connectivity.
  • MASQUE over HTTP/3 for relaying end-to-end secured QUIC connections when direct connectivity is not available.
  • HTTP/2 over TLS as an encrypted relay fallback when UDP or QUIC is blocked.

These transport paths keep connections usable when networks block VPN protocols such as WireGuard or force traffic through central gateways.

Super peers

The discovery and relay paths above run through super peers — publicly reachable helper nodes that let devices find each other by their public-key identity, traverse NATs and firewalls to establish a direct connection, and relay the end-to-end encrypted connection when no direct path is available. Relaying through a super peer is only a fallback; direct connectivity is always preferred. A super peer forwards encrypted traffic only and cannot read it. See Super Peers.

Relationship to policies

Policies determine which peer connections are established. The agent uses the network state it receives from the controller to decide which peers are allowed to communicate. If no policy allows communication between two peers, the agents do not establish a peer connection.
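The default-deny decision described above, as an added example that is not Netsody's own code: the policy shape (group-to-group allow rules), the network-state layout and the device names are assumed for illustration, not taken from the controller's real format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy shape: members of src_group may reach members of dst_group."""
    src_group: str
    dst_group: str


@dataclass
class NetworkState:
    """Constructed stand-in for the state an agent receives from the controller."""
    members: dict[str, set[str]]   # device name -> groups it belongs to
    policies: list[Policy]


def is_allowed(state: NetworkState, a: str, b: str) -> bool:
    """Default deny: a and b may communicate only if some policy covers them.

    A peer connection is symmetric, so a policy in either direction is enough
    to establish it; which packets may flow is a separate per-packet decision.
    """
    groups_a = state.members.get(a, set())
    groups_b = state.members.get(b, set())
    for p in state.policies:
        if p.src_group in groups_a and p.dst_group in groups_b:
            return True
        if p.src_group in groups_b and p.dst_group in groups_a:
            return True
    return False


def peers_to_connect(state: NetworkState, local: str) -> list[str]:
    """Peers the local agent will try to reach; every other device gets no connection."""
    return sorted(d for d in state.members if d != local and is_allowed(state, local, d))


# Constructed sample state: two policies, one device covered by none of them.
SAMPLE_STATE = NetworkState(
    members={
        "laptop-alice": {"staff"},
        "server-db": {"databases"},
        "printer": {"office"},
        "guest-phone": {"guests"},
    },
    policies=[Policy("staff", "databases"), Policy("staff", "office")],
)

if __name__ == "__main__":
    for device in SAMPLE_STATE.members:
        print(device, "->", peers_to_connect(SAMPLE_STATE, device))
```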