Multi-transport
One identity. Many wires.
Beacons is not WireGuard with policy. WireGuard is the preferred default, but seven other transports are first-class. The transport is what the peer and the coordinator negotiate at enrollment — and the policy engine is transport-agnostic.
| Transport | Default for | Why |
|---|---|---|
| Kernel WireGuard | Linux servers · Windows (WireGuardNT) · Synology, QNAP, TrueNAS | Best performance, smallest CPU footprint, lowest jitter. |
| Userspace WireGuard (boringtun) | macOS · iOS · Android · FreeBSD · sandboxed hosts | Sandbox-friendly. Uses OS-mediated VPN APIs (NetworkExtension, VpnService). |
| WebRTC datachannels | Browser tabs (no extension) · Electron apps without native bridge | The only transport browsers natively support for arbitrary peer-to-peer. |
| MQTT-over-TLS broker | ESP32 · RP2040 · Nordic nRF52 · constrained MCUs | Brokered peer model — a parent peer mediates a fleet of MCUs. |
| CoAP | LoRaWAN gateways · low-bandwidth IoT | When even MQTT is too heavy. |
| Cellular IP | Field devices with private-APN SIMs | Telnyx · Twilio · Soracom · Hologram · 1NCE · Particle — all first-class. |
| LoRa / Meshtastic | Off-grid devices reachable only over long-range radio | Border peer pattern — a gateway translates Beacons signaling to LoRa packets. |
| Iridium / Starlink IP | Maritime · aviation · polar · remote field | Just IP. Works on top of any of the above. |
How negotiation works
The coordinator picks one. The peer never has to.
At enrollment the peer publishes its transport capability: the set of transports it can speak, plus any constraints (battery budget, MTU, jitter tolerance). The coordinator compares that to the fleet's transport policy and picks one. The peer receives a configuration that names exactly the right wire — and the policy engine continues recomputing ACLs against the abstract identity, not the chosen wire.
A peer can advertise multiple capabilities and the coordinator can switch transports without re-enrolling. If a laptop loses Wi-Fi and falls back to a Telnyx SIM, its routes follow it. If a Hives flight is migrated from a North America region to a Tokyo region, its tunnel is rebuilt against the nearer relay.
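The negotiation described above, written out as an added example that is not code from the Beacons project: a peer publishes the transports it can speak plus a few constraints, the coordinator walks the fleet's ordered preference list and assigns the first transport that both policy and the peer's constraints allow, and a transport switch (the laptop losing its Wi-Fi path) produces a new configuration with the same identity, which is all the ACL check ever looks at. The type names, the policy fields, the jitter figures and the battery rule are assumptions chosen for illustration, not the product's real schema.

```rust
// Added example, not code from the Beacons project: a small model of the
// enrollment-time transport negotiation. Every type, field and threshold here
// is an assumption chosen for illustration.
use std::collections::HashSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Transport {
    KernelWireGuard,
    UserspaceWireGuard,
    WebRtc,
    MqttTls,
    Coap,
    CellularIp,
    LoRa,
}

/// What a peer publishes at enrollment: the wires it can speak plus constraints.
#[derive(Debug, Clone)]
pub struct Capability {
    pub transports: HashSet<Transport>,
    pub mtu: u16,
    /// Worst-case jitter the peer's workload can tolerate, in milliseconds.
    pub jitter_tolerance_ms: u32,
    /// True for battery-powered peers that must avoid chatty transports.
    pub battery_constrained: bool,
}

/// Fleet-level policy: transports in order of preference, plus a floor on MTU.
#[derive(Debug, Clone)]
pub struct FleetPolicy {
    pub preference: Vec<Transport>,
    pub min_mtu: u16,
}

/// Per-transport jitter the coordinator compares against the peer's
/// tolerance (assumed, illustrative numbers).
fn typical_jitter_ms(t: Transport) -> u32 {
    match t {
        Transport::KernelWireGuard => 2,
        Transport::UserspaceWireGuard => 5,
        Transport::WebRtc => 20,
        Transport::MqttTls => 50,
        Transport::CellularIp => 60,
        Transport::Coap => 80,
        Transport::LoRa => 2000,
    }
}

/// Assumed rule: only brokered or low-power transports fit a battery budget.
fn battery_friendly(t: Transport) -> bool {
    matches!(t, Transport::MqttTls | Transport::Coap | Transport::LoRa)
}

/// The coordinator's choice: the first policy-preferred transport the peer
/// can speak that also fits the peer's own constraints. None means enrollment
/// is refused rather than silently downgraded to a wire policy never listed.
pub fn negotiate(cap: &Capability, policy: &FleetPolicy) -> Option<Transport> {
    if cap.mtu < policy.min_mtu {
        return None;
    }
    policy.preference.iter().copied().find(|&t| {
        cap.transports.contains(&t)
            && typical_jitter_ms(t) <= cap.jitter_tolerance_ms
            && (!cap.battery_constrained || battery_friendly(t))
    })
}

/// The configuration handed back to the peer. The identity is what the policy
/// engine keys ACLs on; the transport is just the wire it was assigned.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PeerConfig {
    pub identity: String,
    pub transport: Transport,
}

pub fn enroll(identity: &str, cap: &Capability, policy: &FleetPolicy) -> Option<PeerConfig> {
    negotiate(cap, policy).map(|transport| PeerConfig { identity: identity.to_string(), transport })
}

/// A transport-agnostic ACL check: it sees identities only, never the wire.
pub fn acl_permits(allow: &[(&str, &str)], src: &PeerConfig, dst: &PeerConfig) -> bool {
    allow.iter().any(|(s, d)| *s == src.identity && *d == dst.identity)
}

fn main() {
    let policy = FleetPolicy {
        preference: vec![
            Transport::KernelWireGuard,
            Transport::UserspaceWireGuard,
            Transport::CellularIp,
            Transport::MqttTls,
        ],
        min_mtu: 576,
    };
    // Constructed sample peer: a laptop on Wi-Fi that also carries a cellular SIM.
    let mut laptop = Capability {
        transports: HashSet::from([Transport::UserspaceWireGuard, Transport::CellularIp]),
        mtu: 1280,
        jitter_tolerance_ms: 100,
        battery_constrained: false,
    };
    let first = enroll("laptop-42", &laptop, &policy).expect("policy allows a wire");
    // Wi-Fi drops: the peer re-publishes without its WireGuard path and the
    // coordinator switches wires; the identity, and so every ACL, is unchanged.
    laptop.transports.remove(&Transport::UserspaceWireGuard);
    let second = enroll("laptop-42", &laptop, &policy).expect("cellular fallback");
    println!("{:?} -> {:?} (same identity: {})", first.transport, second.transport, first.identity == second.identity);
}
```

The `None` branch is the deliberate part: a peer whose only advertised wire is absent from the fleet's preference list, or whose MTU is below the floor, gets no configuration at all instead of a best-effort tunnel the policy author never approved.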
Direct first
STUN-assisted hole punching. Relay only when needed.
Beacons attempts direct peer-to-peer first, every time. The `beacons-stun` server is RFC 8489 compliant. `beacons-signal` handles the candidate exchange. If hole-punching fails — symmetric NATs, hostile carrier-grade NAT, restricted firewalls — the connection drops to a relay.
The relay is a custom Rust component, not a coturn fork. It enforces fleet policy at the packet level: even if a peer learns the overlay address of a peer in another fleet's IP space, the relay refuses to forward the traffic. Encrypted payloads are not decrypted by the relay — only metadata is observable, and that metadata is itself logged into the audit chain.
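The relay's packet-level policy check, as an added example that is not the Beacons relay's own code: each fleet owns an overlay prefix, the relay refuses to forward when source and destination do not resolve to the same fleet (or when the source address is not inside the fleet the session was authenticated for), and every decision goes into an audit record that carries addressing and length but never the ciphertext. The one-prefix-per-fleet scheme, the type names and the wording of the drop reasons are assumptions for illustration; the linkage of records into a chain is left out here.

```rust
// Added example, not code from the Beacons project: a model of the relay's
// fleet-boundary check and metadata-only audit log. The prefix scheme, types
// and drop reasons are assumptions chosen for illustration.
use std::net::Ipv4Addr;

/// Which fleet owns which overlay prefix (assumed: one prefix per fleet).
#[derive(Debug, Clone)]
pub struct FleetPrefix {
    pub fleet: String,
    pub network: Ipv4Addr,
    pub prefix_len: u8,
}

fn in_prefix(addr: Ipv4Addr, p: &FleetPrefix) -> bool {
    let mask: u32 = if p.prefix_len == 0 { 0 } else { u32::MAX << (32 - p.prefix_len) };
    (u32::from(addr) & mask) == (u32::from(p.network) & mask)
}

/// A relayed packet as the relay sees it. `src_fleet` comes from the
/// authenticated relay session, not from anything inside the packet.
pub struct RelayedPacket<'a> {
    pub src_fleet: &'a str,
    pub src: Ipv4Addr,
    pub dst: Ipv4Addr,
    /// Opaque to the relay: never decrypted, never logged.
    pub ciphertext: &'a [u8],
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    Forward,
    Drop(&'static str),
}

/// Metadata-only audit record: addressing, fleets, length and verdict.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuditRecord {
    pub seq: u64,
    pub src_fleet: String,
    pub dst_fleet: Option<String>,
    pub src: Ipv4Addr,
    pub dst: Ipv4Addr,
    pub len: usize,
    pub verdict: Verdict,
}

pub struct Relay {
    prefixes: Vec<FleetPrefix>,
    audit: Vec<AuditRecord>,
}

impl Relay {
    pub fn new(prefixes: Vec<FleetPrefix>) -> Self {
        Relay { prefixes, audit: Vec::new() }
    }

    fn fleet_of(&self, addr: Ipv4Addr) -> Option<String> {
        self.prefixes.iter().find(|p| in_prefix(addr, p)).map(|p| p.fleet.clone())
    }

    /// Decide whether to forward, and record the decision either way.
    pub fn handle(&mut self, pkt: &RelayedPacket<'_>) -> Verdict {
        let src_fleet = self.fleet_of(pkt.src);
        let dst_fleet = self.fleet_of(pkt.dst);
        let verdict = if src_fleet.as_deref() != Some(pkt.src_fleet) {
            Verdict::Drop("source address outside its fleet's overlay")
        } else {
            match dst_fleet.as_deref() {
                None => Verdict::Drop("destination not in any fleet overlay"),
                Some(f) if f != pkt.src_fleet => Verdict::Drop("cross-fleet forwarding refused"),
                Some(_) => Verdict::Forward,
            }
        };
        let seq = self.audit.len() as u64;
        self.audit.push(AuditRecord {
            seq,
            src_fleet: pkt.src_fleet.to_string(),
            dst_fleet,
            src: pkt.src,
            dst: pkt.dst,
            len: pkt.ciphertext.len(),
            verdict: verdict.clone(),
        });
        verdict
    }

    pub fn audit(&self) -> &[AuditRecord] {
        &self.audit
    }
}

fn main() {
    let mut relay = Relay::new(vec![
        FleetPrefix { fleet: "fleet-a".to_string(), network: Ipv4Addr::new(100, 64, 0, 0), prefix_len: 16 },
        FleetPrefix { fleet: "fleet-b".to_string(), network: Ipv4Addr::new(100, 65, 0, 0), prefix_len: 16 },
    ]);
    // Constructed sample traffic: one in-fleet packet, one that crosses fleets.
    let same = RelayedPacket { src_fleet: "fleet-a", src: Ipv4Addr::new(100, 64, 0, 10), dst: Ipv4Addr::new(100, 64, 0, 20), ciphertext: b"opaque" };
    let cross = RelayedPacket { src_fleet: "fleet-a", src: Ipv4Addr::new(100, 64, 0, 10), dst: Ipv4Addr::new(100, 65, 0, 5), ciphertext: b"opaque" };
    println!("{:?} / {:?}", relay.handle(&same), relay.handle(&cross));
    for rec in relay.audit() {
        println!("{:?}", rec);
    }
}
```

Dropped packets are logged with the same shape as forwarded ones, so a detection rule over the audit stream can alert on repeated cross-fleet attempts from one source address without the relay ever needing to see plaintext.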