Loopback.Cloud

WireGuard mesh and agents

Loopback implements private host-to-host connectivity using WireGuard. The control plane computes who should peer with whom; the agent on each Linux host materializes host-level WireGuard configuration and manages the service lifecycle.

This page explains behavior customers and operators care about during diligence.


End state: every host in the network sees every other

For a given Loopback network, automation builds a full mesh:

  • Each host receives a stable overlay address inside the allocated CIDR.
  • Each host’s config lists every other host in that network as a peer with public key, endpoint address, and AllowedIPs scoped to the peer overlay address.
  • Bridged networks contribute extra peers pulled from other meshes (see Bridges).

The agent merges per-network configuration fragments into one operational WireGuard interface, enforcing a single private key across merged material for consistency.
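An added example (not Loopback's own code) of the two steps described above: building a per-network full-mesh fragment for one host, then merging several fragments into one interface while refusing material that does not share a single private key. Host names, keys, endpoints and overlay addresses below are constructed placeholders, and the keepalive value is an assumption rather than Loopback's real default.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    public_key: str   # WireGuard public key (constructed placeholders below)
    endpoint: str     # public host:port where the peer listens for WireGuard UDP
    overlay_ip: str   # stable address inside the network's allocated CIDR

def mesh_fragment(network, me, members, private_key):
    """Fragment for `me` in one network: every other member is a peer whose
    AllowedIPs is scoped to that peer's single overlay address."""
    peers = [{"PublicKey": h.public_key, "Endpoint": h.endpoint,
              "AllowedIPs": [f"{h.overlay_ip}/32"]}
             for h in members if h.name != me.name]
    return {"network": network, "PrivateKey": private_key,
            "Address": f"{me.overlay_ip}/32", "Peers": peers}

def merge_fragments(fragments):
    """Merge per-network fragments into one interface: reject mixed private
    keys; a peer seen in several networks gets one [Peer] block with the union of its AllowedIPs."""
    keys = {f["PrivateKey"] for f in fragments}
    if len(keys) != 1:
        raise ValueError(f"refusing to merge: {len(keys)} distinct private keys")
    peers = {}
    for f in fragments:
        for p in f["Peers"]:
            cur = peers.setdefault(p["PublicKey"], {**p, "AllowedIPs": []})
            for a in p["AllowedIPs"]:
                if a not in cur["AllowedIPs"]:
                    cur["AllowedIPs"].append(a)
    return {"PrivateKey": keys.pop(),
            "Addresses": [f["Address"] for f in fragments],
            "Peers": list(peers.values())}

def render(conf, keepalive=25):
    """wg-quick style text; the keepalive value is an assumed placeholder."""
    out = ["[Interface]", f"PrivateKey = {conf['PrivateKey']}",
           f"Address = {', '.join(conf['Addresses'])}"]
    for p in conf["Peers"]:
        out += ["", "[Peer]", f"PublicKey = {p['PublicKey']}",
                f"Endpoint = {p['Endpoint']}",
                f"AllowedIPs = {', '.join(p['AllowedIPs'])}",
                f"PersistentKeepalive = {keepalive}"]
    return "\n".join(out) + "\n"
# Constructed sample: "a" and "b" are in both networks, "c" only in net-a.
NET_A = [Host("a", "PUBKEY_A", "203.0.113.10:51820", "10.10.0.1"),
         Host("b", "PUBKEY_B", "203.0.113.11:51820", "10.10.0.2"),
         Host("c", "PUBKEY_C", "203.0.113.12:51820", "10.10.0.3")]
NET_B = [Host("a", "PUBKEY_A", "203.0.113.10:51820", "10.20.0.1"),
         Host("b", "PUBKEY_B", "203.0.113.11:51820", "10.20.0.2")]
```

Running `render(merge_fragments([mesh_fragment("net-a", NET_A[0], NET_A, "PRIVKEY_A"), mesh_fragment("net-b", NET_B[0], NET_B, "PRIVKEY_A")]))` yields one interface with two addresses and a single `[Peer]` block for host b covering both of its overlay addresses.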


Configuration delivery path

  1. Control plane stages configuration documents per network and host (keys, addresses, peer lists).
  2. Agent-driven apply rewrites live configuration, validates key consistency, and applies conservative tunnel defaults (MTU/keepalive tuned for nested encapsulation in typical deployments).
  3. Service restart applies changes; failures roll back to the last known good config where implemented.

Treat mesh apply like any other in-place network change: brief session impact is possible while interfaces bounce.


Keys and rotation

Key generation and assignment occur during network bring-up in the worker tier. The agent assumes one logical private key for the combined mesh bundle on a host. Rotation today effectively means re-running the network workflows after an operational key change; confirm your operator’s runbook for compliance-driven rotation frequency.


Debugging checklist (human-oriented)

  • Agent offline: Peers stay unreachable; reconciliation may flag hosts and monitoring sources.
  • Asymmetric routes: Rare, but security groups or provider firewalls outside Loopback can block the WireGuard UDP port, in which case the mesh never converges.
  • MTU issues: Defaults favor tunnel compatibility; if you encapsulate further, make sure your team understands upstream PMTUD.
  • Stuck after membership change: Use the host network re-apply API to schedule mesh refresh for all relevant networks.

Relationship to Kubernetes networking

The WireGuard mesh is underlay connectivity between servers. Kubernetes CNI, Services, and Ingress still operate on top once nodes join the cluster. Loopback does not replace CNI; it helps your nodes reach each other securely across untrusted networks.

