Ephemeral Link


One of the distinctive features of VeilNet is the ephemeral link. In conventional VPNs and overlay networks, the connection between peers is static and always up. This not only presents a permanent attack surface (VPN protocols such as WireGuard are based on UDP, which will always accept packets) but also introduces resource issues.

Such issues are especially challenging in conventional overlay networks, where a thousand devices means a million connections. Netbird attempts to solve this with “lazy connection”, which is an inferior solution compared to VeilNet’s ephemeral link, since it relies on constant polling and on a coordination server to re-establish the connection.

Our Solution #

VeilNet has a unique global control channel that allows Conflux instances to work together as “agents”, automatically optimising the entire network, which includes creating and dissolving ephemeral links:

  • Step 1: When a packet is created and needs to be transmitted, VeilNet Conflux first creates a coroutine and a queue for the destination.
  • Step 2: VeilNet Conflux searches for an optimal path via control channel messages and a Reinforcement Learning algorithm, while continuing to queue packets for the same destination.
  • Step 3: Once VeilNet Conflux finds an optimal path, it establishes an independent stream with a unique shared secret via Kyber KEM.
  • Step 4: VeilNet Conflux establishes multiple WebRTC data channels to the first hop of the path, bundling IP packets into an Anchor data frame and encrypting them for transmission.
  • Step 5: Once all IP packets have been transmitted, VeilNet Conflux terminates the stream and closes the WebRTC data channels.

Therefore, VeilNet Conflux not only natively supports “lazy connection”, but also dramatically raises the security level, because each destination has its own dedicated secure stream and queue. This also gives VeilNet Conflux better performance, since load balancing is done internally at the coroutine level: one destination that is slow to receive will not slow down packets for others.
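The five steps above and the per-destination queueing they rely on can be made concrete with a small simulation. The following Go program is an added example written for this page; it is not VeilNet's own code and makes several assumptions: the node names, packets and receivers are constructed for the demo, a random 32-byte key stands in for the secret a Kyber KEM would produce (the receiver is handed that key directly), route search (Step 2) is omitted so the next hop is the destination itself, and AES-256-GCM on the bare payload stands in for the Anchor data frame on a WebRTC data channel. What it does show is the ephemeral lifecycle: the first packet for a destination spawns a coroutine and a queue, later packets for the same destination join that queue, the worker seals each packet under a stream-specific key bound to the stream id, and the link is dissolved as soon as the queue drains, so a slow destination never blocks another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sync"
)

// Packet is an IP packet for destination node Dst (node names are constructed).
type Packet struct {
	Dst     string
	Payload []byte
}

// Receiver stands in for the next hop. At most one worker serves a destination
// at a time (see Send/run), so it needs no lock of its own.
type Receiver struct {
	streams  map[string]cipher.AEAD // stream id -> per-stream cipher
	Received [][]byte               // plaintexts in arrival order
	Rejected int                    // frames with an unknown stream or a bad tag
}

func NewReceiver() *Receiver { return &Receiver{streams: map[string]cipher.AEAD{}} }

// Deliver authenticates and decrypts one frame. The stream id is bound as
// associated data, so a frame cannot be replayed onto another stream.
func (r *Receiver) Deliver(id string, nonce, ct []byte) {
	aead, ok := r.streams[id]
	if !ok {
		r.Rejected++
		return
	}
	pt, err := aead.Open(nil, nonce, ct, []byte(id))
	if err != nil {
		r.Rejected++
		return
	}
	r.Received = append(r.Received, pt)
}

// Conflux keeps one ephemeral link per destination: created by the first
// packet, dissolved when its queue drains.
type Conflux struct {
	mu          sync.Mutex
	wg          sync.WaitGroup
	links       map[string][]Packet // live destinations and their queues
	peers       map[string]*Receiver
	Established int
	Terminated  int
}

func NewConflux(peers map[string]*Receiver) *Conflux {
	return &Conflux{links: map[string][]Packet{}, peers: peers}
}

// Send is Step 1: queue the packet, spawning the destination's coroutine if no
// link is live. Lookup and append share one critical section, so a draining
// worker can never see an empty queue while a packet is pending.
func (c *Conflux) Send(p Packet) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, live := c.links[p.Dst]; !live {
		c.Established++
		c.wg.Add(1)
		go c.run(p.Dst)
	}
	c.links[p.Dst] = append(c.links[p.Dst], p)
}

// run is the per-destination coroutine; Step 2's route search is omitted
// (assumption: the next hop is the destination itself).
func (c *Conflux) run(dst string) {
	defer c.wg.Done()
	// Step 3: fresh stream secret. A random key stands in for the Kyber KEM
	// output and the receiver learns it directly (assumption).
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	id := fmt.Sprintf("%s-%x", dst, key[:4])
	peer := c.peers[dst]
	peer.streams[id] = aead
	for {
		c.mu.Lock()
		q := c.links[dst]
		if len(q) == 0 {
			delete(c.links, dst) // Step 5: queue drained, dissolve the link
			c.Terminated++
			c.mu.Unlock()
			return
		}
		c.links[dst] = q[1:]
		c.mu.Unlock()
		// Step 4: seal the packet into a frame for the data channel.
		nonce := make([]byte, aead.NonceSize())
		rand.Read(nonce)
		peer.Deliver(id, nonce, aead.Seal(nil, nonce, q[0].Payload, []byte(id)))
	}
}

// Flush waits for every live link to drain and terminate.
func (c *Conflux) Flush() { c.wg.Wait() }
```

Run it by creating receivers for a few destinations, calling Send for several packets, then Flush; afterwards Established equals Terminated (every link that was opened has been torn down) and each receiver holds its packets in order. A frame carrying an unknown stream id, or one whose tag fails to verify, is counted in Rejected rather than silently dropped, which is the kind of signal a defender would want to surface from a real data channel.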

Stream #

The secure stream is unidirectional, so return packets must be sent via a different stream initiated from the destination. This allows egress and ingress traffic to potentially take on different paths, further increasing the adaptability and performance.

Route #

A stream defines the logical P2P secure channel between source and destination, but it does not define the actual data path. VeilNet Conflux supports multi-hop transmission natively, without the configuration that Tailscale Peer Relay requires. This multi-hop path is defined by the route, similar to a “circuit” in the Tor network. Each VeilNet Conflux instance on the path knows only the next hop and the previous hop, not the entire path. Additionally, the stream is not tied to a route: the route can change at any time while the same stream remains in use.
