Portal vs Rift Mode

Understand the difference between Portal mode and Rift mode for VeilNet Conflux

Overview

VeilNet Conflux operates in two distinct modes: Portal mode and Rift mode. The mode you choose determines how your Conflux node handles network traffic and what resources it can access.

Portal Mode

Portal mode enables your Conflux node to act as a gateway that provides access to networks and resources accessible from the host machine.

What Portal Mode Does

  • Dual network access: Has access to both VeilNet and regular networks (local network, internet, etc.) simultaneously
  • Exposes local networks: Makes the host machine, container networks, local network, VPC networks, and internet accessible to other VeilNet devices
  • Acts as a bridge: Allows VeilNet devices to reach resources that are only accessible from the Conflux host
  • Bidirectional access: Other devices on VeilNet can access resources behind the Portal, and the Portal can access both VeilNet resources and regular network resources

When to Use Portal Mode

Portal mode is ideal when you need a gateway or mini-router that can:

  • Expose services running on the host (web servers, databases, APIs)
  • Provide access to container networks (Docker, Kubernetes pods)
  • Share local network resources (NAS, printers, IoT devices)
  • Create a gateway to VPC or cloud resources
  • Allow remote access to on-premises infrastructure

Example Use Cases

  • Home server: Expose your home media server, NAS, or smart home devices to VeilNet
  • Cloud VPC gateway: Provide secure access to resources in a private cloud VPC
  • Container gateway: Allow VeilNet devices to access services running in Docker containers or Kubernetes clusters
  • Development environment: Share local development servers with team members

How to Enable Portal Mode

Using environment variable:

export VEILNET_PORTAL=true
./veilnet-conflux register -t "your-registration-token"

Using command flag:

./veilnet-conflux register -t "your-registration-token" -p

Rift Mode

Rift mode provides an entry point to VeilNet with absolute isolation. It captures all traffic from the host machine and routes it through VeilNet, while ensuring complete isolation from local networks.

What Rift Mode Does

  • Entry point to VeilNet: Acts as a secure entry point that connects the host to VeilNet
  • Captures host traffic: All network traffic from the host is routed through VeilNet
  • Loses regular network access: The host loses direct connection to regular networks (local network, internet, etc.)—all traffic must go through VeilNet
  • No network exposure: Does not forward or expose any networks accessible from the host to other VeilNet devices
  • Absolute isolation: Unlike Portal mode, Rift mode does not have simultaneous access to both VeilNet and regular networks

When to Use Rift Mode

Rift mode is ideal when you need an entry point to VeilNet with absolute isolation:

  • Connect devices to VeilNet without exposing local networks
  • Ensure complete isolation between VeilNet and local network resources
  • Route all device traffic through VeilNet as a secure entry point
  • Maintain absolute separation between the device's local network and VeilNet

Example Use Cases

  • Laptop/desktop entry point: Connect your personal computer to VeilNet with absolute isolation from your local network
  • Mobile device: Provide an isolated entry point to VeilNet from a mobile device
  • Secure isolated access: Use VeilNet as a secure, isolated entry point for all internet traffic
  • Remote worker: Connect to corporate resources via VeilNet while maintaining absolute isolation from home network

How to Enable Rift Mode

Using environment variable:

export VEILNET_PORTAL=false
./veilnet-conflux register -t "your-registration-token"

Or simply omit the flag:

./veilnet-conflux register -t "your-registration-token"

(Rift mode is the default when Portal mode is not explicitly enabled)
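
A pre-flight guard for the registration commands in the two "How to Enable" sections, added here as an example and not part of VeilNet's own tooling. Because the mode is fixed at registration, it stops a host from registering in a different mode than the operator intended. It assumes the binary honours VEILNET_PORTAL whenever it is exported and that either the variable or -p enables Portal; resolve_mode, guarded_register and CONFLUX_BIN are hypothetical names.

```sh
#!/bin/sh
# Added example: pre-flight guard around the page's register commands.
# Assumptions (not confirmed by the page): the binary honours VEILNET_PORTAL
# whenever it is exported, and either VEILNET_PORTAL=true or -p enables Portal.
# resolve_mode, guarded_register and CONFLUX_BIN are hypothetical names.

# resolve_mode ENV_VALUE [register args...]
# Prints "portal" or "rift"; fails on a value the page does not document.
resolve_mode() {
    env_value=$1; shift
    mode=rift                       # page: Rift is the default
    case $env_value in
        true)     mode=portal ;;
        false|'') ;;
        *) echo "VEILNET_PORTAL='$env_value' is neither true nor false" >&2
           return 2 ;;
    esac
    for arg in "$@"; do
        case $arg in -p) mode=portal ;; esac
    done
    echo "$mode"
}

# guarded_register EXPECTED_MODE [register args...]
# Refuses to register when the effective mode differs from the intended one,
# e.g. when VEILNET_PORTAL=true is still exported from an earlier session.
guarded_register() {
    expected=$1; shift
    effective=$(resolve_mode "${VEILNET_PORTAL-}" "$@") || return 2
    if [ "$effective" != "$expected" ]; then
        echo "refusing: would register as $effective, expected $expected" >&2
        return 1
    fi
    # CONFLUX_BIN lets the guard be dry-run, e.g. CONFLUX_BIN=echo.
    "${CONFLUX_BIN:-./veilnet-conflux}" register "$@"
}
```

Call it as guarded_register rift -t "your-registration-token" on client devices and guarded_register portal -t "your-registration-token" -p on gateways.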

Key Differences

| Feature | Portal Mode | Rift Mode |
|---|---|---|
| Purpose | Gateway/Mini-router | Entry Point with Isolation |
| Exposes local networks | ✅ Yes | ❌ No |
| Captures host traffic | ❌ No | ✅ Yes |
| Use case | Gateway/Router | Entry Point |
| Access to regular networks | ✅ Yes (simultaneous access to both VeilNet and regular networks) | ❌ No (only VeilNet, loses regular network connection) |
| Access to host resources | ✅ Other devices can access | ❌ Not exposed |
| Access to container networks | ✅ Yes | ❌ No |
| Access to local network | ✅ Yes | ❌ No |

Choosing the Right Mode

Choose Portal Mode if:

  • You need a gateway or mini-router to provide network access
  • You want to expose services or resources to VeilNet
  • You need to provide access to container networks or local networks
  • You're setting up a network gateway that bridges VeilNet with local networks

Choose Rift Mode if:

  • You need an entry point to VeilNet with absolute isolation
  • You want to connect a device to VeilNet without exposing local networks
  • You're okay with losing direct access to regular networks (all traffic goes through VeilNet)
  • You want to route all device traffic exclusively through VeilNet

Common Deployment Scenarios

Understanding how Portal and Rift modes work together in different deployment scenarios helps you design the right network architecture for your needs.

Scenario 1: All Portal Mode - Service Mesh & Multi-Region Clustering

Configuration: All Conflux instances run in Portal mode

Use Cases:

  • Service mesh architectures: Connect microservices across different environments, data centers, or cloud regions
  • Multi-region clustering: Create a unified network fabric across geographically distributed infrastructure
  • Hybrid cloud connectivity: Bridge on-premises data centers with multiple cloud providers
  • Container orchestration: Connect Kubernetes clusters across different regions or cloud providers

Benefits:

  • Full bidirectional connectivity between all nodes
  • Each node can access both VeilNet and its local network simultaneously
  • Ideal for infrastructure-to-infrastructure communication
  • Enables seamless service discovery and communication across regions

Example Architecture:

Region A (Portal) ←→ VeilNet ←→ Region B (Portal) ←→ VeilNet ←→ Region C (Portal)
        ↓                               ↓                               ↓
 Local Services                  Local Services                  Local Services

Scenario 2: Portal + Rift Mode - Securing Enterprise Access

Configuration: Portal mode for infrastructure, Rift mode for client devices

Use Cases:

  • DevOps access: Provide secure, isolated access for DevOps teams to enterprise infrastructure
  • Employee remote access: Enable employees to securely connect to corporate resources without exposing their local networks
  • Contractor access: Grant temporary, isolated access to specific enterprise resources
  • Secure development environments: Allow developers to access development infrastructure while maintaining isolation

Benefits:

  • Portal nodes expose enterprise resources to VeilNet
  • Rift nodes provide isolated entry points for users/devices
  • Complete isolation between user devices and their local networks
  • Enterprise resources remain accessible only through VeilNet with proper access control

Example Architecture:

Enterprise Network
     ↓ (Portal)
  VeilNet
     ↓
Employee Laptop (Rift)    DevOps Workstation (Rift)    Contractor Device (Rift)

Security Considerations:

  • Use Access Control to restrict which Rift nodes can access which Portal resources
  • Implement team-based policies to segment access by role (DevOps, employees, contractors)
  • Portal nodes should be properly secured and monitored

Scenario 3: All Rift Mode - Super Air Gap

Configuration: All Conflux instances run in Rift mode

Use Cases:

  • Maximum security isolation: Create a completely isolated network where all nodes lose connection to regular networks
  • Air-gapped environments: Connect devices that must remain isolated from any external network
  • High-security research: Network environments requiring absolute isolation from regular networks
  • Compliance requirements: Scenarios where regulatory requirements mandate complete network separation

Benefits:

  • Absolute isolation from regular networks
  • All communication happens exclusively through VeilNet
  • No risk of accidental exposure to regular networks
  • Maximum security through complete network separation

Example Architecture:

Device A (Rift) ←→ VeilNet ←→ Device B (Rift) ←→ VeilNet ←→ Device C (Rift)
(No regular      (Isolated      (No regular      (Isolated      (No regular
 network)        Network)        network)         Network)        network)

Important Considerations:

  • All devices lose direct access to regular networks (internet, local networks)
  • All communication must go through VeilNet
  • Requires careful planning for services that need external connectivity
  • Ideal for environments where security isolation is the primary concern

Important Notes

Warning: Portal mode exposes networks accessible from the host. We strongly recommend reading the Access Control documentation to understand how VeilNet's Packet Level Authentication (PLA) and team-based access control can help secure your Portal deployments.

Note: You can change the mode by unregistering and re-registering the Conflux with the desired mode setting. The mode is determined at registration time and stored in the configuration.