Why Not WireGuard

VeilNet does not use WireGuard because WireGuard’s architecture creates fundamental incompatibilities with modern distributed systems, especially cloud-native and AI-driven environments. A WireGuard interface carries a static MTU that the operator must size by hand: wg-quick sets it to the MTU of the route to the endpoint minus 80 bytes (1420 on a 1500-byte link) unless an explicit MTU is configured, and the tunnel performs no path MTU discovery of its own. That static value often conflicts with the encapsulation layers used by Kubernetes CNIs such as Flannel, Cilium or Calico. When a WireGuard tunnel is stacked with a container overlay, each VXLAN or Geneve layer consumes a further 50 bytes over IPv4, and packets that no longer fit are fragmented, or dropped when the don’t-fragment bit is set and the ICMP feedback never reaches the sender, producing stalled connections and hard-to-diagnose performance degradation. Because the per-interface MTU cannot adapt to varying overlay depths, it has to be recomputed for every stacking arrangement. This becomes unacceptable when AI workloads rely on high-throughput data transfer and low-latency coordination across nodes.
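To make the MTU arithmetic above concrete, here is an added example (not VeilNet’s code and not part of the WireGuard project) that computes the MTU each tunnel device in a stack of encapsulations can carry and checks whether wg-quick’s default still fits. The overhead figures are the fixed per-packet header sizes of each encapsulation; the 1450-byte underlay in the usage is a constructed stand-in for a cloud network that is itself a VXLAN fabric.

```python
# Added example: MTU budget for stacked tunnels (not VeilNet's or WireGuard's code).
# Each encapsulation adds a fixed per-packet overhead that depends on the IP
# version of the header that carries it. WireGuard's 16-byte padding is ignored
# because it never pushes a packet past the interface MTU.

OVERHEAD = {
    # outer IP header + UDP (8) + WireGuard data-message header (16) + Poly1305 tag (16)
    "wireguard": {4: 20 + 8 + 16 + 16, 6: 40 + 8 + 16 + 16},  # 60 / 80
    # inner Ethernet (14) + outer IP + UDP (8) + VXLAN header (8)
    "vxlan": {4: 14 + 20 + 8 + 8, 6: 14 + 40 + 8 + 8},  # 50 / 70
    # inner Ethernet (14) + outer IP + UDP (8) + Geneve base header (8), no options
    "geneve": {4: 14 + 20 + 8 + 8, 6: 14 + 40 + 8 + 8},  # 50 / 70
    # outer IP + GRE base header (4) with no key or checksum fields
    "gre": {4: 20 + 4, 6: 40 + 4},
    # outer IP header only (IPIP, IP6IP6, SIT)
    "ipip": {4: 20, 6: 40},
}

# wg-quick default: MTU of the route to the endpoint minus 80 (1420 on a 1500-byte link)
WG_QUICK_DEFAULT_MTU = 1420


def layer_mtus(physical_mtu, stack):
    """MTU each tunnel device in `stack` should carry, outermost first.

    `stack` is a list of (encapsulation, outer_ip_version) tuples, e.g.
    [("wireguard", 4), ("vxlan", 4)] for a WireGuard tunnel over IPv4 that
    carries a VXLAN pod network inside it. Raises ValueError when the
    payload budget is exhausted.
    """
    mtus = []
    remaining = physical_mtu
    for name, ipver in stack:
        remaining -= OVERHEAD[name][ipver]
        if remaining <= 0:
            raise ValueError(f"no payload budget left at layer {name!r}")
        mtus.append(remaining)
    return mtus


def oversize(configured_mtu, physical_mtu, stack):
    """Bytes by which `configured_mtu` on the innermost device of `stack`
    exceeds what the stack can carry; 0 means every full-size packet fits."""
    return max(0, configured_mtu - layer_mtus(physical_mtu, stack)[-1])


if __name__ == "__main__":
    # Constructed scenarios, not measurements from any real cluster.
    print(layer_mtus(1500, [("wireguard", 4), ("vxlan", 4)]))  # [1440, 1390]
    print(layer_mtus(1500, [("vxlan", 4), ("wireguard", 6)]))  # [1450, 1370]
    # wg-quick's default fits on a bare 1500-byte link, even with an IPv6 outer header...
    print(oversize(WG_QUICK_DEFAULT_MTU, 1500, [("wireguard", 6)]))  # 0
    # ...but not on a 1450-byte cloud underlay: the last 50 bytes of every
    # full-size packet are fragmented or dropped.
    print(oversize(WG_QUICK_DEFAULT_MTU, 1450, [("wireguard", 6)]))  # 50
```

The order of the stack matters: a VXLAN pod network running inside a WireGuard tunnel leaves 1390 bytes for pods, while WireGuard running inside a cloud VXLAN fabric leaves 1370 bytes, and wg-quick’s default of 1420 fits neither of those inner positions.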

WireGuard also uses a static public key as the peer identity, and its cryptokey routing (the AllowedIPs table) binds each inner address range to exactly one such key. This design assumes a direct, stable, one-to-one relationship between devices and authenticates only the immediately adjacent peer. A WireGuard node can forward packets for other peers at the IP layer, but each hop is its own tunnel: the packet is decrypted and re-encrypted at every relay, the receiver learns nothing cryptographically about who originated it beyond the previous hop, and nothing in the protocol supports dynamic path selection or multi-path delivery. Sophisticated routing models therefore have to be built outside the protocol, with every relay fully trusted. In contrast, VeilNet uses Dilithium signatures and cryptographically derived identity hashes that allow secure, verifiable packet forwarding across multiple hops without binding routing to a static public key.

Another major limitation is how WireGuard is deployed on a host. The wg-quick tooling that most deployments rely on adds a route for every AllowedIPs range, and when a peer is given 0.0.0.0/0 or ::/0 it also installs a policy-routing rule and a firewall mark (fwmark) so that the tunnel’s own UDP traffic bypasses the tunnel. Those rules and routes land directly in the operating system’s network stack, where they can interfere with existing routing, cluster networking, NAT rules and eBPF-based systems. In Kubernetes, Cilium’s eBPF datapath or Flannel’s VXLAN routing can be overridden or disrupted when these routing entries and fwmarks are applied to enforce a single encrypted tunnel. This often causes nodes to become unreachable, breaks pod-to-pod traffic or forces administrators to maintain fragile custom routes (or to disable wg-quick’s route management entirely and manage every route by hand). VeilNet does not modify the host routing table at all and operates independently of CNIs, allowing Kubernetes networks to function normally while VeilNet provides secure connectivity across clusters and clouds.

Finally, WireGuard’s static tunnels and configuration-driven topology are unsuitable for environments where IPs, pods, instances or entire regions change frequently. Every topology change means distributing a new peer entry (public key, endpoint and AllowedIPs) to every node that must reach it, replacing the key whenever a node is rebuilt without its private key, and keeping all of those peer lists synchronised, which is slow and operationally complex without an additional control plane. VeilNet avoids all of these constraints through ephemeral WebRTC data channels aggregated into high-performance tethers. These channels adapt in real time, support multi-path and multi-hop forwarding and are secured with Kyber KEM (standardised as ML-KEM), Dilithium signatures (standardised as ML-DSA) and AES-256-GCM. The result is a transport layer that scales with the dynamic nature of modern compute environments, maintains strong post-quantum security and operates without interfering with host networking.

See how we keep your network secure.

Contact us, see how VeilNet helps your team connect infrastructure, secure remote access, and scale without complexity.

Be among the first to shape the next generation of secure connectivity.
