Architecture
In Runetale, you can create a user-specific VPN environment associated with IdPs such as Okta, Microsoft Active Directory, and Google Workspace. For instance, if ACME Corporation uses Runetale, logging in with the @acme.com domain (email address) automatically sets up a network for the company.
After logging in, the User Management Server managed by Runetale authenticates and automatically builds a mesh network.
Runetale client (Mobile & Desktop app)
Runetale client is an agent application that must be installed on both the source and the destination of communication, such as devices and servers. In environments where you cannot install the client application (e.g. an AWS private VPC, printers, IoT devices), you can use the "Subnet Connector" feature to relay traffic and reach hosts on that subnet.
Runetale Client plays three main roles as an app resident on the user's device.
Device registration and authentication request
Runetale Client installed on the device executes login via SSO or CLI.
During this process, the User Management Server associates the device with the SSO login information (domain) and authenticates it.
Generate WireGuard's secret and public keys
Generates the public and secret key pair that WireGuard, the underlying communication protocol, requires for peer-to-peer networking. WireGuard binds each peer's public key to the tunnel IP addresses that peer is allowed to use, a scheme it calls "Cryptokey Routing". The generated public key is sent to the User Management Server during the first SSO login, enabling automatic metadata distribution. (The secret key is always managed by the device and never leaves it.)
Receive and manage node metadata
Each device/server receives a list of devices with authenticated node public keys and IP addresses. The following is an example, where [Peer] represents a node on Runetale. The private IP address associated with the domain, generated during authentication, is attached as part of the node metadata at the same time.
[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = 192.95.5.69:51820
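To make the key-to-address binding ("Cryptokey Routing") and the [Peer] metadata above concrete, here is an added example that is not Runetale's own code: it parses distributed [Peer] sections and applies the two checks WireGuard derives from them, the sender-side choice of which peer's key to encrypt to, and the receiver-side rejection of a decrypted packet whose inner source address is outside that peer's AllowedIPs. The sample metadata is constructed: it reuses the page's example key and endpoint for the first peer, and the second peer, its key, its endpoint and the 100.64.0.0/10 addresses are made up.

```python
import ipaddress

def parse_peers(text):
    """Parse the [Peer] sections of the WireGuard metadata a node receives."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Peer]":
            cur = {"public_key": "", "endpoint": "", "allowed_ips": []}
            peers.append(cur)
        elif line.startswith("["):
            cur = None  # [Interface] and other sections are not peers
        elif cur is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "PublicKey":
                cur["public_key"] = value
            elif key == "Endpoint":
                cur["endpoint"] = value
            elif key == "AllowedIPs":
                cur["allowed_ips"] = [ipaddress.ip_network(v.strip()) for v in value.split(",")]
    return peers

def route_outgoing(peers, dst_ip):
    """Sender side: the peer with the longest AllowedIPs match owns dst_ip,
    so the packet is encrypted to that peer's public key."""
    dst, best = ipaddress.ip_address(dst_ip), None
    for p in peers:
        for net in p["allowed_ips"]:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p, net)
    return best[0] if best else None

def accept_incoming(peer, inner_src_ip):
    """Receiver side: drop a packet that decrypted under this peer's key unless
    its inner source address lies inside that peer's AllowedIPs."""
    return any(ipaddress.ip_address(inner_src_ip) in net for net in peer["allowed_ips"])

# Constructed sample in the format shown above: the first peer reuses the page's
# example key and endpoint; the second is a made-up subnet connector entry.
SAMPLE_METADATA = """[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = 192.95.5.69:51820
AllowedIPs = 100.64.0.2/32
[Peer]
PublicKey = CONSTRUCTED_SUBNET_CONNECTOR_KEY=
Endpoint = 198.51.100.7:51820
AllowedIPs = 100.64.0.3/32, 10.20.0.0/16
"""
```

The second check is what stops a node that holds one valid key from injecting packets that claim another node's tunnel address: the packet decrypts, but its inner source is not in that key's AllowedIPs, so it is dropped.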
User Management Server

The User Management Server is the server that provides user authentication, access rights, and automatic distribution of WireGuard public keys. While the OSS version of WireGuard requires these settings to be updated manually, Runetale automates the management of all configuration information.
Some features are available as a closed beta version for corporate customers.
In order for a Node to accept a packet, it must first have exchanged metadata such as public keys with the other Nodes. Without sharing this information with other Nodes in real time, the client cannot find any potential communication partners.
Therefore, the User Management Server plays a role in automating the sharing of metadata (such as public keys and IP addresses used to identify Nodes) for multiple Nodes at the same time. (Since it only handles metadata processing, traffic is always peer-to-peer.)
WireGuard Public Key Management and Automatic Distribution
The Runetale client generates WireGuard public keys for devices/servers associated with a domain via an SSO account or the CLI, and their distribution is automated. By automating this process, each node can maintain an up-to-date mesh network environment.
WireGuard public keys are shared and managed on the User Management Server, but the private key required for packet decryption never leaves the local environment.
Management and Automatic Distribution of Metadata
All metadata related to the construction of the network (such as IP addresses and port numbers) associated with each node is centrally managed and automatically distributed. Access control list (ACL) information, such as which node has access rights to which other nodes, is managed and automated in the same way.
Your runetale network is only accessible by users and resources within the same domain. We support Carrier-grade NAT.
Signal Server
The Signal Server acts as an intermediary (streaming server) for devices/servers participating in the network (Runet) to establish P2P connections and perform handshakes.
Communication from each agent to the Signal Server is encrypted, and the Signal Server does not manage traffic data. Once a P2P connection is established, the Signal Server closes the stream connection (the channel used to bring two nodes into a P2P state).
Relay Server
The Relay Server plays a role in relaying traffic when P2P connections cannot be established due to the network environment. It has the same function as the TURN server for WebRTC, and routes packets through the Runetale server to reach the communication destination.
In this case, it is strictly speaking not P2P communication but hub-and-spoke communication. However, since the private key is always managed locally, the relay cannot decrypt the packets it forwards.
The Relay Server is typically used where NAT (Network Address Translation) is involved. For example, when users do not manage their own network, such as on free Wi-Fi in cafes or airports, P2P communication may not be established.