Doc / Architecture

Architecture

We designed and developed OmniEdge based upon the following objectives:

Simple enough to use for both users and network administrators
Based on the Zero-trust security model
Users can establish a strictly secure network through authentication services such as Okta, Azure AD, etc.
Use peer-to-peer communication instead of relaying nodes to increase network speed and reduce single-point failure risks

Overview

OmniEdge v2.x is built entirely in Rust for memory safety, performance, and cross-platform compatibility. The core VPN transport is powered by OmniNervous, a WireGuard-based protocol implementation that provides:

Modern cryptographic primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s)
Noise protocol framework for secure key exchange
NAT traversal with STUN/TURN support
Low-latency peer-to-peer connections

Architecture Diagram

┌─────────────────────────────────────────────────────────────────┐
│                    OmniEdge Application                         │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                    Plugin Layer (WASM)                     │  │
│  │   ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐      │  │
│  │   │  Event  │  │  Auth   │  │ Policy  │  │   QoS   │ ...  │  │
│  │   │ Plugin  │  │ Plugin  │  │ Plugin  │  │ Plugin  │      │  │
│  │   └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘      │  │
│  │        │            │            │            │            │  │
│  │   ┌────┴────────────┴────────────┴────────────┴────┐      │  │
│  │   │              WASM Runtime (wasmtime)            │      │  │
│  │   └─────────────────────────────────────────────────┘      │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                  │
│  ════════════════════ PLUGIN-FREE BOUNDARY ════════════════════ │
│                                                                  │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │              OmniNervous VPN Transport (No Plugins)        │  │
│  │                  WireGuard-based Protocol                   │  │
│  └───────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────┘

Security Note: Plugins run only in the application layer. The core VPN transport (OmniNervous) remains plugin-free for maximum security and performance.

Core Components

Super Node

Coordinates communication between nodes within the virtual network:

Facilitates NAT traversal and hole punching
Establishes direct peer-to-peer connections when possible
Relays traffic when direct connection is not possible (symmetric NAT, restrictive firewalls)
Supports STUN/TURN protocols for connection establishment

OmniNervous Transport

The VPN transport layer built on WireGuard protocol:

Encryption: ChaCha20-Poly1305 authenticated encryption
Key Exchange: Noise_IK handshake with Curve25519
Perfect Forward Secrecy: Session keys rotate automatically
Roaming: Seamless connection migration across networks
Keep-alive: Maintains connections through NAT

Node (Edge)

An entity within the virtual network that acts as a proxy for devices:

Maintains virtual network interface (TUN/TAP)
Manages encryption keys and peer public keys
Routes TCP and UDP traffic over the VPN tunnel
Provides local DNS resolution for network peers
Supports multiple simultaneous network connections

Manager (Backend)

The orchestrator of the virtual network:

Manages network configuration, device registration, and public keys
Authenticates nodes and distributes network topology
Coordinates network changes (join, leave, peer updates)
Maintains device lifecycle and session management
Integrates with identity providers (Okta, Azure AD, SAML)
Enforces access control lists (ACLs) and network policies

Client (CLI / Desktop / Mobile)

User-facing applications to access the virtual network:

CLI: Command-line interface for servers, containers, and automation
Desktop: Native applications (Windows, macOS, Linux) with system tray integration
Mobile: iOS and Android applications

Features:

User authentication and session management
Network selection and connection control
Peer discovery and status monitoring
Plugin management (Desktop and CLI)

Plugin System (v2.2.0+)

OmniEdge supports extensibility through WebAssembly plugins:

7 Plugin Types: Event hooks, authentication, network policy, QoS, data triage, PdM reporting, compliance
Sandbox Isolation: Plugins run in WASM sandboxes with memory limits
Hot Reload: Load/unload plugins without VPN restart
Cross-Platform: Same plugin binary works on Windows, macOS, Linux

See Plugin System for detailed documentation.

Security Model

Layer	Security Measure
Transport	WireGuard encryption (ChaCha20-Poly1305)
Key Exchange	Noise protocol with Curve25519
Authentication	OAuth2, SAML, hardware tokens
Authorization	Role-based access control (RBAC)
Plugins	WASM sandbox with capability-based access

Platform Support

Platform	CLI	Desktop	Notes
Windows	x64, ARM64	x64, ARM64	Windows 10/11
macOS	Intel, Apple Silicon	Intel, Apple Silicon	macOS 12+
Linux	x86_64, aarch64, riscv64	x86_64, aarch64	DEB/RPM/AppImage
Raspberry Pi	Yes	-	ARM64
Docker	Yes	-	Official images
GitHub Actions	Yes	-	CI/CD integration

If you have more questions, feel free to discuss.

On This Page

Docs