
# WireGuard tunnel for a FlatRender render node.
#
# The render node only ever dials OUT to the control plane — it never needs a
# public IP or any inbound firewall rule. All traffic to the gateway / MinIO
# rides this encrypted tunnel, so nodes can live behind NAT, on home ADSL, or
# in any datacenter.
#
# Fill in the four <PLACEHOLDERS> below, save as `wg-flatrender.conf`, then run
# setup-wireguard.ps1 (or import it in the WireGuard GUI).
[Interface]
# This node's private key (generate on the node: `wg genkey`). It is stored here
# in plaintext, so keep this file's permissions restricted to the account that
# runs WireGuard, never paste the key into tickets/chat, and if it is ever
# exposed generate a fresh pair and register the new public key with the
# control plane (the old key then stops working).
PrivateKey = <NODE_PRIVATE_KEY>
# This node's address inside the mesh. Pick a unique 10.66.0.x per node — the
# control plane identifies each node by this address, so two nodes sharing one
# cannot both be reached.
Address = 10.66.0.<NODE_NUMBER>/32
# Optional: leave unset so name resolution stays on the LAN resolver — the tunnel
# only carries mesh traffic (see AllowedIPs). Uncomment to force a specific
# resolver instead; the example below is a public one, not a LAN one.
# DNS = 1.1.1.1
[Peer]
# Control plane (gateway + MinIO host) public key (from the server: `wg show`).
# Confirm it through a second channel (deployment docs, an admin) before use —
# a mistyped key just never handshakes, but a substituted one means the node
# would be tunnelling to whoever holds the matching private key.
PublicKey = <SERVER_PUBLIC_KEY>
# Optional defence-in-depth: a per-node pre-shared key layered on top of the
# public-key handshake (generate with `wg genpsk`; the same value must be set on
# the control plane's [Peer] entry for this node).
# PresharedKey = <NODE_PRESHARED_KEY>
# Public endpoint of the control plane: <public-ip-or-host>:51820
Endpoint = <SERVER_PUBLIC_ENDPOINT>:51820
# Only route the mesh subnet through the tunnel — everything else uses the normal
# internet path. 10.66.0.0/24 = the FlatRender control + render mesh.
# AllowedIPs is also WireGuard's cryptokey-routing filter: packets arriving from
# this peer with a source address outside 10.66.0.0/24 are dropped, and nothing
# destined outside the mesh is ever sent to it. Do not widen it to 0.0.0.0/0
# unless you intend the control plane to become this node's default gateway.
AllowedIPs = 10.66.0.0/24
# Hold the NAT mapping open so the orchestrator can reach the node's :7777 health
# port and so long-poll claims stay alive behind home routers / CGNAT.
# Value is in seconds; 25 is the interval the WireGuard docs recommend.
# NOTE(review): anything on the mesh, not only the orchestrator, can reach :7777
# through the tunnel — confirm the node's host firewall limits that port to the
# tunnel interface / 10.66.0.0/24 rather than exposing it on every interface.
PersistentKeepalive = 25