The WireGuard mesh uses a structured addressing scheme managed by HydraGuard. All addresses are within the 10.10.0.0/16 supernet, with each peer type allocated a specific range.
| Peer Type | Tunnel Address Range | LAN Range | Purpose |
|---|---|---|---|
| Hub | 10.10.0.1/24 | None | Central WireGuard hub (district server) |
| Venues | 10.10.1-49.1/32 | 10.0.1-49.0/24 | Fixed venue gateways (partner, Omada, Linux VM) |
| NeckAir | 10.10.50-99.1/32 | 10.0.50-99.0/24 | Mobile venue-in-a-box (MikroTik router) |
| Air | 10.10.100.1-254/32 | None (no LAN) | Standalone Bodies (direct tunnel, no gateway) |

| Field | Value |
|---|---|
| Tunnel address | 10.10.0.1/24 |
| WireGuard port | 51820/udp |
| Endpoint | hydraguard.experiencenet.com |
| Role | Routes all inter-peer traffic |
The hub has AllowedIPs entries for every peer in the mesh. IP forwarding is enabled so traffic between spokes routes through the hub.
Each venue gets:
- Tunnel address: 10.10.N.1/32 (N = 1-49)
- LAN subnet: 10.0.N.0/24

Bodies and Heads behind the venue gateway use addresses within the venue's LAN subnet.
Custom LAN subnets can be specified with --lan when adding a venue, but the default scheme is recommended for consistency.
At partner-managed locations, the CIDR allocation is wider (/20 blocks) to accommodate their VLAN structure:
| VLAN | Purpose | CIDR Pattern |
|---|---|---|
| Management | Switches, APs, infrastructure | 10.10X.0.0/20 |
| Body | Render nodes | Subset of management range |
| Head / Wireless | Display devices, user devices | 10.10X.4.0/20 |
The exact allocation depends on the site requirements and is coordinated between HYDRA and the partner during venue onboarding.
| Port | Protocol | Purpose |
|---|---|---|
| 51820 | UDP | WireGuard tunnel (hub) |

| Port | Protocol | Purpose |
|---|---|---|
| 47990 | TCP | Sunshine API (health, pairing, app management) |
| 47991 | TCP | HydraBody API (experience launch/stop) |
| 47994 | UDP | HydraVoice (microphone relay) |
| 47995 | UDP | RTP audio (browser mic to virtual audio device) |

| Port | Protocol | Purpose |
|---|---|---|
| 3478 | TCP/UDP | TURN relay (coturn) |
| 40000-40300 | UDP | WebRTC media (20 ports per session) |
| 49152-65535 | UDP | TURN media relay (coturn) |

Addresses are auto-assigned when adding peers to HydraGuard:
```bash
hydraguard venue add site-name --location city --guard partner
# Assigns next available 10.10.N.1/32 + 10.0.N.0/24

hydraguard air add 042
# Assigns 10.10.100.42/32
```
Removed addresses are recycled. The mesh state lives in mesh.yaml, the single source of truth for the entire WireGuard topology.
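
The sketch below is an added example, not HydraGuard's own code. It derives the scheme's addresses for a slot, picks the next free slot so removed ones are reused, and audits a peer list for off-scheme tunnel addresses and overlapping LAN subnets, which a custom `--lan` value can introduce. The peer dict layout and the lowest-free-index recycling policy are assumptions; the mesh.yaml schema is not shown on this page.

```python
import ipaddress as ip

SUPERNET = ip.ip_network("10.10.0.0/16")
# Index ranges from the table above: third octet (venue, neckair), fourth octet (air).
RANGES = {"venue": range(1, 50), "neckair": range(50, 100), "air": range(1, 255)}


def expected(kind, n):
    """Return (tunnel /32, default LAN or None) for slot n of a peer type."""
    if n not in RANGES[kind]:
        raise ValueError(f"{kind} index {n} outside {RANGES[kind]}")
    if kind == "air":
        return ip.ip_network(f"10.10.100.{n}/32"), None
    return ip.ip_network(f"10.10.{n}.1/32"), ip.ip_network(f"10.0.{n}.0/24")


def next_free(kind, peers):
    """Lowest unused index for a peer type, so removed slots are recycled (assumed policy)."""
    used = {p["index"] for p in peers if p["kind"] == kind}
    for n in RANGES[kind]:
        if n not in used:
            return n
    raise RuntimeError(f"no free {kind} slots")


def audit(peers):
    """List findings: tunnel address off-scheme, or LAN subnets that overlap."""
    findings, seen = [], []
    for p in peers:
        tunnel, _ = expected(p["kind"], p["index"])
        if ip.ip_network(p["tunnel"]) != tunnel:
            findings.append(f"{p['name']}: tunnel {p['tunnel']} != {tunnel}")
        if p.get("lan"):
            lan = ip.ip_network(p["lan"])
            clashes = [name for name, other in seen if lan.overlaps(other)]
            if lan.overlaps(SUPERNET):
                clashes.append("tunnel supernet")
            findings += [f"{p['name']}: LAN {lan} overlaps {c}" for c in clashes]
            seen.append((p["name"], lan))
    return findings


# Constructed sample state; this dict layout is hypothetical, not the mesh.yaml schema.
PEERS = [
    {"name": "site-a", "kind": "venue", "index": 1, "tunnel": "10.10.1.1/32", "lan": "10.0.1.0/24"},
    {"name": "site-c", "kind": "venue", "index": 3, "tunnel": "10.10.3.1/32", "lan": "10.0.1.128/25"},
    {"name": "box-1", "kind": "neckair", "index": 50, "tunnel": "10.10.50.1/32", "lan": "10.0.50.0/24"},
    {"name": "air-042", "kind": "air", "index": 42, "tunnel": "10.10.100.42/32"},
]
```

On the sample, `next_free("venue", PEERS)` reuses slot 2, and `audit(PEERS)` flags site-c, whose custom LAN sits inside site-a's default subnet.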