
Crate zlayer_overlay


ZLayer Overlay - Encrypted overlay networking via boringtun

Provides encrypted overlay networks using boringtun (Cloudflare’s Rust userspace WireGuard implementation) with DNS service discovery, automatic bootstrap on node init/join, IP allocation, and health checking.

No kernel WireGuard module or wireguard-tools required – uses TUN devices (Linux /dev/net/tun, macOS utun) and configures peers via the UAPI protocol.

§Modules

  • allocator - IP address allocation for overlay networks
  • bootstrap - Overlay network initialization and joining
  • config - Configuration types for overlay networks
  • dns - DNS server for service discovery
  • edge_cache - Edge-cache eligibility registry
  • egress - Physical-egress resolver (finds the real NIC used to reach the outside world, ignoring VPN-mesh interfaces)
  • error - Error types for overlay operations
  • firewall - Inbound firewall-rule management for the overlay, API and Raft ports (Windows; stub on other OSes)
  • gossip - Serf/SWIM-style gossip pool for worker-tier overlay peer discovery
  • health - Health checking for peer connectivity
  • transport - Overlay transport (boringtun device management via UAPI)

§Example

The snippets below run inside an async function that returns zlayer_overlay::Result<()>; that is what their ? and .await calls rely on.

§Initialize as cluster leader

use zlayer_overlay::bootstrap::OverlayBootstrap;
use std::path::Path;

let bootstrap = OverlayBootstrap::init_leader(
    "10.200.0.0/16",
    51820,
    Path::new("/var/lib/zlayer"),
).await?;

// Start the overlay network (creates boringtun TUN device)
bootstrap.start().await?;

println!("Overlay IP: {}", bootstrap.node_ip());
println!("Public key: {}", bootstrap.public_key());

§Join an existing overlay

use zlayer_overlay::bootstrap::OverlayBootstrap;
use std::path::Path;

let bootstrap = OverlayBootstrap::join(
    "10.200.0.0/16",           // Leader's CIDR
    "192.168.1.100:51820",     // Leader's endpoint
    "leader_public_key",       // Leader's public key
    "10.200.0.1".parse()?,     // Leader's overlay IP
    "10.200.0.5".parse()?,     // Our allocated IP
    51820,                      // Our listen port
    Path::new("/var/lib/zlayer"),
).await?;

bootstrap.start().await?;
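The join call above takes the leader's CIDR, the leader's overlay IP and our allocated IP on trust. As an added example (not zlayer_overlay's own allocator or bootstrap code, which this page does not show), the std-only Rust below does the two things a practitioner would want to see: how a per-node slice of the overlay is carved and handed out without ever reusing an address, and the sanity checks a joiner should run on those three arguments before dialing the leader. The /24 slice size and the names Cidr, node_slice, SliceAllocator and validate_join are assumptions for this example; they are not the crate's NodeSliceAllocator, IpAllocator or DEFAULT_SLICE_PREFIX.

```rust
use std::collections::BTreeSet;
use std::net::Ipv4Addr;

/// IPv4 network in CIDR notation, parsed with std only (this example does not
/// use the `ipnet` crate the real allocator re-exports).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Cidr {
    pub net: u32,
    pub prefix: u8,
}

fn mask(prefix: u8) -> u32 {
    if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) }
}

impl Cidr {
    pub fn parse(s: &str) -> Result<Cidr, String> {
        let (ip, p) = s.split_once('/').ok_or("missing '/' in CIDR")?;
        let ip: Ipv4Addr = ip.parse().map_err(|e| format!("bad address: {e}"))?;
        let prefix: u8 = p.parse().map_err(|e| format!("bad prefix: {e}"))?;
        if prefix > 32 {
            return Err("prefix length exceeds 32".into());
        }
        Ok(Cidr { net: u32::from(ip) & mask(prefix), prefix })
    }
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        u32::from(ip) & mask(self.prefix) == self.net
    }
    pub fn broadcast(&self) -> u32 {
        self.net | !mask(self.prefix)
    }
}

/// Carve the `node_index`-th `slice_prefix` block out of `overlay` (assumed /24
/// slices here; the crate's own DEFAULT_SLICE_PREFIX value is not on this page).
pub fn node_slice(overlay: Cidr, slice_prefix: u8, node_index: u32) -> Option<Cidr> {
    if slice_prefix < overlay.prefix || slice_prefix > 32 {
        return None;
    }
    let slices = 1u64 << (slice_prefix - overlay.prefix);
    if u64::from(node_index) >= slices {
        return None; // overlay exhausted: no slice left for this node
    }
    let offset = (u64::from(node_index) << (32 - slice_prefix)) as u32;
    Some(Cidr { net: overlay.net + offset, prefix: slice_prefix })
}

/// Hands out the lowest free host address in one slice, skipping the network and
/// broadcast addresses and never reusing an address (linear scan: fine for a /24).
pub struct SliceAllocator {
    cidr: Cidr,
    used: BTreeSet<u32>,
}

impl SliceAllocator {
    pub fn new(cidr: Cidr) -> Self {
        SliceAllocator { cidr, used: BTreeSet::new() }
    }
    fn usable(&self, n: u32) -> bool {
        self.cidr.prefix < 31 && n > self.cidr.net && n < self.cidr.broadcast()
    }
    /// Pin an address chosen out of band, e.g. the leader's fixed overlay IP.
    pub fn reserve(&mut self, ip: Ipv4Addr) -> Result<(), String> {
        let n = u32::from(ip);
        if !self.usable(n) {
            return Err(format!("{ip} is not a usable host address in this slice"));
        }
        if !self.used.insert(n) {
            return Err(format!("{ip} is already allocated"));
        }
        Ok(())
    }
    pub fn allocate(&mut self) -> Option<Ipv4Addr> {
        if self.cidr.prefix >= 31 {
            return None; // /31 and /32 have no host range under this rule
        }
        let free = (self.cidr.net + 1..self.cidr.broadcast()).find(|n| !self.used.contains(n))?;
        self.used.insert(free);
        Some(Ipv4Addr::from(free))
    }
}

/// Checks a joiner should run on the `join(...)` arguments before dialing the leader.
pub fn validate_join(cidr: &str, leader_ip: Ipv4Addr, our_ip: Ipv4Addr) -> Result<(), String> {
    let overlay = Cidr::parse(cidr)?;
    for (who, ip) in [("leader", leader_ip), ("our", our_ip)] {
        if !overlay.contains(ip) {
            return Err(format!("{who} IP {ip} is outside {cidr}"));
        }
        if u32::from(ip) == overlay.net || u32::from(ip) == overlay.broadcast() {
            return Err(format!("{who} IP {ip} is the network or broadcast address"));
        }
    }
    if leader_ip == our_ip {
        return Err(format!("our IP {our_ip} collides with the leader"));
    }
    Ok(())
}
```

With the values from the join snippet, validate_join("10.200.0.0/16", 10.200.0.1, 10.200.0.5) passes; reserving 10.200.0.1 in slice 0 and then calling allocate() yields 10.200.0.2, and a slice that has run out returns None rather than wrapping into the next node's range.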

§With DNS service discovery

use zlayer_overlay::OverlayBootstrap;
use std::path::Path;

// Enable DNS service discovery on the overlay
let mut bootstrap = OverlayBootstrap::init_leader(
    "10.200.0.0/16",
    51820,
    Path::new("/var/lib/zlayer"),
)
.await?
.with_dns("overlay.local.", 15353)?;  // Zone and port

bootstrap.start().await?;

// Peers are auto-registered:
// - node-0-1.overlay.local -> 10.200.0.1 (leader)
// - leader.overlay.local -> 10.200.0.1 (alias)

// Query DNS from another machine:
// dig @10.200.0.1 -p 15353 node-0-1.overlay.local

§Health checking

use zlayer_overlay::health::OverlayHealthChecker;
use std::time::Duration;

let checker = OverlayHealthChecker::new("zl-overlay0", Duration::from_secs(30));

// Check all peers
let health = checker.check_all().await?;
println!("Healthy: {}/{}", health.healthy_peers, health.total_peers);

// Start continuous monitoring
checker.run(|public_key, healthy| {
    println!("Peer {} is now {}", public_key, if healthy { "UP" } else { "DOWN" });
}).await;
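The checker above reports each peer as UP or DOWN, but the page does not show how that status is derived. As an added example (not the crate's OverlayHealthChecker), the std-only Rust below parses the peer section of a WireGuard UAPI get=1 reply, the same UAPI protocol the transport module uses to talk to boringtun, and flags a peer as down when its last handshake is stale. The 180 s threshold (WireGuard rejects a session 180 s after its handshake, so a live peer with a 25 s keepalive re-handshakes well inside that), the names parse_uapi_get and classify, and the sample reply with abbreviated keys are assumptions constructed for this example.

```rust
use std::collections::HashMap;

/// Per-peer fields taken from a WireGuard UAPI `get=1` reply.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct PeerInfo {
    pub public_key: String,
    pub endpoint: Option<String>,
    pub last_handshake_sec: u64,
    pub rx_bytes: u64,
    pub tx_bytes: u64,
}

/// Parse the `key=value` lines of a UAPI `get=1` reply. Interface fields
/// (`private_key`, `listen_port`, ...) come first and are skipped; each
/// `public_key=` line starts a new peer; a non-zero `errno` is an error.
pub fn parse_uapi_get(reply: &str) -> Result<Vec<PeerInfo>, String> {
    let mut peers: Vec<PeerInfo> = Vec::new();
    for line in reply.lines().map(str::trim).filter(|l| !l.is_empty()) {
        let (k, v) = line.split_once('=').ok_or_else(|| format!("malformed line: {line}"))?;
        let num = || v.parse::<u64>().map_err(|e| format!("{k}={v}: {e}"));
        match k {
            "public_key" => peers.push(PeerInfo { public_key: v.to_string(), ..Default::default() }),
            "errno" if v != "0" => return Err(format!("device returned errno={v}")),
            "errno" => {}
            _ => match peers.last_mut() {
                None => {} // interface-level field before the first peer: not needed here
                Some(p) => match k {
                    "endpoint" => p.endpoint = Some(v.to_string()),
                    "last_handshake_time_sec" => p.last_handshake_sec = num()?,
                    "rx_bytes" => p.rx_bytes = num()?,
                    "tx_bytes" => p.tx_bytes = num()?,
                    _ => {} // allowed_ip, preshared_key, keepalive, nsec: ignored
                },
            },
        }
    }
    Ok(peers)
}

/// Assumed health rule for this example: UP if the peer completed a handshake
/// within `max_age_secs` of `now`. `last_handshake_time_sec=0` means the peer
/// never handshook at all and is therefore DOWN regardless of age.
pub fn classify(peers: &[PeerInfo], now: u64, max_age_secs: u64) -> HashMap<String, bool> {
    peers
        .iter()
        .map(|p| {
            let up = p.last_handshake_sec != 0 && now.saturating_sub(p.last_handshake_sec) <= max_age_secs;
            (p.public_key.clone(), up)
        })
        .collect()
}

/// Constructed sample reply (keys abbreviated; a real reply carries 64 hex chars per key).
pub const SAMPLE_REPLY: &str = "\
private_key=00ff
listen_port=51820
public_key=aa11
endpoint=192.168.1.100:51820
last_handshake_time_sec=1700000000
last_handshake_time_nsec=0
rx_bytes=1024
tx_bytes=2048
persistent_keepalive_interval=25
allowed_ip=10.200.0.1/32
public_key=bb22
endpoint=192.168.1.101:51820
last_handshake_time_sec=1699999700
rx_bytes=0
tx_bytes=512
allowed_ip=10.200.0.5/32
public_key=cc33
last_handshake_time_sec=0
allowed_ip=10.200.0.6/32
errno=0
";

fn main() {
    let peers = parse_uapi_get(SAMPLE_REPLY).expect("well-formed UAPI reply");
    for (key, up) in classify(&peers, 1_700_000_010, 180) {
        println!("peer {key} is {}", if up { "UP" } else { "DOWN" });
    }
}
```

Run against the constructed reply at now = 1700000010, aa11 (handshake 10 s ago) is UP, bb22 (310 s ago) is DOWN, and cc33 (never handshook) is DOWN; a reply ending in a non-zero errno is surfaced as an error instead of an empty, falsely healthy peer list.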

Re-exports§

pub use allocator::IpAllocator;
pub use allocator::NodeSliceAllocator;
pub use allocator::NodeSliceAllocatorSnapshot;
pub use bootstrap::BootstrapConfig;
pub use bootstrap::BootstrapState;
pub use bootstrap::OverlayBootstrap;
pub use bootstrap::PeerConfig;
pub use bootstrap::DEFAULT_INTERFACE_NAME;
pub use bootstrap::DEFAULT_KEEPALIVE_SECS;
pub use bootstrap::DEFAULT_OVERLAY_CIDR;
pub use bootstrap::DEFAULT_SLICE_PREFIX;
pub use egress::bind_to_device;
pub use egress::detect_physical_egress;
pub use egress::is_virtual_interface;
pub use egress::PhysicalEgress;
pub use error::OverlayError;
pub use error::Result;
pub use gossip::GossipConfig;
pub use gossip::GossipPool;
pub use gossip::TopologyEvent;
pub use health::OverlayHealth;
pub use health::OverlayHealthChecker;
pub use health::PeerStatus;
pub use ipnet;
pub use config::*;
pub use dns::*;
pub use transport::*;

Modules§

allocator
IP address allocation for overlay networks
bootstrap
Overlay network bootstrap functionality
config
Overlay network configuration
dns
DNS server for service discovery over overlay networks
edge_cache
Edge-cache eligibility registry.
egress
Physical-egress resolver: find the real NIC the box uses to reach the outside world, ignoring VPN-mesh interfaces.
error
Error types for overlay network operations
firewall
Inbound firewall-rule management for the overlay + API + Raft ports.
gossip
Serf/SWIM-style gossip pool for worker-tier overlay peer discovery.
health
Health checking for overlay network peers
transport
Encrypted overlay transport layer

Constants§

DEFAULT_WG_PORT
Default overlay listen port (WireGuard protocol; re-exported from zlayer-core).