Nanami DocsGuide
Search docsFilter pages by title

Control plane vs data plane

Nanami separates configuration control from packet transport.

Control plane

The control plane is responsible for:

  • identity and access workflows,
  • tenant/group/network object management,
  • desired-state generation,
  • gateway and node inventory,
  • API and WebUI workflows.

It does not carry encrypted workload payload itself.

Data plane

The data plane is responsible for:

  • encrypted WireGuard packets between peers,
  • gateway-assisted forwarding when direct path is unavailable,
  • runtime handshake and transfer behavior.

Diagram (text)

Operator -> Control plane (desired state) -> Gateway manager/daemon + peers -> WireGuard data plane

Why this split matters

  • Control-plane outages and data-plane traffic are different failure domains.
  • Existing tunnels can continue while control APIs are unavailable, until new policy/state changes are required.
  • Operators can reason about configuration and traffic separately during incidents.

Relation to gateways and gateways

  • Gateway manager/gateway daemon are orchestration components between control and runtime state.
  • Gateway selection is decided in control-plane policy and enforced in data-plane routing behavior.

NAT traversal model (high level)

  1. Nodes attempt to establish connectivity according to current policy.
  2. If direct paths are unavailable or unstable, gateway paths are used.
  3. Gateway state and health are reported back as observed state.

This keeps gateway use explicit and operationally visible.

Edit this page