Networking

How traffic flows between users, the control plane, and worker hosts — and why each hop looks the way it does.

WiseHosting has three distinct traffic planes. Keeping them straight is the easiest way to reason about firewalls, TLS, and what is allowed to talk to what.

Plane	Who talks	Where	Encrypted by
User → Dashboard	Browser ↔ control plane	Public internet → Cloudflare → CP `:8081`	Cloudflare TLS (HTTPS)
End user → App	Browser ↔ proxy server → worker container	Public internet → proxy server `192.99.14.173` (Traefik `:443`) → WireGuard → worker container port	Let's Encrypt TLS on proxy server; WireGuard between proxy and worker
Control plane ↔ Worker	CP ↔ worker agent	Private WireGuard mesh `10.50.0.0/24` over UDP `51821`	WireGuard (Curve25519 + ChaCha20-Poly1305)
Proxy ↔ Control plane	Proxy Traefik ↔ CP HTTP provider	WireGuard mesh `10.50.0.0/24`	WireGuard

The third and fourth planes never cross the public internet as plaintext — they ride the self-hosted WireGuard tunnel. That includes worker registration, JWT refresh, the WSS hub, the proxy Traefik config polls, and the actual forwarded app traffic between proxy and worker containers.

Why these planes?

Each plane has a different threat model. User-facing dashboard TLS lives at Cloudflare's edge. End-user app TLS is handled by Let's Encrypt on the proxy server — apps get real certificates automatically, including for user-supplied custom domains. Worker control traffic and app forwarding live on a private WireGuard mesh, so /v1/workers/* and /v1/traefik/* never need to be publicly reachable. Cloudflare WAF still drops public hits to those paths as belt-and-braces.

Where to read next

WireGuard mesh, end to end

Big-picture architecture

Provision a worker

Set up the proxy server

On this page