Latest release: sanctum 1.1.2

Topologies

Out of the box, sanctum supports several modes that can be combined to build different types of topologies.

Modes

Tunnel mode

This mode supports the classic site-to-site and client-to-site setups. Sanctum is configured with the IP address of its peer (if known) and its local address.

This mode is also used when configuring sanctum as a cathedral client. In this case a cathedral endpoint is configured instead of the IP address of our peer. The discovery of our peer and the establishment of a P2P E2EE tunnel then happen automatically.

Pilgrim-shrine mode

Use this mode when you have a diode in your network path that enforces unidirectional traffic. The pilgrim mode is the sender while the shrine is the receiver. Because of how the privilege separation works in sanctum, no return traffic is possible. This makes it a great choice for implementing software diodes.

Liturgy mode

Liturgy mode allows sanctum to use cathedrals to autodiscover multiple peers belonging to the same flock. When peers are discovered, a tunnel is automatically established to them; if the peers go offline, the tunnel goes offline automatically.

Because it uses cathedrals, both peers may live behind NAT or firewalls. The cathedrals will help in establishing a P2P connection between the two peers if possible, otherwise traffic is relayed over a cathedral.

Note: cathedrals can never read any traffic, they are only able to relay traffic.

Cathedral mode

In this mode sanctum only acts as a cathedral. A cathedral is a peer discovery, traffic relay and key distribution point. Cathedrals can federate with each other to create a resilient network that becomes hard to take down.

Roaming

Roaming just works in sanctum: tunnels update their peer endpoints automatically.