Terminology

Here are some common terms used in the Pro Custodibus documentation. See also our WireGuard Terminology blog post for a few other general networking and WireGuard terms.

Host

A computer running an operating system with a network stack, such as a server, laptop, virtual machine, mobile phone, tablet, or Internet-of-Things (IoT) device.

WireGuard Host

A host running WireGuard. When WireGuard is run inside a Docker container, the WireGuard host is the container itself, not the container’s host.

When we use the general term “host” in the context of Pro Custodibus, we typically mean a WireGuard host.

Monitored Host

A host running the Pro Custodibus agent software. When the agent is run inside a Docker container, the monitored host is the container itself, not the container’s host.

Pro Custodibus Agent

A lightweight service that runs on each monitored host and sends WireGuard usage and audit logs to the Pro Custodibus servers. If configured to do so, it can also update the host’s WireGuard and network configuration.

When we use the general term “agent” in the context of Pro Custodibus, we typically mean the Pro Custodibus agent.

Network Interface

A software device that connects a host to a network. It may represent a physical connection through a wired or wireless network card on the computer (such interfaces typically would be given names like eth0 or wl0), or it may represent an entirely virtual connection (such as the connection to a WireGuard network).

WireGuard Interface

A WireGuard network interface running on a host. The same host may have many different interfaces.

A host sends traffic to a WireGuard network through its interface to the network. From the perspective of a host, an interface is the local side of its connection to a network.

The convention for naming WireGuard interfaces is to prefix them with the lowercase letters wg, and use a digit (usually starting with 0) to distinguish among multiple interfaces of the same type on a host (so on a host with two interfaces, the interfaces typically would be named wg0 and wg1).

When we use the general term “interface” in the context of Pro Custodibus, we typically mean a WireGuard interface.

WireGuard Endpoint

The combination of IP address and port (such as 192.0.2.1:51820) to which traffic for a member of a WireGuard network is sent. From the perspective of a host, an endpoint is the remote side of its connection to another member.

When we use the general term “endpoint” in the context of Pro Custodibus, we typically mean a WireGuard endpoint.

WireGuard Peer

The identity of a member of a WireGuard network. The same host may be a member of many distinct networks, appearing as a different peer to each.

Each peer uses a unique X25519 key pair to authenticate itself to other peers. The public part of this key pair, its “public key” (typically represented as a 44-character base64-encoded string like O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=), uniquely identifies the peer.

Local Peer

From the perspective of a host, one of the identities the host itself uses to connect to one or more of its WireGuard networks.

Remote Peer

From the perspective of a host, the identity of a different member of one or more of the host’s WireGuard networks.

When we use the general term “peer” in the context of Pro Custodibus, we typically mean a remote peer.

WireGuard Network

A virtual private network, using private IP addresses (such as in the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 blocks), to connect two or more peers via a secure tunnel through other physical public and private networks.

The same host may be part of many different, overlapping networks. From the perspective of a host, a network consists of the peers to which it can connect via a specific interface.
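
The peer, endpoint, and network definitions above each describe a concrete format, so a peer record can be checked against them before it is trusted. The following is an added example, not Pro Custodibus code; the function names and the `tunnel_address` parameter are hypothetical, and treating the three listed private blocks as the only acceptable ones is an assumption of this sketch.

```python
import base64
import binascii
import ipaddress

# The three private blocks named in the WireGuard Network definition.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_valid_public_key(text):
    """True if text is the 44-character base64 form of a 32-byte X25519 key."""
    if len(text) != 44:
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Re-encode so a non-canonical spelling of the same bytes is rejected.
    return len(raw) == 32 and base64.b64encode(raw).decode() == text

def parse_endpoint(text):
    """Split 'address:port' or '[v6-address]:port' into (ip_address, port)."""
    host, sep, port = text.rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()) or not 0 < int(port) <= 65535:
        raise ValueError(f"bad endpoint: {text!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    # Per the definition above, an endpoint is an IP address, not a hostname.
    return ipaddress.ip_address(host), int(port)

def in_private_block(address):
    """True if address falls in one of the private blocks listed above."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == 4 and ip in block for block in PRIVATE_BLOCKS)

def audit_peer(public_key, endpoint, tunnel_address):
    """Return a list of problems found in one remote-peer record."""
    problems = []
    if not is_valid_public_key(public_key):
        problems.append("public key is not a 32-byte base64 value")
    try:
        parse_endpoint(endpoint)
    except ValueError as err:
        problems.append(str(err))
    if not in_private_block(tunnel_address):
        problems.append("tunnel address is outside the listed private blocks")
    return problems
```

Called with the sample key and endpoint from the definitions above and a tunnel address of `10.0.0.2` (constructed), `audit_peer` returns an empty list.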