Tunnels

Understanding the security model, zero-trust architecture, and capabilities of Staex MCC tunnels.

Unparalleled Security Isolation

Every Staex tunnel is an individually encrypted communication channel. Network traffic flows exclusively through explicitly configured tunnels -- all other traffic is blocked by default. Unlike traditional VPNs that create a shared network surface between all connected devices, MCC ensures complete isolation: each tunnel is a separate encrypted pipe with no lateral movement possible between them.

Zero-Trust Implementation

Each tunnel explicitly specifies a client endpoint, a server endpoint, a range of ports, and a protocol. Any packet that does not match an active tunnel specification is dropped. Deactivating a single tunnel affects only the specific traffic it carried -- all other tunnels remain unaffected. There is no implicit trust between any two nodes unless a tunnel has been deliberately created between them.
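A minimal model of the matching rule described above, as an added example that is not Staex code or its configuration format. The class names, field names, `pk:` key strings and the two sample tunnels are assumptions constructed for illustration, and only client-to-server packets are modelled.

```python
from dataclasses import dataclass

# All names here are hypothetical; this models the rule in the text,
# not Staex's API or configuration syntax.

@dataclass(frozen=True)
class Tunnel:
    name: str
    client: str      # client endpoint, identified by public key (constructed)
    server: str      # server endpoint, identified by public key (constructed)
    ports: range     # allowed destination ports
    protocol: str    # "tcp" or "udp"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    protocol: str

class TunnelPolicy:
    def __init__(self, tunnels):
        self._tunnels = {t.name: t for t in tunnels}
        self._active = set(self._tunnels)

    def deactivate(self, name):
        # Removes one tunnel from the active set; the others are untouched.
        self._active.discard(name)

    def match(self, pkt):
        """Return the name of the active tunnel carrying pkt, or None."""
        for name in sorted(self._active):
            t = self._tunnels[name]
            if ((pkt.src, pkt.dst, pkt.protocol) == (t.client, t.server, t.protocol)
                    and pkt.dst_port in t.ports):
                return name
        return None  # default deny: nothing matched, so nothing is trusted

# Constructed sample policy: two independent tunnels between four nodes.
POLICY = TunnelPolicy([
    Tunnel("plc-modbus", "pk:hmi", "pk:plc", range(502, 503), "tcp"),
    Tunnel("cam-rtsp", "pk:nvr", "pk:cam", range(554, 555), "tcp"),
])

def decide(pkt):
    """Name of the tunnel that carries pkt, or "DROP" if none does."""
    return POLICY.match(pkt) or "DROP"
```

A packet from `pk:hmi` to `pk:cam` is dropped even though both nodes have tunnels of their own, which is the isolation property the section describes.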

Hidden IP Addresses

Applications address remote endpoints using public keys rather than IP addresses. The dynamic IP addresses visible within the MCC overlay are generated internally by Staex and bear no relation to the node's real network address. Because real IPs are never exposed, attackers cannot perform geolocation tracking, port scanning, or IP-based reconnaissance.

Simplified Network Configuration

Tunnels replace complex layers of firewall rules, DNAT configurations, and port-forwarding setups. Instead of maintaining dozens of iptables rules or router configurations, you define a collection of named tunnel specifications. The network operates on a default-deny basis: any packet not matching a configured tunnel is silently discarded.

Legacy Protocol Security

Many industrial and infrastructure protocols were designed without encryption: DNS, NTP, RTSP, Modbus, MAVLink2, and others. Staex tunnels wrap these protocols in end-to-end encryption transparently, without requiring any modification to the protocols themselves. This enables secure internet-grade usage of legacy protocols that were originally designed for trusted local networks.

Cross-Network Communication

Staex provides a shared address space across all nodes in the network. Tunnels work seamlessly across LAN boundaries, between data centers, cloud providers, and edge devices. Nodes can roam between physical networks without losing connectivity. NAT traversal is handled automatically -- two devices behind separate NATs can communicate as easily as two devices on the same local network.