Skip to content

Tobogganing Overview

🛷 What is Tobogganing?

Tobogganing is an Open Source Secure Access Service Edge (SASE) solution implementing Zero Trust Network Architecture (ZTNA) principles. Built with modern technologies like WireGuard, Go, and Python, it provides enterprise-grade network security with the flexibility of open source.

🏗️ System Architecture

Tobogganing consists of three main components working together to provide comprehensive secure access:

┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Clients       │    │   Headend        │    │   Manager       │
│                 │    │   Server         │    │   Service       │
│ • Native Apps   │◄──►│ • WireGuard      │◄──►│ • Orchestration │
│ • Docker        │    │ • Go Proxy       │    │ • Certificates  │
│ • Mobile Apps   │    │ • Authentication │    │ • Web Interface │
└─────────────────┘    └──────────────────┘    └─────────────────┘

🎛️ Manager Service (Python 3.12)

Central orchestration and certificate management

  • Technology: Python 3.12 + py4web + asyncio + PyDAL
  • Database: MySQL (production), SQLite (development) with read replica support
  • Features:
  • Multi-datacenter orchestration
  • Certificate lifecycle management (Root CA, Intermediate CA)
  • Client registration and configuration
  • API key generation for initial client setup
  • Web-based management interface with role-based access
  • Prometheus metrics endpoint
  • JWT token management
  • Redis caching for performance
  • Backup and restore functionality with S3 support

🌐 Headend Server (Go 1.23)

WireGuard termination and intelligent proxy

  • Technology: Go 1.23 + WireGuard kernel module + goroutines
  • Features:
  • WireGuard VPN tunnel termination
  • Multi-protocol proxy (HTTP/HTTPS, TCP, UDP, WebSocket)
  • Dual authentication (X.509 certificates + JWT tokens)
  • Traffic routing between clients and internet
  • SAML2 and OAuth2 integration with external IdPs
  • Traffic mirroring for IDS/IPS integration (VXLAN/GRE/ERSPAN)
  • FRR-based VRFs for IP space segmentation
  • OSPF routing across WireGuard tunnels
  • Comprehensive firewall system
  • Syslog logging for user resource access
  • Rate limiting and DDoS protection
  • Security feeds integration (Blackweb, SpamHaus, ipvoid, STIX/TAXII)

👤 Client Applications

Cross-platform secure access clients

Native Golang Clients

  • Platforms: Mac Universal, Linux x64/ARM, Windows
  • Features:
  • Embedded WireGuard client (no separate installation required)
  • System tray integration for easy control
  • GUI and CLI interfaces
  • Auto-update capabilities
  • Certificate management
  • Connection profiles
  • Status monitoring

Docker Container Client

  • Technology: Docker + WireGuard
  • Features:
  • Containerized deployment for easy scaling
  • Pulls configuration from Manager using temporary API keys
  • Automatic key rotation and certificate management
  • Health monitoring and auto-restart

Mobile Applications (React Native)

  • Platforms: Android, iOS (planned)
  • Features:
  • React Native based mobile client
  • WireGuard VPN integration
  • Secure credential storage
  • Connection management
  • Real-time status monitoring
  • Biometric authentication support

🔒 Security Features

Zero Trust Architecture

  • Never Trust, Always Verify: Every connection authenticated and authorized
  • Dual Authentication: X.509 certificates + JWT/SSO integration
  • Certificate Management: Automated certificate lifecycle management
  • Multi-Factor Authentication: Support for various authentication methods

Defense in Depth

  • Layer 1: WireGuard encryption (ChaCha20Poly1305)
  • Layer 2: X.509 certificate authentication
  • Layer 3: JWT token validation
  • Layer 4: Application-level authorization
  • Layer 5: Traffic analysis and mirroring

Advanced Security

  • Traffic Mirroring: Optional traffic duplication to external security tools
  • Firewall Integration: Domain, IP, protocol, and port control
  • Threat Intelligence: Integration with security feeds for known bad domains/IPs
  • Audit Logging: Comprehensive audit logging and compliance reporting
  • Rate Limiting: Protection against DDoS and abuse

🚀 Key Features

High Performance

  • Concurrent Architecture: Go-based headend with goroutines for high throughput
  • Async Python: Manager service built with asyncio for high concurrency
  • Optimized Protocols: Support for HTTP/HTTPS, TCP, UDP, and WebSocket traffic
  • Zero-Copy Operations: Memory-efficient packet processing

Enterprise Ready

  • Multi-Platform: Native clients for all major operating systems
  • Cloud Native: Kubernetes-ready with auto-scaling and monitoring
  • High Availability: Multi-datacenter orchestration with failover
  • Compliance: Audit logging and compliance-ready features
  • Scalability: Horizontal scaling support for large deployments

Easy Deployment

  • Infrastructure as Code: Complete Terraform, Kubernetes, and Docker Compose configurations
  • Multiple Options: Kubernetes, Docker, cloud providers, or bare metal
  • Automated CI/CD: GitHub Actions for testing, building, and releasing
  • Monitoring: Built-in Prometheus metrics and Grafana dashboards

📊 Monitoring & Observability

Metrics Collection

  • Prometheus Integration: Native metrics endpoints
  • Grafana Dashboards: Pre-built dashboards for monitoring
  • Health Endpoints: Kubernetes-style health checks
  • Performance Metrics: Real-time performance monitoring

Analytics Dashboards

  • OS Analytics: Operating system distribution and usage
  • Traffic Monitoring: Real-time traffic analysis and patterns
  • Agent/Headend Search: Advanced search and filtering capabilities
  • Security Analytics: Threat detection and security event analysis

🌍 Deployment Options

Small Office/Home Office (SOHO)

  • Docker Compose: Simple single-server deployment
  • Capacity: 1-50 users
  • Resources: 2 CPU, 4GB RAM

Medium Enterprise

  • Kubernetes: Small cluster deployment
  • Capacity: 50-500 users
  • Resources: 4-8 CPU, 8-16GB RAM

Large Enterprise

  • Multi-region Kubernetes: Distributed deployment
  • Capacity: 500-5000 users
  • Resources: 16+ CPU, 32+ GB RAM

Hyperscale

  • Auto-scaling Cloud: Multi-region cloud deployment
  • Capacity: 5000+ users
  • Resources: Auto-scaling based on demand

🔄 Traffic Flow

  1. Client Authentication: Dual authentication with certificates and JWT tokens
  2. VPN Tunnel: Secure WireGuard tunnel establishment
  3. Traffic Routing: Intelligent routing based on policies
  4. Security Analysis: Optional traffic mirroring to security tools
  5. Internet Access: Secure access to internet resources
  6. Monitoring: Real-time monitoring and logging

📚 Getting Started

  1. Quick Start: Use Docker Compose for rapid deployment
  2. Production: Deploy with Kubernetes for scalability
  3. Mobile Development: Set up Android Studio for mobile app testing
  4. Client Installation: Install native clients on user devices

🎯 Use Cases

  • Remote Work: Secure access for distributed teams
  • Branch Offices: Site-to-site connectivity
  • Cloud Migration: Secure cloud resource access
  • Contractor Access: Temporary secure access
  • IoT Security: Secure device connectivity
  • Compliance: Meeting security and compliance requirements

🛠️ Development & Integration

Build System

  • React Native Mobile: Automated build and deployment scripts
  • Android Studio: Complete development environment setup
  • GitHub Actions: Automated CI/CD pipelines
  • Cross-platform: Support for all major platforms

API Integration

  • RESTful APIs: Complete API documentation
  • SDK Support: Native SDKs for integration
  • Webhook Support: Event-driven integrations
  • SSO Integration: SAML2/OAuth2 support

Tobogganing provides a complete, modern SASE solution that scales from small office deployments to enterprise-grade multi-region installations, all while maintaining the flexibility and transparency of open source software.