WireGuard & SRT Encryption

TheRelay uses dual-layer encryption: WireGuard for the control tunnel and SRT (Secure Reliable Transport) for media streams. Control traffic and media are each encrypted in transit, while performance stays high and latency stays low for your camera streams.

Two-Layer Security

  • Layer 1: WireGuard VPN tunnel (control & metadata)
  • Layer 2: SRT encryption (media streams)
  • AES-256 encryption on both layers
  • Perfect forward secrecy
  • No key compromise impact on past communications

Key Benefits

  • Industry-standard encryption protocols
  • Minimal latency overhead (WireGuard optimized)
  • Automatic encryption with no manual setup
  • Hardware acceleration support
  • Transparent to applications

Security Architecture Explained

WireGuard Control Tunnel

TheRelay Agent establishes an encrypted WireGuard VPN tunnel to the TheRelay cloud:

  • Encrypts all control messages and metadata
  • Protects camera credentials in transit
  • Prevents eavesdropping on configuration changes
  • Uses elliptic curve cryptography for key exchange
  • Minimal overhead - WireGuard is highly optimized

SRT Media Encryption

Camera streams are transmitted using the SRT protocol with AES-256 encryption:

  • Encrypts video and audio data before transmission
  • Provides reliable transport with forward error correction
  • Adaptive bitrate to handle network variance
  • Low latency compared to other encrypted protocols
  • Compatible with all TheRelay stream formats

Key Management

TheRelay handles all encryption key management automatically:

  • Keys generated securely on first agent registration
  • Keys rotated periodically for added security
  • No manual key distribution or management needed
  • Keys stored securely on agent and cloud servers
  • Compromised keys isolated to single agent only

6-Step WireGuard Configuration

Step 1: Generate WireGuard Keys

TheRelay automatically generates WireGuard keys when you:

  1. Log into TheRelay Dashboard
  2. Go to Account Settings > Security
  3. Click "Generate WireGuard Keys"
  4. System generates public and private key pairs

Step 2: Download Agent Configuration

Download the WireGuard configuration file for your agent:

  • In Agents section, click your agent
  • Click "Download WireGuard Config"
  • File contains all necessary keys and endpoints
  • Keep this file secure - it contains sensitive keys

Step 3: Configure Agent

Install the configuration on your TheRelay Agent:

  1. Copy WireGuard config to agent host
  2. Place in agent configuration directory
  3. Restart agent service to apply settings
  4. Agent automatically establishes WireGuard tunnel

Step 4: Verify Tunnel Status

Confirm WireGuard tunnel is active:

  • Check dashboard - agent should show "Connected"
  • Green status indicator confirms tunnel active
  • View tunnel statistics in agent details
  • Monitor encryption overhead in performance metrics

Step 5: Enable SRT for Streams

Enable SRT encryption for your camera streams:

  1. Go to dashboard Cameras section
  2. Select camera to configure
  3. Enable "SRT Encryption" toggle
  4. Choose encryption level if options available
  5. Save; streams will then use encrypted SRT transport

Step 6: Monitor Encryption Health

Continuously monitor your encryption setup:

  • Check tunnel reconnection statistics
  • Monitor encryption overhead and performance
  • Review security logs for any issues
  • Set up alerts for tunnel disconnections
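
One way to drive the disconnection alerts from Step 6, as an added example (not TheRelay's own code): it flags peers whose last WireGuard handshake is missing or old. It assumes the agent's tunnel is visible to the standard `wg` tool; the interface name `wg0`, the 180-second threshold and the sample keys are assumptions or constructed values.

```python
import subprocess
import time

# Assumptions (not from TheRelay docs): the tunnel is a kernel or userspace
# WireGuard interface that the `wg` tool can query, named wg0 here.
STALE_AFTER = 180  # seconds; assumed threshold, tune to your keepalive interval

# Constructed sample of `wg show wg0 latest-handshakes` (pubkey<TAB>epoch).
SAMPLE = (
    "PEER_A_CONSTRUCTED_PUBLIC_KEY=\t1700000000\n"
    "PEER_B_CONSTRUCTED_PUBLIC_KEY=\t1699990000\n"
    "PEER_C_CONSTRUCTED_PUBLIC_KEY=\t0\n"
)

def read_handshakes(iface="wg0"):
    """Run the real `wg` CLI (needs root); returns its raw output."""
    return subprocess.run(["wg", "show", iface, "latest-handshakes"],
                          capture_output=True, text=True, check=True).stdout

def parse_latest_handshakes(text):
    """Map each peer public key to its last handshake time (0 = never)."""
    peers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            peers[parts[0]] = int(parts[1])
    return peers

def tunnel_alerts(text, now=None, stale_after=STALE_AFTER):
    """Return (pubkey, reason) for peers that never connected or went quiet."""
    now = int(time.time()) if now is None else now
    alerts = []
    for pubkey, last in parse_latest_handshakes(text).items():
        if last == 0:
            alerts.append((pubkey, "never"))
        elif now - last > stale_after:
            alerts.append((pubkey, "stale"))
    return alerts

if __name__ == "__main__":
    # Evaluate the constructed sample one minute after peer A's handshake.
    for pubkey, reason in tunnel_alerts(SAMPLE, now=1700000060):
        print(f"ALERT {reason}: {pubkey}")
```

On a live host, pass `read_handshakes()` to `tunnel_alerts()` from a scheduled job and forward the result to your alerting system.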

Encryption Options and Configuration

WireGuard Settings

  • Tunnel Mode: Always enabled for control traffic
  • Key Rotation: Automatic every 24 hours (configurable)
  • Keepalive: Enabled to maintain tunnel through NAT
  • MTU: Auto-detected for optimal performance

SRT Encryption Levels

  • Standard (AES-128): Fast, suitable for most deployments
  • Strong (AES-256): Maximum security (default)
  • Disabled: Only use on completely trusted networks

Performance Considerations

  • WireGuard encryption overhead: 1-3%
  • SRT encryption overhead: 2-5%
  • Modern CPUs have AES acceleration (minimal impact)
  • GPU acceleration available for high-bitrate scenarios
  • Most users notice no performance degradation

Troubleshooting Encryption Issues

WireGuard Tunnel Not Connecting

  • Verify WireGuard configuration file is correct
  • Check if agent can reach WireGuard server endpoint
  • Ensure firewall allows UDP access to tunnel port
  • Review agent logs for WireGuard errors
  • Try regenerating keys and redownloading config
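
A local check for the first bullet above, as an added example (not part of TheRelay's tooling): it audits a downloaded config for loose file permissions, malformed keys, a missing endpoint and missing keepalive. It assumes the file uses the standard wg-quick INI layout; pass whatever path your agent uses.

```python
import base64
import binascii
import os
import stat

# Assumption: the downloaded file uses the standard wg-quick INI layout
# ([Interface] / [Peer]); TheRelay's actual file contents are not shown on this page.
def is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def parse_wg_conf(text):
    """Return [(section, {key: value})]; [Peer] may appear more than once."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit_wg_conf(path):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set
        findings.append(f"file mode {mode:o} exposes the private key to group/others")
    with open(path, encoding="utf-8") as fh:
        sections = parse_wg_conf(fh.read())
    interfaces = [kv for name, kv in sections if name == "interface"]
    peers = [kv for name, kv in sections if name == "peer"]
    if len(interfaces) != 1 or not is_wg_key(interfaces[0].get("privatekey", "")):
        findings.append("missing or malformed [Interface] PrivateKey")
    if not peers:
        findings.append("no [Peer] section")
    for peer in peers:
        if not is_wg_key(peer.get("publickey", "")):
            findings.append("peer PublicKey missing or malformed")
        host, _, port = peer.get("endpoint", "").rpartition(":")
        if not host or not port.isdigit():
            findings.append("peer Endpoint is not host:port")
        if "persistentkeepalive" not in peer:
            findings.append("peer has no PersistentKeepalive for NAT traversal")
    return findings
```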

High Encryption Overhead

  • Check if CPU has AES acceleration: grep aes /proc/cpuinfo
  • Verify no other high-load processes on agent host
  • Consider using SRT instead of WireGuard for high bitrates
  • Enable hardware acceleration if available

Streams Disconnecting

  • Check WireGuard tunnel stability
  • Monitor network packet loss
  • Review SRT timeout settings
  • Try disabling encryption temporarily to isolate the issue (see SRT Encryption Levels: only on completely trusted networks)

Key Rotation Issues

  • Ensure agent stays connected during key rotation
  • Check if agent requires manual key installation
  • Review agent logs during rotation time
  • If auto-rotation is causing issues, disable it and rotate keys manually