Network Security
All HYDRA traffic that crosses network boundaries is encrypted using WireGuard, an industry-standard VPN protocol. HydraGuard, our WireGuard management layer, establishes encrypted tunnels between routers or between individual machines and routers. Traffic within a local network segment (e.g. between devices on the same VLAN) does not go through WireGuard.
Specifications
| Attribute | Detail |
| --- | --- |
| Protocol | WireGuard (encrypted tunnel) |
| Tunnel Topology | Router-to-router or machine-to-router |
| Encryption | ChaCha20-Poly1305 (WireGuard default) |
| Applies To | All deployment combinations |
| Key Management | Centrally managed by HYDRA; venue IT does not need to handle keys |
Firewall Requirements
- All management connections are established outbound over standard HTTPS/UDP. No inbound ports are required for management traffic.
- Depending on the selected streaming solution and kiosk configuration, additional inbound ports may be required on the local network for VR streaming between compute and display devices. These requirements are confirmed during planning and documented in the deployment checklist.
- Traffic crossing network boundaries (e.g. venue to HYDRA District, venue to management infrastructure) is fully encrypted in transit.
- Local traffic between HYDRA devices on the same network segment stays on the local network.
- The venue does not need to manage any encryption keys or certificates.