The CWX Backbone Transport Network interconnects all CWX sites using dedicated site-to-site WireGuard tunnels.
Each transport link is implemented as a point-to-point WireGuard interface with a unique /31 subnet, static routing, and per-tunnel UDP ports.
Persistent Keepalive is set to 15 seconds on all tunnels to ensure fast failover and stable NAT traversal.
Tunnel metadata and addressing are centrally documented in the shared Excel workbook:
CWX WireGuard Transport Inventory
This page describes how the backbone is structured, named, routed, monitored, and troubleshot.
Each tunnel receives one dedicated /31:
10.100.X.Y/31
Where:
X = transport group / regionY = unique tunnel identifierTunnel: LOK3 ↔ LOK8
LOK3 IP: 10.100.10.0/31
LOK8 IP: 10.100.10.1/31
To ensure clear traceroutes, each WireGuard transport interface has an A-record:
<site>-wg<id>-transport.ip-net.cwx.hr
Examples:
lok6-wg8-transport.ip-net.cwx.hr
lok3-wg2-transport.ip-net.cwx.hr
Traceroute interpretation example:
lok6-wg8-transport.ip-net.cwx.hr
Meaning:
wg show wgX
ip route get <destination>
dig -x 10.100.X.Y
traceroute <remote-site>
Readable hops confirm backbone forwarding.
The CWX WireGuard Backbone Transport Network is designed for high performance, deterministic routing, and clear visibility during troubleshooting.
Standardized tunnels, /31 addressing, DNS integration, and strict design rules ensure a reliable and scalable transport architecture.