Skip to content

Architecture Documentation

Welcome to the VPN Exit Controller architecture documentation. This section provides detailed technical information about the system design, components, and infrastructure.

Architecture Overview

  • System Overview

    High-level architecture and design principles

    System Overview

  • Network Design

    Network topology, routing, and security layers

    Network Design

  • Components

    Detailed component architecture and interactions

    Components

  • Security Model

    Security architecture and threat modeling

    Security Model

System Architecture Diagram

graph TB
    subgraph "Internet"
        Users[Users/Clients]
        Internet[Public Internet]
    end

    subgraph "Edge Layer"
        CF[Cloudflare DNS/CDN]
        PublicIP[Public IP: 135.181.60.45]
    end

    subgraph "Proxy Layer"
        Traefik[Traefik - SSL Termination]
        HAProxy[HAProxy - L4/L7 Load Balancer]
    end

    subgraph "Application Layer"
        API[FastAPI Application]
        Redis[(Redis Cache)]
        LB[Load Balancer Service]
    end

    subgraph "VPN Layer"
        Docker[Docker Engine]
        VPN1[VPN-US Container]
        VPN2[VPN-UK Container]
        VPN3[VPN-JP Container]
    end

    subgraph "Network Layer"
        Tailscale[Tailscale Mesh Network]
        NordVPN[NordVPN Servers]
    end

    Users --> Internet
    Internet --> CF
    CF --> PublicIP
    PublicIP --> Traefik
    Traefik --> HAProxy
    HAProxy --> API
    API --> Redis
    API --> LB
    LB --> Docker
    Docker --> VPN1
    Docker --> VPN2
    Docker --> VPN3
    VPN1 --> Tailscale
    VPN2 --> Tailscale
    VPN3 --> Tailscale
    Tailscale --> NordVPN

    style Users fill:#f9f,stroke:#333,stroke-width:2px
    style CF fill:#ff9,stroke:#333,stroke-width:2px
    style Traefik fill:#9ff,stroke:#333,stroke-width:2px
    style HAProxy fill:#9f9,stroke:#333,stroke-width:2px
    style API fill:#f99,stroke:#333,stroke-width:2px

Key Design Principles

1. Microservices Architecture

  • Loosely coupled services
  • Independent scaling
  • Technology agnostic
  • API-first design

2. Container-Based Infrastructure

  • Docker for service isolation
  • Immutable infrastructure
  • Easy deployment and rollback
  • Resource efficiency

3. High Availability

  • No single point of failure
  • Automatic failover
  • Health monitoring
  • Self-healing capabilities

4. Security by Design

  • Zero-trust networking
  • End-to-end encryption
  • Principle of least privilege
  • Regular security audits

Technology Stack

Layer Technology Purpose
Frontend React/Vue.js Web UI (optional)
API FastAPI REST API server
Proxy HAProxy Load balancing
SSL Traefik SSL termination
Cache Redis Metrics & sessions
Container Docker Service isolation
VPN NordVPN Exit nodes
Mesh Tailscale Secure networking
DNS Cloudflare DNS & CDN
OS Ubuntu 22.04 Host operating system

Performance Characteristics

Latency Targets

  • API Response: < 100ms (p95)
  • Proxy Overhead: < 10ms
  • Health Check: < 5s
  • Failover Time: < 30s

Throughput

  • API Requests: 10,000 req/s
  • Proxy Connections: 50,000 concurrent
  • VPN Bandwidth: 1 Gbps per node
  • Redis Operations: 100,000 ops/s

Scalability

  • Horizontal scaling for VPN nodes
  • API instances: 1-100
  • VPN nodes per country: 1-10
  • Total supported countries: 25+

Infrastructure Requirements

Minimum Deployment

┌─────────────────────────┐
│   Single VM/Server      │
│  - 4 CPU cores          │
│  - 8GB RAM              │
│  - 50GB SSD             │
│  - 1 Gbps network       │
└─────────────────────────┘

Production Deployment

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   API Servers   │     │  VPN Node Pool  │     │   Monitoring    │
│  - 3x instances │     │  - 5x servers   │     │  - Prometheus   │
│  - Load balanced│     │  - Geographic   │     │  - Grafana      │
│  - Auto-scaling │     │  - Auto-scaling │     │  - AlertManager │
└─────────────────┘     └─────────────────┘     └─────────────────┘

Component Communication

sequenceDiagram
    participant User
    participant Cloudflare
    participant Traefik
    participant HAProxy
    participant API
    participant Redis
    participant Docker
    participant VPN Node
    participant Tailscale
    participant NordVPN

    User->>Cloudflare: HTTPS Request
    Cloudflare->>Traefik: Forward Request
    Traefik->>HAProxy: Proxy Request
    HAProxy->>API: Load Balanced Request
    API->>Redis: Check Metrics
    Redis-->>API: Return Data
    API->>Docker: Start VPN Container
    Docker->>VPN Node: Create Container
    VPN Node->>Tailscale: Register Node
    VPN Node->>NordVPN: Connect VPN
    NordVPN-->>User: Proxy Traffic

Data Flow Architecture

Request Flow

  1. User connects to proxy URL (e.g., proxy-us.rbnk.uk)
  2. Cloudflare resolves DNS and forwards to server
  3. Traefik handles SSL termination
  4. HAProxy routes to appropriate backend
  5. Request proxied through VPN node
  6. Response returned through same path

Metrics Flow

  1. VPN nodes report health metrics
  2. API collects and stores in Redis
  3. Load balancer uses metrics for decisions
  4. Monitoring systems query metrics API
  5. Alerts triggered on thresholds

Next Steps

Architecture Decisions

For detailed architecture decision records (ADRs) and design rationale, see our ADR documentation.