Direct Connection and Relay Data Privacy Clarification

Hi everyone,

I have installed a Twingate connector in my home LAN where I run my labs, and everything is working smoothly. I just need some clarification regarding the peer-to-peer (P2P) tunnel between the client and the connector. Based on what I’ve read in the documentation, there are two ways of establishing this tunnel:

a) Direct P2P connection: No “actual” data passes through the relay.
b) Through a relay: If something is wrong with the direct P2P tunnel, the connection is routed through a relay.

Am I missing anything here?

There are a few points in the documentation that confuse me a little, such as the following:

  • “Data-carrying traffic may pass through Relays on a transient basis, and Relays do not store any traffic or network-identifiable information. Traffic that passes through a Relay has already been encrypted since the Relay is essentially a hop along the end-to-end encrypted TLS tunnel between the Client and Connector. No data-carrying connections are terminated at the Relay.”
  • “When necessary, the encrypted tunnel may also be routed through the Relay.”

Any insights you can provide on these matters would be greatly appreciated.
Thank you, guys, for your time and assistance.

Have a great day!

Hey gvast,

I recommend you have a look at our Trust Center if you haven’t already, as we go through a lot of the privacy and connectivity stuff in a lot more depth.

To address your question specifically (while also retreading some info I’m sure you’ve gleaned from the docs already):

If a direct p2p tunnel between the client and the connector cannot be established because of NAT traversal issues, the encrypted tunnel will instead travel through the closest applicable relays in our network. That tunnel never stops on the relay and the relays themselves have absolutely no way of inspecting or storing the data as it passes through.

Basically, the “data may pass through relays on a transient basis” line as well as the “when necessary, the encrypted etc” line are essentially talking about the same thing.

To put it another way, imagine you have a letter in a theoretically uncrackable lockbox you want to hand to a friend. Only you and your friend know the combination to the lockbox.

In a perfect world, you (client) would just hand the lockbox (data) to that friend (connector) directly (peer to peer) and they would open it using the combination previously agreed upon.

Now imagine there’s something between you and your friend. Say a vast ocean which your arms are too short to reach across (NAT Traversal/Network issues). You could instead use FedEx (the relay network) to ship the lockbox to your friend.

In this instance, the lockbox has passed through FedEx’s hands on a transient basis, but ultimately there is no way anyone at FedEx could access the letter inside the lockbox because only you and your friend know the combination.

I hope the Trust Center, or my silly example, helps clarify things, but if all I’ve done is muddy the waters, please feel free to call me names and I’ll be more than happy to try again.

Thanks,

-arthur
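The "lockbox through FedEx" property above, as an added worked example (not Twingate's code, and not from the original thread): a Client and Connector share a session key, a Relay forwards records without holding any key, and the checks confirm the relay only ever sees ciphertext and that any alteration in transit is detected. The record format (nonce + ciphertext + HMAC tag) and the HMAC-counter keystream are a stdlib-only stand-in for the real end-to-end TLS tunnel, assumed purely for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed session key: in the real product the Client and Connector negotiate
# TLS keys end to end, and the relay never takes part in that exchange.
SESSION_KEY = secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a TLS record cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate one record: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(key: bytes, record: bytes) -> bytes:
    """Verify the tag before decrypting; a modified record is rejected."""
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """Forwards records unchanged. It has no key, so it only ever handles ciphertext."""
    def __init__(self) -> None:
        self.observed: list[bytes] = []  # everything an inspecting relay could log

    def forward(self, record: bytes) -> bytes:
        self.observed.append(record)
        return record


def send_via_relay(key: bytes, relay: Relay, message: bytes) -> bytes:
    """Client seals, relay forwards, Connector opens."""
    return open_record(key, relay.forward(seal(key, message)))


def relay_saw_plaintext(relay: Relay, message: bytes) -> bool:
    return any(message in rec for rec in relay.observed)


def tampering_is_detected(key: bytes, message: bytes) -> bool:
    """Flip one ciphertext byte in transit; the Connector must refuse the record."""
    rec = bytearray(seal(key, message))
    rec[12] ^= 0x01
    try:
        open_record(key, bytes(rec))
    except ValueError:
        return True
    return False
```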