# wireguard-client

VPN client running at each edge. **Edge-only stack.**

- **Networks**: `app` + `mgmt` (so other edge containers can route through the tunnel)
- **No published port** — initiates outbound to the cloud `wireguard-server` on `udp/51820`
- **Config**: `config/wg0.conf` (per-site, contains the site's private key + cloud peer pubkey + AllowedIPs)
- **Routing**: edge containers reach cloud-side services by routing destined-for-cloud-subnet traffic via this client
- **TODO**: routing strategy (split-tunnel vs full), keepalive interval, MTU tuning per WAN type
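
A lint for the per-site `config/wg0.conf` described above, as an added example that is not part of this repository: it checks that a config matches the outbound-only, `udp/51820` design and reports the routing and keepalive choices that are still open. The sample config, its hostname, subnets and key placeholders are constructed, and the function names are hypothetical.

```python
import ipaddress
# Constructed sample: keys are placeholders; hostname and subnets are assumptions.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <site-private-key>
Address = 10.99.0.2/32
[Peer]
PublicKey = <cloud-peer-public-key>
Endpoint = cloud.example.net:51820
AllowedIPs = 10.50.0.0/16
"""

def parse_wg_conf(text):
    """Return [(section, {key: value})] in file order; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # keeps base64 '=' padding in value
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def lint_edge_conf(text):
    """Return a list of findings for an edge client config (hypothetical helper)."""
    findings = []
    sections = parse_wg_conf(text)
    ifaces = [kv for name, kv in sections if name == "interface"]
    peers = [kv for name, kv in sections if name == "peer"]
    if len(ifaces) != 1 or "privatekey" not in ifaces[0]:
        findings.append("interface: expected one [Interface] with PrivateKey")
    elif "listenport" in ifaces[0]:
        findings.append("interface: ListenPort set on an outbound-only client")
    if not peers:
        findings.append("peer: no [Peer] section")
    for p in peers:
        if "publickey" not in p:
            findings.append("peer: missing PublicKey")
        if not p.get("endpoint", "").endswith(":51820"):
            findings.append("peer: Endpoint is not on port 51820")
        nets = [n.strip() for n in p.get("allowedips", "").split(",") if n.strip()]
        if not nets:
            findings.append("peer: missing AllowedIPs")
        if any(ipaddress.ip_network(n, strict=False).prefixlen == 0 for n in nets):
            findings.append("peer: AllowedIPs is full-tunnel (strategy is a TODO)")
        if "persistentkeepalive" not in p:
            findings.append("peer: no PersistentKeepalive (interval is a TODO)")
    return findings
```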