Private Mesh Networking
Knaix treats your CLI machine as a first-class peer in an isolated, end-to-end encrypted intelligence mesh.
Connection Architectures
Managed Node
CONNECTION
Cloud Proxy (HTTPS)
ADDRESS
api.kovalentai.com
REQUIREMENTS
• No VPN required
• Accessible from anywhere
Sovereign Node (BYOT)
CONNECTION
Direct P2P (MagicDNS)
ADDRESS
http://<node-name>:8080
REQUIREMENTS
• Tailscale VPN Required
• Zero Vendor Access
The Zero-Trust Model
Unlike traditional cloud APIs, Knaix does not expose your AI nodes to the public internet. Instead, it creates a private WireGuard-based tunnel between your device and your instances using Tailscale.
Identity-Based Isolation
Every user is assigned a unique cryptographic tag. Your nodes will only accept traffic from devices carrying your specific identity signature.
Bring Your Own Network (BYOT)
For maximum sovereignty, Kovalent allows you to provision AI nodes directly into your personal Tailscale network. You maintain full control over the cryptographic keys and access policies.
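Because a BYOT node lives in your own tailnet, the access policy that protects it is yours to write and review. The following is an added example, not Knaix or Kovalent code: it audits the `acls` section of a tailnet policy file and flags any accept rule that reaches the node on a port other than 8080 or from an unexpected source. The tag `tag:knaix-node`, the group `group:knaix-admins` and the sample policy are assumptions constructed for illustration; port 8080 is taken from the node address on this page.

```python
import json

NODE_TAG = "tag:knaix-node"            # hypothetical tag name (assumption)
NODE_PORT = 8080                       # node port from the address on this page
ALLOWED_SRC = {"group:knaix-admins"}   # hypothetical group (assumption)

# Constructed sample policy. Real policy files are HuJSON; strict JSON used here.
POLICY = json.loads("""
{
  "groups": {"group:knaix-admins": ["alice@example.com"]},
  "tagOwners": {"tag:knaix-node": ["group:knaix-admins"]},
  "acls": [
    {"action": "accept", "src": ["group:knaix-admins"], "dst": ["tag:knaix-node:8080"]},
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:knaix-admins"], "dst": ["tag:knaix-node:22,8080"]}
  ]
}
""")

def port_ranges(spec):
    """Expand a port spec ('*', '8080', '22,8080', '8000-8100') into (lo, hi) pairs."""
    if spec == "*":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def audit(policy, tag=NODE_TAG, port=NODE_PORT, allowed_src=ALLOWED_SRC):
    """Return (rule index, dst, problem) for each rule that over-exposes the node."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        for dst in rule.get("dst", []):
            host, _, spec = dst.rpartition(":")   # tag names contain ':' themselves
            if host not in (tag, "*"):            # rule does not reach the node
                continue
            if any(r != (port, port) for r in port_ranges(spec)):
                findings.append((i, dst, f"ports beyond {port}"))
            extra = [s for s in rule.get("src", []) if s not in allowed_src]
            if extra:
                findings.append((i, dst, "unexpected src " + ",".join(extra)))
    return findings

if __name__ == "__main__":
    for rule, dst, problem in audit(POLICY):
        print(f"acls[{rule}] {dst}: {problem}")
```
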
How it works
1. Generate a Reusable Auth Key in your Tailscale Admin Console.
2. Select "BYOT Enabled" when deploying a new node in the Dashboard.
3. Provide your key. The node will join your network immediately upon boot.
Migration from Managed Nodes
It is not possible to convert an existing Managed Node to BYOT. You must terminate the existing instance and provision a new one to ensure a clean cryptographic identity on your private network.
CLI Access for BYOT Nodes
When using BYOT, your CLI machine must simply be connected to the same Tailscale network as your node. The Kovalent CLI will detect the direct path and communicate peer-to-peer.
Onboarding your Machine
To join the mesh, follow the instructions provided by the CLI after running the login command.
Run Login
knaix login
Mesh Synchronization
The API generates a temporary join key for your device.
Join Mesh
Run the sudo tailscale up command provided in the output.
Verifying Connectivity
Once connected, you can verify your device status:
knaix status
This should show your username and the active mesh status.
Network Requirements
The mesh requires outbound access to port 443 (HTTPS) and port 41641 (UDP) for optimal peer-to-peer performance.