6.6 KiB
Iroh: Overview & Architecture
Version: 0.98.1
Repository: https://github.com/n0-computer/iroh
License: MIT OR Apache-2.0
Rust Edition: 2024
MSRV: 1.89
What is Iroh?
Iroh is a Rust library for establishing peer-to-peer QUIC connections dialed by public key. You provide an EndpointAddr (which identifies a peer), and iroh finds and maintains the fastest connection route — whether direct (hole-punched) or relayed through a server.
Core value propositions:
- Dial by public key — no IP addresses or hostnames needed at the application layer
- Hole-punching — automatically attempts direct P2P connectivity
- Relay fallback — encrypted relay servers ensure connectivity even behind NATs
- Built on QUIC — uses the
noqQUIC implementation for multiplexed, encrypted streams - Address Lookup — pluggable discovery system to resolve
EndpointId → addressing info
Workspace Structure
iroh/ # Core library (p2p QUIC connections)
├── iroh-base/ # Fundamental types: SecretKey, PublicKey, EndpointId, RelayUrl, EndpointAddr
├── iroh-dns/ # DNS resolver + endpoint info serialization (pkarr)
├── iroh-dns-server/ # DNS server implementation (powers dns.iroh.link)
├── iroh-relay/ # Relay server + client implementation
└── iroh/bench/ # Benchmarks
Dependency Graph
iroh depends on:
├── iroh-base (key types, EndpointAddr, RelayUrl)
├── iroh-dns (DNS resolution, EndpointInfo serialization)
├── iroh-relay (RelayMap, RelayConfig, relay client/server, QUIC client)
├── noq (QUIC implementation)
├── noq-proto (QUIC protocol types)
├── noq-udp (UDP socket abstraction)
├── netwatch (network interface monitoring)
├── portmapper (UPnP/PCP/NAT-PMP port mapping, optional)
├── n0-future (async utilities)
├── n0-watcher (watch/subscribe primitives)
└── iroh-metrics (metrics collection)
Key Concepts
EndpointId / PublicKey
Every iroh endpoint has a unique Ed25519 cryptographic key pair. The public key doubles as the endpoint identifier (EndpointId). It's used for both:
- Identity — unique addressing in the network
- Encryption — TLS authentication (via RFC 7250 Raw Public Keys, no X.509 certificates)
EndpointAddr
The addressing structure that combines identity with network paths:
pub struct EndpointAddr {
pub id: EndpointId, // Who to connect to
pub addrs: BTreeSet<TransportAddr>, // How to reach them
}
pub enum TransportAddr {
Relay(RelayUrl), // Via relay server
Ip(SocketAddr), // Direct IP address
Custom(CustomAddr), // Via custom transport
}
Relay Servers
Relay servers provide:
- Reliable connectivity — always reachable, forward encrypted traffic to the correct endpoint by
EndpointId - Hole-punching assistance — QUIC Address Discovery (QAD), STUN-like services
- Traffic relay — fallback when direct connections are impossible
Connections to relays use HTTP/1.1 with TLS, then upgrade to a custom protocol. The relay only sees encrypted traffic.
Connection Flow
- Endpoint binds, connects to a "home relay"
- To connect to peer: resolve
EndpointId→EndpointAddrvia Address Lookup - Establish initial connection via relay
- Attempt direct connection (hole-punching if needed)
- Migrate to direct connection when available (relay becomes backup)
Crate: iroh (Core Library)
Main Types
| Type | Module | Purpose |
|---|---|---|
Endpoint |
endpoint |
Central API — connect, accept, manage connections |
Builder |
endpoint |
Configure and construct an Endpoint |
Router |
protocol |
Accept loop that dispatches to ProtocolHandlers |
ProtocolHandler |
protocol |
Trait for handling incoming connections by ALPN |
Connection |
endpoint::connection |
QUIC connection wrapper |
Incoming |
endpoint::connection |
Pre-handshake incoming connection |
Accepting |
endpoint::connection |
Post-accept, pre-handshake state |
Feature Flags
default=["metrics", "fast-apple-datapath", "portmapper", "tls-ring"]metrics— Prometheus-style metrics collectionportmapper— UPnP/PCP/NAT-PMP supporttest-utils— Testing utilitiesplatform-verifier— Use OS TLS trust anchorsqlog— QUIC event loggingfast-apple-datapath— Private Apple APIs for batched sendstls-ring/tls-aws-lc-rs— Choose TLS crypto backendunstable-custom-transports— Custom transport API (unstable)
WASM Support
The crate compiles to wasm32-unknown-unknown for browser targets. Browser builds:
- Use
PkarrResolverinstead ofDnsAddressLookup(DNS-over-HTTPS) - Cannot bind IP sockets (no direct connectivity)
- Use
wasm-bindgen-futuresfor async runtime
Presets
The presets module provides common configurations:
| Preset | Description |
|---|---|
Empty |
No defaults — you must set all required options yourself |
Minimal |
Sets only the crypto provider (ring or aws-lc-rs) |
N0 |
Full n0 defaults: crypto provider, Pkarr publisher, DNS resolver, n0 relay servers |
N0DisableRelay |
N0 defaults but with RelayMode::Disabled |
// Quick start with full n0 infrastructure
let endpoint = Endpoint::bind(presets::N0).await?;
// Minimal — just crypto, no relay or address lookup
let endpoint = Endpoint::bind(presets::Minimal).await?;
Encryption & Authentication
Iroh uses RFC 7250 Raw Public Keys for TLS — no X.509 certificates. Each endpoint has:
SecretKey(Ed25519) — used for TLS authentication and signingPublicKey/EndpointId— derived fromSecretKey, used as identity
The TLS server name is encoded as <base32-dnssec-encoded-public-key>.iroh.invalid to ensure 0-RTT session ticket separation per endpoint.
0-RTT Support
Iroh supports QUIC 0-RTT connections:
Connecting::into_0rtt()on the client sideAccepting::into_0rtt()on the server side- TLS session tickets cached per remote endpoint (default 256 tickets = ~150 KiB)
max_tls_tickets()builder option to tune cache size
Default Infrastructure (n0)
Production relay servers (4 regions):
| Region | Hostname |
|---|---|
| NA East | use1-1.relay.n0.iroh-canary.iroh.link |
| NA West | usw1-1.relay.n0.iroh-canary.iroh.link |
| EU | euc1-1.relay.n0.iroh-canary.iroh.link |
| AP | aps1-1.relay.n0.iroh-canary.iroh.link |
DNS Address Lookup origin: dns.iroh.link