creative.space VPN and Reverse Proxy Architecture: Technical Deep Dive
May 18, 2024

A detailed exploration of the creative.space platform's secure architecture, including Backstage CP, Backstage PoP, Spaceline Nodes, and Spaceline Client components that form the backbone of its robust media security solution.


Platform Overview: The Backbone of creative.space Security

The creative.space platform employs a centralized control plane architecture, orchestrated by the Backstage CP component. This self-hosted system acts as a sophisticated tunneled reverse proxy and identity/access management hub, enabling the secure exposure and managed access of private resources across distributed networks. It integrates tightly with the Backstage PoP node, which serves as the dedicated WireGuard interface manager and networking back-end, handling the creation and maintenance of secure tunnels, dynamic routing, and enforcing security policies through middleware.

Connectivity from remote sites or edge locations is managed by the Spaceline Nodes (Site Agents). These agents run on the remote networks, establish persistent outbound-only WireGuard tunnels to the Backstage PoP for data, and maintain WebSocket control channels with the Backstage CP for instructions, proxying local services securely back to the central infrastructure without requiring open inbound ports. For individual user access, the Spaceline Client is a VPN client installed on workstations, enabling secure point-to-site connections through the central platform to resources behind specific Spaceline Nodes.

Crucially, this entire backend architecture - comprising the CP, PoP, Spaceline Nodes, and Spaceline Client VPN setup - operates transparently to the typical end-user. Users interact solely with the user-friendly creative.space web and desktop applications, which are designed for a frictionless experience. These applications interface with the underlying platform exclusively via a comprehensive API; all configurations, connections, and management tasks performed by users are done through these apps, translating user actions into API calls to the sophisticated backend infrastructure.

Figure: creative.space Backstage and Spaceline Architecture Diagram

Backstage CP (Control Plane): The Central Hub

Backstage CP is the central control plane of the creative.space system. It is a self-hosted tunneled reverse proxy server with integrated identity and access management. In practice, Backstage CP is the “hub” that securely connects distributed networks and remote sites, similar to a self-hosted Cloudflare Tunnel service. It exposes private resources (web applications or internal services) through encrypted tunnels without requiring traditional VPNs or inbound open ports. Backstage CP provides a web-based dashboard UI for administrators to manage sites, resources, users, and access policies, making it the nerve center for configuration and monitoring the entire creative.space VPN and reverse proxy deployment.

Architecture and Technical Specifications

  • Built with a modular architecture
  • Utilizes reverse proxy to route HTTP(S) and TCP traffic
  • Employs a middleware plugin to enforce per-request authentication/authorization
  • Supports single sign-on (SSO) and role-based access controls
  • Docker-based containerized deployment
  • Integrates closely with Backstage PoP for WireGuard tunnel setup

Backstage PoP (Point of Presence Node): Network Security Core

Backstage PoP is the creative.space Point-of-Presence (PoP) node service. It runs alongside Backstage CP and acts as the WireGuard interface management server, handling the low-level VPN/tunneling operations that Backstage CP requires: provisioning and managing the WireGuard peers and interfaces that form the secure tunnels to the remote Spaceline Node site agents.

Backstage PoP also integrates with a modern reverse proxy that enables dynamic service discovery and load balancing for network traffic. Additionally, it works in conjunction with a middleware plugin that enforces per-request authentication and authorization policies for all tunneled traffic.
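The per-request check that the middleware plugin described above (and in the Backstage CP architecture list) performs, as an added example in Go that is not creative.space's own code: a bearer-token session lookup plus a role-based policy keyed by the published hostname, placed in front of Go's standard-library reverse proxy so a request that fails either check never reaches the tunneled service. The token table, hostnames and addresses are constructed placeholders.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Session is what the identity layer resolves a bearer token to.
type Session struct {
	User  string
	Roles map[string]bool
}

// Policy maps a published resource hostname to the roles allowed to reach it.
type Policy map[string][]string
// Constructed sample data, not real values: one SSO session and one published resource.
var ExampleSessions = map[string]Session{"tok-alice": {User: "alice", Roles: map[string]bool{"editor": true}}}
var ExamplePolicy = Policy{"nas.example.internal": {"editor", "admin"}}
// Authorize returns 0 to allow the request or the HTTP status to deny it with; every request is checked.
func Authorize(r *http.Request, sessions map[string]Session, policy Policy) int {
	auth := r.Header.Get("Authorization")
	sess, ok := sessions[strings.TrimPrefix(auth, "Bearer ")]
	if !strings.HasPrefix(auth, "Bearer ") || !ok {
		return http.StatusUnauthorized
	}
	for _, role := range policy[r.Host] { // unpublished host: nil slice, so we fail closed
		if sess.Roles[role] {
			return 0
		}
	}
	return http.StatusForbidden
}

// AuthMiddleware runs Authorize before the reverse proxy so a denied request never reaches the upstream.
func AuthMiddleware(next http.Handler, sessions map[string]Session, policy Policy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := Authorize(r, sessions, policy); code != 0 {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { // hypothetical: tunneled service at 127.0.0.1:8080, this proxy listening on :8443
	proxy := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "http", Host: "127.0.0.1:8080"})
	http.ListenAndServe(":8443", AuthMiddleware(proxy, ExampleSessions, ExamplePolicy))
}
```

Note that the proxied hostname, not the client's network location, selects the policy, which is what makes the check usable in front of a tunnel that terminates many sites.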

Architecture and Integration

  • Manages WireGuard interfaces and tunnels for encrypted communication
  • Handles networking back-end functionality for the creative.space VPN platform
  • Routes traffic securely and efficiently
  • Implements authentication and authorization for tunneled traffic
  • Has no user interface of its own; communicates directly with Backstage CP

Spaceline Node (Site Agent): Secure Edge Connectivity

Spaceline is the creative.space site agent, designed to run on remote networks/sites. Its primary responsibility is establishing secure tunnels from remote locations (edge locations) to the central Backstage CP control plane. Spaceline creates outbound-only secure tunnels using a user-space WireGuard implementation, so it needs neither kernel-level privileges nor dedicated VPN software on the host.

Technical Details

  • Establishes user-space WireGuard tunnels
  • Proxies local services securely to the Backstage CP control plane
  • Maintains persistent WebSocket control channels for instructions and tunnel configurations
  • Supports reconnection and keep-alive mechanisms for tunnel resilience

Spaceline Client (Workstation VPN Client): End-User Access

The Spaceline Client is the end-user VPN client application within the creative.space system. Installed on a user’s workstation (e.g., laptop or desktop), its primary role is establishing a secure point-to-site VPN connection. This allows individual users to gain direct network-level access to private resources on remote networks connected via Spaceline Node agents. The connection is typically routed securely through the central Backstage CP/PoP infrastructure, effectively extending the remote private network securely to the user’s machine.

Technical Details

  • Installs as native client software on end-user workstations (supporting common operating systems)
  • Establishes secure VPN tunnels, leveraging protocols consistent with the platform’s core (e.g., WireGuard), initiated from the user’s device
  • Authenticates the user, typically integrating with the Backstage CP’s identity and access management system, before granting connection
  • Routes traffic destined for the configured remote private networks through the established VPN tunnel via the central platform infrastructure
  • Provides network-level access to services behind the Spaceline Node, distinct from application-specific access via the reverse proxy

Advantages of the Integrated Architecture

The creative.space platform’s architectural approach offers several significant advantages for media operations:

  1. End-to-End Security: The entire communication path is secured with WireGuard encryption, from end-user workstations through to remote edge locations.

  2. No Exposed Ports: Since connections are established outbound from the remote sites, there’s no need to expose vulnerable services directly to the internet.

  3. Zero Trust Security Model: Every access request is authenticated and authorized individually, regardless of the network source.

  4. Simplified Administration: The centralized control plane allows administrators to manage all connections, permissions, and monitoring from a single interface.

  5. Transparent User Experience: Despite the sophisticated security infrastructure, end users interact with a simple, intuitive interface that abstracts away the complexity.

Conclusion: Enterprise-Grade Security with User-Friendly Experience

The creative.space VPN and reverse proxy architecture embodies a sophisticated approach to securing distributed media workflows while maintaining simplicity for end users. By combining the strengths of WireGuard-based VPN technology with a centralized control plane and distributed edge agents, the platform delivers enterprise-grade security without the traditional complexity associated with such robust protection.

This architecture is particularly valuable in media production environments, where the need to securely access large media assets from distributed locations must be balanced with ease of use for creative professionals. The seamless integration of all components, from the central Backstage CP and PoP to the edge Spaceline Nodes and end-user Spaceline Clients, creates a comprehensive security solution specifically tailored for the unique demands of media workflows.

DigitalGlue * 24040 Camino Del Avion, Suite E-262 * Dana Point * CA * 92629 * 877.822.4683 * digitalglue.com * creative.space