Deployment Modes and Configuration
Larktun is delivered as a SaaS service for both individual users and teams. Deployment planning is usually a combination of tenant boundaries, ACL strategy, and relay model rather than one fixed topology.
Target users and common scenarios
- Individual users: remote access to home devices, personal servers, and development machines with low operational overhead.
- Team users: collaborative access to internal resources with centralized ACL and audit controls.
SaaS relay capabilities
Under the same SaaS control plane, you can choose among three relay options:
- Free relay (shared): available by default, ideal for fast onboarding and lightweight validation.
- Dedicated relay: for paid teams that need tighter latency, capacity, isolation, and stability.
- User-managed relay: customer-operated DERP nodes for custom geography, network boundaries, or compliance.
Recommended progression:
- Start with free shared relay for initial rollout and path verification.
- Move to dedicated relay when traffic volume or SLA requirements grow.
- Add user-managed relay when compliance or strict network boundaries are required.
Recommended deployment models
SaaS control plane
Best for fast onboarding for both individuals and teams, with managed account/tenant, policy, audit, and operations capabilities.
SaaS + dedicated relay
Best for paid users (individuals or teams) that require tighter latency, capacity, and fault-isolation control while keeping SaaS control-plane operations.
SaaS + user-managed relay
Best for users who need custom geography, network boundaries, or compliance placement.
Planning checklist
- Tenant partitioning: separate by customer, business unit, or environment
- ACL model: define least-privilege access by role and device tags
- Relay placement: decide shared, dedicated, or user-managed with region layout
- Stability controls: reconnect behavior, health checks, and path monitoring
- Endpoint experience: ensure low footprint and non-intrusive runtime
User-managed relay guidance
- Start with one relay close to primary user regions.
- Add health checks and alerting to maintain availability.
- Add redundancy and failover drills for higher concurrency.
- Keep exposure minimal (only the relay's DERP and STUN ports reachable) and apply security patches regularly.
Configuration example
Example DERP JSON for tenant t01:
{
  "omitDefaultRegions": false,
  "regions": {
    "903": {
      "regionID": 903,
      "avoid": false,
      "regionCode": "t01",
      "regionName": "Tenant t01 DERP",
      "nodes": [
        {
          "ipv4": "18.138.241.18",
          "name": "t01-903a",
          "hostName": "derper.example.com",
          "regionID": 903,
          "derpport": 8088,
          "stunport": 3478
        }
      ]
    }
  }
}
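A pre-rollout consistency check for a relay map like the one above, as an added example that is not Larktun's own tooling. The function name lint_derp_map and the BROKEN_MAP variant are constructed for illustration, and the check assumes the key spelling and explicit ports used in the configuration example.

```python
import copy
import ipaddress

# The tenant t01 map from the configuration example, as a parsed dict.
PAGE_MAP = {
    "omitDefaultRegions": False,
    "regions": {"903": {
        "regionID": 903, "avoid": False,
        "regionCode": "t01", "regionName": "Tenant t01 DERP",
        "nodes": [{"ipv4": "18.138.241.18", "name": "t01-903a",
                   "hostName": "derper.example.com", "regionID": 903,
                   "derpport": 8088, "stunport": 3478}],
    }},
}

# Constructed broken variant: node filed under the wrong region, bad STUN port.
BROKEN_MAP = copy.deepcopy(PAGE_MAP)
BROKEN_MAP["regions"]["903"]["nodes"][0].update(regionID=904, stunport=70000)

def lint_derp_map(derp):
    """Return a list of consistency problems in a parsed DERP map."""
    problems, seen = [], set()
    for key, region in derp.get("regions", {}).items():
        rid = region.get("regionID")
        if str(rid) != key:
            problems.append(f"region {key}: regionID {rid} does not match its key")
        nodes = region.get("nodes") or []
        if not nodes:
            problems.append(f"region {key}: no nodes defined")
        for node in nodes:
            name = node.get("name", "<unnamed>")
            if name in seen:
                problems.append(f"node {name}: duplicate node name")
            seen.add(name)
            if node.get("regionID") != rid:
                problems.append(f"node {name}: regionID {node.get('regionID')} is not region {rid}")
            if not node.get("hostName"):
                problems.append(f"node {name}: hostName is missing")
            if "ipv4" in node:
                try:
                    ipaddress.IPv4Address(node["ipv4"])
                except ValueError:
                    problems.append(f"node {name}: ipv4 {node['ipv4']!r} is invalid")
            # Assumption: ports are set explicitly, as in the page's example.
            for field in ("derpport", "stunport"):
                port = node.get(field)
                if type(port) is not int or not 1 <= port <= 65535:
                    problems.append(f"node {name}: {field} {port!r} is not a port in 1-65535")
    return problems
```

An empty list means the map is internally consistent; it does not confirm that the relay is reachable, so it complements the health checks rather than replacing them.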
Rollout guidance
- For individual users, start with one tenant, one relay region, and one validated ACL path
- For teams, template one tenant first, then replicate safely
- Standardize ACL and audit before scaling device count
- Validate failover for user-managed relay before production