Each node in the network is identified by its public key. The corresponding private key never leaves the node. We encrypt tunneled packets using the public key of the receiving node. This protects the packets from man-in-the-middle attacks.
For IP cameras, EV chargers and other devices that can't run a VPN we encrypt the traffic for the real node (i.e. the node that actually runs a VPN) to which these devices are directly attached via some local network. This means that the only way to tamper the traffic is to physically breach the device in the field.
If the device is breached we offer a way to ban the node through our license server.
The future version will include a way to tunnel Ethernet-based traffic.