add doc for how mtls/e2ee/packet encap works etc

[dovholuknf]

question came in :

How does the tunneler encapsulate the dataplane packets?
I only see the used “mtls” support but in which layer are the dataplane packets encapsulated? ( e.g Vxlan encapsulated ethernet-frames in UDP, wireguard encapsulates layer3 packets in new layer3 packets on UDP layer).
I can nothing find regarding openzit encapsulations, and I though that the dataplane packet payload is encrypted in a https packet, but perhaps I am wrong.

my adhoc reply was:

assuming he exclusively refers to a tunneler -- NOT an app embedded approach:

shortest answer is "persistent TCP connections from client to router and router to router".

slightly longer answer is UDP and TCP packets are captured by the local operating system and directed towards our software via varying os-specific mechanisms (ip routes, search domains, nrpt vpn plugins etc), all ending in our software.

Once the packets arrive at our software, we extract the payloads and send them over the overlay to the destination. Once at the destination the payloads are sent to the destination specified over a separate underlay connection established at that destination (if they are exiting the openziti overlay).

The packets traverse openziti encapsulated inside persistent mTLS TCP connections from tunneler to edge router/fabric (and from router to router).

The initial part of the openziti overlay that initiates the traffic will perform the e2ee negotiation/implementation.

at some point, find a place to put this somewhere on the doc site