Skip to main content
Mole inspecting security

Security Overview

Your traffic stays private even when it passes through transit nodes you don't control. Only the ingress and exit see your data - everything in between sees encrypted bytes they cannot decrypt.

What this means for you:

  • Compromise a transit node? They see nothing useful
  • Network tapped between agents? Traffic is encrypted
  • Unauthorized client tries to connect? Rejected by authentication

Security Model

End-to-End Encryption

Transit nodes relay your traffic without being able to read it:

  • Your data is encrypted before leaving the ingress
  • Only the exit node can decrypt it
  • Even if a transit is compromised, your data stays private

See End-to-End Encryption for details.

Transport Security

All peer connections use TLS 1.3:

  • Encryption: All traffic encrypted in transit
  • Authentication: Server certificates validated
  • Mutual TLS: Optional client certificate authentication
  • Perfect Forward Secrecy: Session keys derived per connection

Authentication Layers

LayerMechanismPurpose
E2EX25519 + ChaCha20-Poly1305Stream data encryption
TLSCertificatesPeer authentication
mTLSClient certsMutual authentication
SOCKS5Username/passwordClient authentication
Shellbcrypt passwordCommand authorization
File Transferbcrypt passwordTransfer authorization
Sleep/WakeEd25519 signaturesCommand authentication

Authorization

  • Route-based ACL: Exit only allows configured CIDRs
  • Shell whitelist: Only whitelisted commands allowed
  • File path restrictions: Only allowed paths accessible

What You're Protected Against

If This Happens...You're Protected Because...
Someone captures traffic between agentsIt's encrypted - they see random bytes
Transit node is compromisedE2E encryption - transit can't decrypt your data
Someone replays captured trafficNonce-based encryption detects replays
Someone modifies traffic in transitAuthenticated encryption detects tampering
Unauthorized peer tries to connectmTLS rejects unknown certificates
Unauthorized client tries to use proxySOCKS5 authentication blocks them
Someone tries to run unauthorized commandsShell whitelist blocks unapproved commands
Someone tries to hibernate your meshSigning keys verify sleep/wake commands

What You Need to Protect Yourself

RiskYour Responsibility
CA private key stolenStore it securely (HSM, vault, encrypted disk)
Ingress or exit host compromisedHarden your endpoints - they see your data
Traffic pattern analysisDisable protocol identifiers, use standard ports. See Traffic Patterns
Insider with valid credentialsMonitor logs, rotate credentials

Security Checklist

Minimum Security

  • TLS certificates generated and deployed
  • Certificate CA key secured
  • SOCKS5 bound to localhost or authenticated
  • Exit routes restricted to needed CIDRs
  • Mutual TLS enabled
  • SOCKS5 authentication enabled
  • Shell disabled or password-protected
  • File transfer disabled or restricted
  • Monitoring and alerting configured
  • Regular certificate rotation

Production Security

  • All of the above
  • CA key in HSM or secure vault
  • Network segmentation
  • Intrusion detection
  • Audit logging
  • Incident response plan

Quick Hardening

Apply these four changes for immediate security improvement:

  1. Disable unused features - Shell and file transfer are disabled by default. Keep them disabled unless needed. See Shell and File Transfer configuration.

  2. Restrict SOCKS5 access - Bind to localhost and enable authentication. See SOCKS5 Configuration.

  3. Restrict exit routes - Only advertise specific CIDRs, not 0.0.0.0/0. See Exit Configuration.

  4. Enable mTLS - Require valid client certificates for peer connections. See TLS Configuration.

For detailed hardening guidance, see Best Practices.

Security Topics

TopicDescription
E2E EncryptionStream payload encryption
TLS/mTLSCertificate-based security
AuthenticationClient and shell authentication
Access ControlRoute and command restrictions
Best PracticesProduction hardening guide
Traffic PatternsNetwork detection and analysis

Reporting Security Issues

If you discover a security vulnerability:

  1. Do NOT open a public issue
  2. Contact the maintainers privately
  3. Provide detailed reproduction steps
  4. Allow reasonable time for fix before disclosure

Next Steps