AegisRay is a production-grade, cryptographically secure P2P mesh VPN designed to operate in hostile network environments. It leverages multi-hop routing and SNI masquerading to traverse deep packet inspection (DPI) firewalls while maintaining absolute zero-trust privacy between peers.
- 👻 Invisible to DPI: Traffic disguises itself as standard HTTPS web browsing (e.g., to `cloudflare.com` or `google.com`) using SNI Masquerading.
- 🕸️ True Decentralization: No central coordination server. Nodes are fully autonomous, using Distributed Hash Table (DHT) principles and gossip protocols.
- 🔒 Military-Grade Crypto:
  - Identity: RSA-2048 identity keys bound to SHA-256 Node IDs.
  - Transport: AES-256-GCM session keys, rotated automatically every hour.
  - Integrity: RSA signatures on every Route Advertisement and Handshake.
For deep dives into specific topics, check out our detailed documentation:
- 📖 Configuration Guide: Templates for Peering, Gateways, and Exit Nodes.
- 🏗️ System Architecture: How MeshNode, Router, and P2P layers interact.
- 🔐 Security Model: Cryptographic audits, Handshake flows, and Threat models.
- 🚀 Deployment & Tuning: Docker, Systemd, and Kernel optimizations.
AegisRay creates a virtual overlay network.
- Self-Healing: Nodes monitor peer latency and packet loss. If a direct link fails, the mesh automatically re-routes traffic through healthy neighbors.
- NAT Traversal: Built-in RFC 5389 STUN client and multi-burst UDP hole punching allow connections to pierce through strict corporate/residential NATs.
- Split Horizon: Routing logic explicitly prevents loops by filtering route advertisements based on their source.
- Transitive Routing: Node A <-> Node B <-> Node C. If A cannot reach C directly, B acts as a transparent, encrypted relay.
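The self-healing, split-horizon and transitive-routing behaviour described above, as an added Go example written for this README (it is not AegisRay's own `Router`; the `Route`, `Router`, `Learn`, `Advertise` and `SetLinkState` names are hypothetical). It keeps every route learned from every neighbor so that a link failure reported by peer monitoring immediately falls back to the next-best neighbor, and it withholds from each neighbor any destination whose best path runs through that neighbor, which is the split-horizon rule that prevents two nodes from pointing at each other for a destination that has gone away.

```go
package main

import "fmt"

// Route is a hypothetical mesh route entry, constructed for this example (not AegisRay's own type).
type Route struct {
	Dest    string // destination node ID
	NextHop string // neighbor that advertised the route and forwards toward Dest
	Hops    int    // path length via NextHop
}

// Router keeps every route learned from every neighbor, plus the health of each neighbor link
// as reported by latency/loss monitoring. Keeping all candidates is what makes failover instant.
type Router struct {
	self   string
	routes []Route
	alive  map[string]bool
}

func NewRouter(self string) *Router {
	return &Router{self: self, alive: map[string]bool{}}
}

// AddNeighbor registers a directly connected peer with a healthy link.
func (r *Router) AddNeighbor(id string) {
	r.alive[id] = true
	r.Learn(id, id, 0)
}

// Learn records that neighbor `from` reaches `dest` in `hops` hops; via `from` it costs hops+1.
func (r *Router) Learn(from, dest string, hops int) {
	if dest == r.self {
		return // never accept a route to ourselves
	}
	for i, rt := range r.routes {
		if rt.Dest == dest && rt.NextHop == from {
			r.routes[i].Hops = hops + 1
			return
		}
	}
	r.routes = append(r.routes, Route{Dest: dest, NextHop: from, Hops: hops + 1})
}

// SetLinkState is called by peer monitoring when a direct link fails or recovers.
func (r *Router) SetLinkState(neighbor string, up bool) { r.alive[neighbor] = up }

// best returns the shortest route to dest over a healthy link, or false if none exists.
func (r *Router) best(dest string) (Route, bool) {
	var b Route
	found := false
	for _, rt := range r.routes {
		if rt.Dest == dest && r.alive[rt.NextHop] && (!found || rt.Hops < b.Hops) {
			b, found = rt, true
		}
	}
	return b, found
}

// NextHop is the forwarding decision: "" means the destination is currently unreachable.
func (r *Router) NextHop(dest string) string {
	if b, ok := r.best(dest); ok {
		return b.NextHop
	}
	return ""
}

// Advertise builds the route advertisement sent to neighbor `to`, applying split horizon:
// a destination whose best path runs through `to` is withheld from `to`, so the two nodes can
// never end up pointing at each other for a destination that has gone away.
func (r *Router) Advertise(to string) map[string]int {
	adv := map[string]int{}
	seen := map[string]bool{}
	for _, rt := range r.routes {
		if seen[rt.Dest] {
			continue
		}
		seen[rt.Dest] = true
		if b, ok := r.best(rt.Dest); ok && b.NextHop != to && rt.Dest != to {
			adv[rt.Dest] = b.Hops
		}
	}
	return adv
}

func main() {
	a := NewRouter("A")
	a.AddNeighbor("B")
	a.AddNeighbor("C")
	a.Learn("B", "D", 1) // B reaches D directly
	a.Learn("C", "D", 2) // C reaches D through another node
	fmt.Println("to D via", a.NextHop("D"), "| advertise to B:", a.Advertise("B"))
	a.SetLinkState("B", false) // monitoring declares the A<->B link dead
	fmt.Println("to D via", a.NextHop("D"), "| advertise to B:", a.Advertise("B"))
}
```

In the scenario in `main`, A forwards to D through B, advertises only C to B (D is withheld by split horizon), and the moment the B link is marked down it re-routes D through C, which is the transitive relay case from the list above.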
- Docker (Recommended for testing)
- Go 1.21+ (For building from source)
- Linux (Kernel 5.6+ with WireGuard modules for TUN support)
Verify the mesh logic in a safe, isolated container environment:

```bash
# 1. Clone the repo
git clone https://github.com/surya-d-naidu/AegisRay.git
cd AegisRay

# 2. Start a 2-node mesh cluster
docker compose -f docker-compose.test.yml up --build

# 3. Watch the magic in logs
```

Build from source and run on the host:

```bash
# Build the binary
make build

# Run with a template config
sudo ./bin/aegisray-mesh -config=configs/templates/basic-peer.yaml
```

Current Status: 🟢 Release Candidate 1.0
- Mobile SDK: Port core Mesh logic to `gomobile` (Android/iOS bindings).
- Desktop GUI: Electron or Gio UI for Windows/Mac/Linux.
- Systray Agent: Lightweight background daemon for status monitoring.
- Multipath Routing: Allow using multiple paths simultaneously for higher throughput.
- Traffic Obfuscation V2: Implement stronger padding to resist entropy analysis (e.g., mimic DTLS 1.3).
- IPv6 Support: Full IPv6 mesh overlay and transport.
- Post-Quantum KEM: Replace RSA Handshake with Kyber/Dilithium algorithms.
- Hardware Token Support: Store Identity Keys on YubiKeys (PKCS#11).
- Audit Logging: Tamper-evident local audit logs for regulated environments.
- Kubernetes Operator: Custom Resource Definition (CRD) for auto-meshing K8s pods.
- Terraform Provider: Automate cloud gateway provisioning on AWS/GCP/DigitalOcean.
AegisRay follows a Zero-Trust model.
- Join Request: A new node sends a signed request.
- Verification: The receiving peer verifies the signature against the public key ID.
- Key Exchange: An ephemeral AES session key is generated, encrypted with the target's RSA Public Key, and sent back.
- Session-Lock: All subsequent data packets use this unique AES key.
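The four handshake steps above, together with the Identity, Transport and Integrity bullets from the crypto list, as an added Go example written for this README (it is not AegisRay's own handshake code). Everything beyond what the README states is an assumption made here: Node IDs are the hex SHA-256 of the DER-encoded RSA-2048 public key, the join request is signed with RSA-PSS over the key and the target ID, the session key is wrapped with RSA-OAEP under a hypothetical label, and the `Node`, `JoinRequest`, `Join`, `VerifyJoin`, `IssueSessionKey`, `UnwrapSessionKey` and `SessionAEAD` names are invented for the example. The security point it makes is that the verifier derives the joiner's ID from the key inside the signed request rather than trusting an ID sent alongside it, so a signature that verifies is bound to exactly one Node ID.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"io"
)

const oaepLabel = "aegisray-session-key" // hypothetical label, constructed for this example

// Node holds an RSA-2048 identity key; its ID is the hex SHA-256 of the DER public key (assumed derivation).
type Node struct {
	priv *rsa.PrivateKey
	ID   string
}

func NewNode() (*Node, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Node{priv: priv, ID: NodeID(&priv.PublicKey)}, nil
}

// NodeID binds a public key to its SHA-256 identifier.
func NodeID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed RSA key
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// JoinRequest carries the joiner's public key, the intended target and an RSA-PSS signature over both.
type JoinRequest struct {
	PubDER []byte
	Target string
	Sig    []byte
}

// joinDigest hashes pubDER || target; target is fixed-width hex, so the concatenation is unambiguous.
func joinDigest(pubDER []byte, target string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, pubDER...), target...))
	return sum[:]
}

// Join builds the signed request a new node sends to target.
func (n *Node) Join(target string) (*JoinRequest, error) {
	der, err := x509.MarshalPKIXPublicKey(&n.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, n.priv, crypto.SHA256, joinDigest(der, target), nil)
	return &JoinRequest{PubDER: der, Target: target, Sig: sig}, err
}

// VerifyJoin checks the target, the key size and the signature; the joiner's ID is derived from the key, never trusted from the wire.
func (n *Node) VerifyJoin(req *JoinRequest) (*rsa.PublicKey, error) {
	if req.Target != n.ID {
		return nil, errors.New("join request addressed to a different node")
	}
	pubAny, err := x509.ParsePKIXPublicKey(req.PubDER)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok || pub.Size() != 256 {
		return nil, errors.New("identity key is not a well-formed RSA-2048 key")
	}
	if rsa.VerifyPSS(pub, crypto.SHA256, joinDigest(req.PubDER, req.Target), req.Sig, nil) != nil {
		return nil, errors.New("join signature invalid")
	}
	return pub, nil
}

// IssueSessionKey creates a fresh AES-256 key and wraps it with RSA-OAEP under the joiner's key.
func IssueSessionKey(joinerPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, joinerPub, key, []byte(oaepLabel))
	return key, wrapped, err
}

func (n *Node) UnwrapSessionKey(wrapped []byte) ([]byte, error) { // joiner recovers the session key
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, n.priv, wrapped, []byte(oaepLabel))
}

// SessionAEAD is the AES-256-GCM instance that protects every data packet after the handshake.
func SessionAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

To walk the flow, create two nodes, call `Join` on the joiner with the peer's `ID`, hand the request to the peer's `VerifyJoin`, wrap a key with `IssueSessionKey` for the returned public key, unwrap it on the joiner, and build `SessionAEAD` on both sides; from that point every packet is sealed under that one key, which is the Session-Lock step. A request whose `Target` is another node's ID, or whose signature has been altered in transit, is rejected before any key material is issued.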
Contributions are welcome! Please check out the `internal` directory to understand the core logic before submitting PRs.
This project is licensed under the MIT License.
Maintained with ❤️ by the AegisRay Team at https://github.com/surya-d-naidu/AegisRay