INTRO

DEVELOPMENT
* 2026-06-07 VPN Dataplane operational
* 2026-06-07 PKI identity operational
* 2026-06-07 CA trust validation operational
* 2026-06-07 Certificate/key ownership verification operational
* 2026-06-07 Cowboy HTTP/HTML admin dashboard operational
* 2026-06-07 N2O/Nitro interactive dashboard operational
ARCHITECTURE
Zencrypted VPN is a decentralized peer-to-peer overlay network dataplane that uses TUN/TAP virtual network devices, ChaCha20-Poly1305 AEAD authenticated encryption, and X.509 PKI trust verification.
* TUN/TAP Wrapper — Thin abstraction around tuncer/utun
* vpn_peer — Supervised worker representing a connection to a peer
* vpn_link — Operational bridge connecting TUN/TAP packet streams with UDP sockets
* vpn_crypto — AEAD chacha20_poly1305 encryption of UDP payload frames
* vpn_identity — Certificate and private key load, validation, and metadata extraction
* vpn_trust_store — Dev CA fixture X.509 signature verification
PACKET PIPELINE
The virtual interface intercepts IPv4/IPv6 packets, which are encapsulated into VPN frames, encrypted with the peer's pre-shared key (PSK) using ChaCha20-Poly1305, and transmitted over UDP to the remote peer. The remote peer decrypts the frame, validates it, and writes the raw packet to its local TUN/TAP interface.
SECURITY & IDENTITY
While the dataplane is encrypted using a temporary symmetric PSK, peers prove their identity during startup using X.509 certificates. The vpn_identity module checks that the peer's certificate is signed by the configured CA, that it has not expired, and that the local private key belongs to that certificate, by comparing the key's public component with the public key inside the certificate. This trust-store foundation ensures that only authenticated peers can boot and initialize the dataplane link.
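The startup identity check described above, as an added example written with OTP's public_key application; this is not the project's own vpn_identity or vpn_trust_store module. It assumes PEM files on disk (CA certificate, peer certificate, unencrypted RSA or EC private key) and proves key ownership with a sign/verify round trip over a random nonce instead of structurally comparing public-key records.

```erlang
%% vpn_identity_check.erl (added example; hypothetical module name)
-module(vpn_identity_check).
-export([verify/3]).
-include_lib("public_key/include/public_key.hrl").

%% verify(CaPemPath, CertPemPath, KeyPemPath) -> ok | {error, Reason}
%% 1. pkix_path_validation checks the CA signature and the validity window
%%    (an expired cert yields {bad_cert, cert_expired}).
%% 2. owns_key proves the private key matches the certificate's public key.
verify(CaPemPath, CertPemPath, KeyPemPath) ->
    CaDer   = read_cert_der(CaPemPath),
    CertDer = read_cert_der(CertPemPath),
    PrivKey = read_private_key(KeyPemPath),
    case public_key:pkix_path_validation(CaDer, [CertDer], []) of
        {ok, {_PublicKeyInfo, _PolicyTree}} ->
            case owns_key(PrivKey, cert_public_key(CertDer)) of
                true  -> ok;
                false -> {error, key_mismatch}
            end;
        {error, {bad_cert, Reason}} ->
            {error, {bad_cert, Reason}}
    end.

%% Proof of possession: sign a fresh nonce with the private key and verify it
%% with the public key taken from the certificate.
owns_key(PrivKey, PubKey) ->
    Nonce = crypto:strong_rand_bytes(32),
    Sig = public_key:sign(Nonce, sha256, PrivKey),
    public_key:verify(Nonce, sha256, Sig, PubKey).

%% Extract the SubjectPublicKeyInfo in the shape public_key:verify/4 expects:
%% an #'RSAPublicKey'{} record, or {#'ECPoint'{}, {namedCurve, Oid}} for EC.
cert_public_key(Der) ->
    #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{
        subjectPublicKeyInfo = #'OTPSubjectPublicKeyInfo'{
            algorithm = #'PublicKeyAlgorithm'{parameters = Params},
            subjectPublicKey = Key}}} = public_key:pkix_decode_cert(Der, otp),
    case Key of
        #'RSAPublicKey'{} -> Key;
        #'ECPoint'{}      -> {Key, Params}
    end.

read_cert_der(Path) ->
    {ok, Pem} = file:read_file(Path),
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(Pem),
    Der.

%% Assumes an unencrypted key; an encrypted PEM needs pem_entry_decode/2.
read_private_key(Path) ->
    {ok, Pem} = file:read_file(Path),
    [Entry | _] = public_key:pem_decode(Pem),
    public_key:pem_entry_decode(Entry).
```

Call it from the peer's startup path before opening the UDP socket: `vpn_identity_check:verify("ca.pem", "peer.pem", "peer.key")` returns `ok` only when all three checks pass.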