Sovereign Post-Quantum Mesh Networking
A self-hosted, zero-trust mesh VPN built from scratch. Rooted in hardware entropy and protected by ML-KEM-1024 post-quantum cryptography.
Features
01 — Post-Quantum
Protected by NIST-standardized ML-KEM-1024 (FIPS 203) layered over WireGuard. Secure against "harvest now, decrypt later" threats.
02 — Hardware Entropy
Key exchange seeded by physical random numbers from an ESP32-S3 TRNG. No reliance on software PRNGs or system jitter.
03 — Zero-Trust Mesh
Peers negotiate keys directly. The Lighthouse relays ciphertext but remains blind to your shared secrets.
04 — NAT Traversal
Advanced hole punching and smart NAT pairing ensure connectivity across restricted environments, including native IPv6.
05 — Automatic Key Rotation
Client PSKs rotate every 4 hours via HKDF-SHA256 with per-peer binding. Mesh tunnel PSKs rotate every 24 hours directly peer-to-peer.
06 — Deterministic IPv6 Identity
The Cobra-Dicyanin layer gives every node a predictable globally-routable IPv6 address, enabling direct dialing with no NAT traversal required.
Hardware-Tiered Isolation
- The Tongue: ESP32-S3 physical TRNG
- The Vault: isolated Raspberry Pi Zero 2 W
- The Lighthouse: Raspberry Pi coordinator
Two-Interface Network Model
Each client runs two distinct WireGuard interfaces so the coordination plane and the data plane never touch.
wg_quantum — 10.100.0.0/24
The post-quantum coordination tunnel to the Lighthouse. Used only for negotiating mesh connections and exchanging KEM ciphertext. The Lighthouse is not a WireGuard endpoint — it runs only the HTTPS coordination API.
wg_mesh — 10.200.0.0/24
The peer-to-peer data plane. All real traffic flows here. Each peer holds a direct WireGuard tunnel to every other peer, bound by a fresh ML-KEM-derived preshared key.
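How the per-peer, rotating preshared keys described above can be derived from an ML-KEM shared secret with HKDF-SHA256 and domain separation between the two interfaces, as an added example that is not Cobra Tail's own code. The labels, the salt construction and the epoch scheme are assumptions; only the 4 h / 24 h rotation windows and the HKDF-SHA256 choice come from the page.

```python
# Added example (not Cobra Tail's own code): deriving a per-peer, time-rotated
# WireGuard preshared key from an ML-KEM shared secret with HKDF-SHA256
# (RFC 5869) and domain separation. Labels, salt and epoch scheme are
# assumptions; the real project derives its PSKs its own way.
import base64
import hashlib
import hmac
import struct

CLIENT_PSK_ROTATION_S = 4 * 3600   # page: client PSKs rotate every 4 hours
MESH_PSK_ROTATION_S = 24 * 3600    # page: mesh tunnel PSKs rotate every 24 hours


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract, then expand to `length` bytes."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 cannot expand beyond 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_wg_psk(kem_secret: bytes, local_pub: bytes, remote_pub: bytes,
                  label: bytes, now: int, rotation_s: int) -> str:
    """Bind the KEM secret to an unordered peer pair and a rotation epoch.

    The peer public keys are sorted so both sides compute the same PSK, and
    the label ("cobra-tail/client-psk" vs "cobra-tail/mesh-psk", assumed names)
    keeps the two interfaces' keys domain-separated even from one KEM secret.
    Returns the 32-byte PSK base64-encoded, the form `wg set ... preshared-key` expects.
    """
    epoch = now // rotation_s                      # same epoch -> same PSK
    lo, hi = sorted((local_pub, remote_pub))       # symmetric per-peer binding
    info = label + b"\x00" + lo + b"\x00" + hi + struct.pack(">Q", epoch)
    salt = hashlib.sha256(label).digest()          # assumption: label-derived salt
    return base64.b64encode(hkdf_sha256(kem_secret, salt, info, 32)).decode()


if __name__ == "__main__":
    # Constructed sample values: a fake KEM secret and 32-byte WireGuard public keys.
    secret = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
    pk_a, pk_b = b"A" * 32, b"B" * 32
    psk = derive_wg_psk(secret, pk_a, pk_b, b"cobra-tail/mesh-psk", 1_700_000_000, MESH_PSK_ROTATION_S)
    print("mesh PSK for this 24 h epoch:", psk)
```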
Threat Model
Being honest about what a VPN can and cannot protect against matters — especially one that calls itself "quantum-resistant."
✅ Protects Against
- Harvest-now-decrypt-later. Encrypted traffic captured today cannot be retroactively decrypted once quantum computers mature. ML-KEM guarantees past session keys stay safe.
- Compromised Lighthouse. The coordination server never sees shared secrets. A full compromise can deny service or add rogue peers, but cannot decrypt existing traffic.
- MITM on coordination channel. TLS with pinned certificate fingerprints stops rogue CAs and compromised upstream networks from inserting themselves into enrollment or rotation.
- Passive network observation. Standard WireGuard properties apply — tunnel contents are encrypted and authenticated with ChaCha20-Poly1305.
- Local-network identity leaks. Full-stack spoofing (MAC, hostname, DHCP fingerprint, SLAAC token, TTL) prevents observers from fingerprinting your device.
❌ Does NOT Protect Against
- A compromised endpoint. Malware running as root on your client reads tunnel traffic directly. No VPN can help here — use endpoint security hygiene.
- A malicious Vault operator. The Vault holds the ML-KEM private key. If you don't physically control the hardware, you don't control your keys.
- Traffic analysis. Packet sizes and timing are still observable. Cobra Tail does not implement padding or cover traffic — use Tor or a mixnet if that's your threat.
- Physical attacks on hardware. No side-channel resistance, no HSM. A stolen Vault exposes at most ~4 hours of traffic before automatic keypair rotation invalidates it.
- Legal compulsion. A court order served to a Lighthouse operator is a policy problem, not a cryptographic one.
Trust But Verify
All code and build scripts are in the repository. The pre-built binaries on GitHub Releases are a convenience — if you have any reason to distrust them, build your own. SHA256SUMS files are published with every release so you can verify that your build matches ours.
# Clone the repo
git clone https://github.com/CobraTechLLC/Cobra_Tail.git
cd Cobra_Tail
# Build the Lighthouse .deb
sudo ./build_lighthouse_deb.sh 1.0.0 arm64
# Build the client .deb (amd64 or arm64)
sudo ./build_client_deb.sh 1.0.0 arm64
# Build the Vault .deb (run on the Pi Zero 2 W itself)
./build_vault_deb.sh 1.0.0 arm64
Technical Overview
Cobra Tail is designed for users who refuse to trust third-party cloud brokers. By running your own Lighthouse, you control the mesh. By using a Vault (Pi Zero 2 W), you isolate the crypto path from the host machine.
- Status: v1.0.0 — Current Release
- Core: ML-KEM-1024 + HKDF-SHA256 over WireGuard
- Entropy: ESP32-S3 hardware TRNG
- Rotation: Client PSK 4h · Mesh PSK 24h
- Binaries: Windows (.exe), Linux (.deb arm64/amd64)
- Dependencies: liboqs · WireGuard · pyca/cryptography
Roadmap
v1.0.0 — Shipped
- ✅ Post-quantum tunnel stack (ML-KEM-1024)
- ✅ HKDF-SHA256 PSK derivation with domain separation
- ✅ Zero-trust mesh with peer-to-peer KEM exchange
- ✅ Full NAT traversal (STUN, UPnP, IPv6, self-healing)
- ✅ Deterministic IPv6 identity (Cobra-Dicyanin)
- ✅ Lighthouse, Client, and Vault .deb packages
- ✅ Windows .exe installer
Planned
- 🔲 Full-tunnel exit node support
- 🔲 GUI client (currently CLI/TUI only)
- 🔲 Android client
- 🔲 TURN-style relay for the most restrictive NATs
- 🔲 Signed Windows binaries via SignPath Foundation