openme sends one encrypted UDP packet to open a firewall port for 30 seconds. To every port scanner on the internet, nothing is ever open.
One 165-byte UDP packet. No round trips. No open ports. No traces.
A fresh Curve25519 keypair is created for this knock only. After sending, the private key is discarded. This gives you forward secrecy — old captures cannot be decrypted later.
ECDH with the server's public key derives a shared secret. The payload (timestamp, nonce, target IP) is encrypted with ChaCha20-Poly1305. The whole packet is signed with your Ed25519 key.
The server checks the signature, decrypts the payload, validates the timestamp, and checks the nonce is fresh. On success, a firewall rule opens for your IP. It closes automatically after 30 seconds.
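The knock-and-verify flow described above, as an added Node.js example that is not openme's own code. The wire layout, the HKDF step, the JSON payload encoding and the 30-second freshness window are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// ASSUMED layout (not openme's wire format): eph_pub(32) | aead_nonce(12) | ciphertext | tag(16) | sig(64)
const rawPub = (k) => Buffer.from(k.export({ format: 'jwk' }).x, 'base64url');
const importPub = (raw) => crypto.createPublicKey(
  { key: { kty: 'OKP', crv: 'X25519', x: raw.toString('base64url') }, format: 'jwk' });
// ASSUMED KDF: the page only says ECDH "derives a shared secret"; HKDF-SHA256 is used here.
const deriveKey = (priv, pub) => Buffer.from(crypto.hkdfSync('sha256',
  crypto.diffieHellman({ privateKey: priv, publicKey: pub }), '', 'knock-example', 32));
const AEAD = 'chacha20-poly1305', OPTS = { authTagLength: 16 };

// Client: fresh X25519 key per knock, encrypt {ts, nonce, ip} (JSON is assumed), sign with Ed25519.
function knock(serverPub, signKey, ip, now = Date.now()) {
  const eph = crypto.generateKeyPairSync('x25519'); // private half is never stored
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv(AEAD, deriveKey(eph.privateKey, serverPub), iv, OPTS);
  const payload = JSON.stringify({ ts: now, nonce: crypto.randomBytes(16).toString('hex'), ip });
  const body = Buffer.concat([rawPub(eph.publicKey), iv, c.update(payload), c.final(), c.getAuthTag()]);
  return Buffer.concat([body, crypto.sign(null, body, signKey)]);
}

// Server: signature -> decrypt -> timestamp -> nonce. Any failure returns null (drop, no reply).
function verifyKnock(pkt, serverPriv, clients, seen, now = Date.now(), windowMs = 30000) {
  if (pkt.length < 32 + 12 + 16 + 64) return null;
  const body = pkt.subarray(0, -64), sig = pkt.subarray(-64);
  const who = Object.keys(clients).find((n) => crypto.verify(null, body, clients[n], sig));
  if (!who) return null;
  let p;
  try {
    const key = deriveKey(serverPriv, importPub(body.subarray(0, 32)));
    const d = crypto.createDecipheriv(AEAD, key, body.subarray(32, 44), OPTS);
    d.setAuthTag(body.subarray(-16));
    p = JSON.parse(Buffer.concat([d.update(body.subarray(44, -16)), d.final()]).toString());
  } catch { return null; }
  if (Math.abs(now - p.ts) > windowMs) return null; // ASSUMED freshness window
  if (seen.has(p.nonce)) return null;               // replayed capture
  seen.add(p.nonce); // a real server would expire entries older than windowMs
  return { client: who, ip: p.ip };
}

function demo() { // constructed keys and a documentation-range IP, not real data
  const srv = crypto.generateKeyPairSync('x25519'), alice = crypto.generateKeyPairSync('ed25519');
  const seen = new Set(), pkt = knock(srv.publicKey, alice.privateKey, '203.0.113.7');
  const check = () => verifyKnock(pkt, srv.privateKey, { alice: alice.publicKey }, seen);
  return [check(), check()]; // first knock accepted, byte-identical replay rejected
}
console.log(demo());
```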
Ports never appear open to scanners. The server doesn't even send an ICMP unreachable — the knock port is a black hole.
No handshake, no round trip, no session. A single 165-byte UDP datagram is all it takes.
Curve25519 ECDH, ChaCha20-Poly1305 AEAD, Ed25519 signatures. The same stack used by WireGuard and Signal.
Ephemeral keys per knock mean captured traffic cannot be decrypted, even if the server key is compromised later.
Full dual-stack support. Open rules for IPv4, IPv6, or both. Works with iptables and nftables.
QR-code provisioning for mobile clients. Scan once to configure. iOS and Android apps coming soon.
# Install
curl -Lo openme https://github.com/openme/openme/releases/latest/download/openme-linux-amd64
sudo install openme /usr/local/bin/
# Initialise
sudo openme init --server myserver.example.com
# Add a client
sudo openme add alice
# Start
sudo openme serve
# Paste the config printed by 'openme add'
nano ~/.openme/config.yaml
# Check server is reachable
openme status
# Knock and SSH
openme connect
Server on Linux. Client everywhere.