Single Packet Authentication

Your firewall port,
always closed.
Until you knock.

openme sends one encrypted UDP packet to open a firewall port for 30 seconds. To every port scanner on the internet, nothing is ever open.

$ openme connect home
Knocking home.example.com:7777 ...
Knock sent.
Running post-knock: ssh user@home.example.com
user@home:~$

How it works

One 165-byte UDP packet. No round trips. No open ports. No traces.

1. Generate ephemeral keys

A fresh Curve25519 keypair is created for this knock only. After sending, the private key is discarded. This gives you forward secrecy — old captures cannot be decrypted later.

2. Encrypt and sign

ECDH with the server's public key derives a shared secret. The payload (timestamp, nonce, target IP) is encrypted with ChaCha20-Poly1305. The whole packet is signed with your Ed25519 key.

3. Server verifies and opens

The server checks the signature, decrypts the payload, validates the timestamp, and checks the nonce is fresh. On success, a firewall rule opens for your IP. It closes automatically after 30 seconds.
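The two freshness checks in step 3 (timestamp validation and nonce replay detection), as an added example that is not openme's own code. The class name, the result strings and the 60-second tolerance are assumptions; the page does not state the server's values.

```python
import time

MAX_SKEW = 60.0  # assumed tolerance in seconds; not a value taken from openme


class ReplayGuard:
    """Freshness check, to be run only after the signature and AEAD tag verify.

    Recording nonces from unauthenticated packets would let anyone fill the cache.
    """

    def __init__(self, max_skew=MAX_SKEW, clock=time.time):
        self.max_skew = max_skew
        self.clock = clock
        self.seen = {}  # nonce -> last instant at which its timestamp is still valid

    def _prune(self, now):
        # A nonce can be forgotten once its packet would fail the timestamp
        # check anyway, which bounds the cache to one window of knocks.
        for nonce in [n for n, exp in self.seen.items() if exp < now]:
            del self.seen[nonce]

    def accept(self, timestamp, nonce):
        now = self.clock()
        self._prune(now)
        if abs(now - timestamp) > self.max_skew:
            return "stale"   # too old, or too far in the future
        if nonce in self.seen:
            return "replay"  # valid timestamp, but this nonce was already used
        self.seen[nonce] = timestamp + self.max_skew
        return "ok"


if __name__ == "__main__":
    # Constructed sample knocks: (timestamp, nonce), driven by a fake clock.
    fake_now = [1000.0]
    guard = ReplayGuard(clock=lambda: fake_now[0])
    for ts, nonce in [(1000.0, b"a"), (1000.0, b"a"), (900.0, b"b")]:
        print(ts, nonce, guard.accept(ts, nonce))
```

The timestamp window is what keeps the nonce cache small: without it the server would have to remember every nonce forever to reject a captured packet.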

Why openme

Always closed

Ports never appear open to scanners. The server doesn't even send an ICMP unreachable — the knock port is a black hole.

One packet

No handshake, no round trip, no session. A single 165-byte UDP datagram is all it takes.

Modern crypto

Curve25519 ECDH, ChaCha20-Poly1305 AEAD, Ed25519 signatures. The same stack used by WireGuard and Signal.

Forward secrecy

Ephemeral keys per knock mean captured traffic cannot be decrypted, even if the server key is compromised later.

IPv4 + IPv6

Full dual-stack support. Open rules for IPv4, IPv6, or both. Works with iptables and nftables.

Mobile ready

QR-code provisioning for mobile clients. Scan once to configure. iOS and Android apps coming soon.

Up and running in 5 minutes

Server

Linux server
# Install
curl -Lo openme https://github.com/openme/openme/releases/latest/download/openme-linux-amd64
sudo install openme /usr/local/bin/

# Initialise
sudo openme init --server myserver.example.com

# Add a client
sudo openme add alice

# Start
sudo openme serve

Client

macOS / Linux / Windows
# Paste the config printed by 'openme add'
nano ~/.openme/config.yaml

# Check server is reachable
openme status

# Knock and SSH
openme connect

Every platform

Server on Linux. Client everywhere.

Linux: Available
macOS: Available
Windows: Available
Android: Coming soon
iOS: Coming soon