openme Documentation
Single Packet Authentication for Linux firewalls
Welcome to the openme documentation. openme lets an authenticated client send a single encrypted UDP packet to temporarily open a firewall port. To any port scanner, the port is always closed — only valid clients can trigger a rule.
Clients are available for every major platform: Linux, macOS, Windows, iOS, watchOS, and Android — all sharing the same YAML profile format. Mobile apps support the QR-code provisioning flow.
Where to Start
🚀 New to openme?
Start with the Getting Started guide — you’ll have a server running and a client connecting in under five minutes.
🔐 Curious about the security?
Read the Protocol specification for a full breakdown of the cryptographic design, or the Security Model for the threat model.
⚙️ Configuring your deployment?
The Configuration reference covers every option for both server and client config files.
🛠️ Building an integration?
Browse the Developer section for SDKs across Go, Swift, Kotlin, C#, and C — each with a full API reference and integration guide.
At a Glance
# Server — one-time setup
sudo openme init --server myserver.example.com
sudo openme add alice # prints client config
sudo openme serve
# Client
openme status # health check
openme knock # knock + optional post-hook
openme knock home # named profile
Design Principles
openme is deliberately minimal in its attack surface:
- One binary — server daemon, client, and key management in one tool
- No PKI — keys are exchanged out-of-band (copy/paste or QR scan)
- No open ports — the knock port appears closed at all times
- Modern cryptography — Curve25519, ChaCha20-Poly1305, Ed25519
- Forward secrecy — ephemeral ECDH per knock; old captures cannot be decrypted later