openme Documentation

Single Packet Authentication for Linux firewalls

Welcome to the openme documentation. openme lets an authenticated client send a single encrypted UDP packet to temporarily open a firewall port. To any port scanner, the port is always closed — only valid clients can trigger a rule.

Where to Start

🚀 New to openme?

Start with the Getting Started guide — you’ll have a server running and a client connecting in under five minutes.

🔐 Curious about the security?

Read the Protocol specification for a full breakdown of the cryptographic design, or the Security Model for the threat model.

⚙️ Configuring your deployment?

The Configuration reference covers every option for both server and client config files.

📖 Looking for the API?

The API Reference is auto-generated from Go source comments using pkgsite.

At a Glance

# Server — one-time setup
sudo openme init --server myserver.example.com
sudo openme add alice                           # prints client config
sudo openme serve

# Client
openme status                                   # health check
openme connect                                  # knock + optional post-hook
openme connect home                             # named profile

Design Principles

openme is deliberately minimal in its attack surface:

  • One binary — server daemon, client, and key management in one tool
  • No PKI — keys are exchanged out-of-band (copy/paste or QR scan)
  • No open ports — the knock port appears closed at all times
  • Modern cryptography — Curve25519, ChaCha20-Poly1305, Ed25519
  • Forward secrecy — ephemeral ECDH per knock; old captures cannot be decrypted later
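To make the principles above concrete, here is a compact model of one knock in Go. It is an added example, not openme's code or its wire format: the packet layout, the names NewServer, Add, Knock and Open, the 30-second freshness window, HMAC-SHA256 in place of a proper KDF and AES-256-GCM in place of ChaCha20-Poly1305 (so it runs on the standard library alone) are all assumptions made here. It shows the pieces the list names working together: a fresh X25519 ephemeral key per knock agreed against the server's static key, an Ed25519 signature that ties the request to a registered client, the server collapsing every failure into one silent rejection, and a freshness window plus replay cache, which any single-packet protocol needs because a captured valid knock could otherwise simply be resent. One caveat the forward-secrecy bullet implies: with only one packet, only the client side can be ephemeral, so discarding the ephemeral key protects old captures against a later compromise of the client's keys, while the server's static key must stay secret for the same captures to remain unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Illustrative wire format (not openme's): ephPub(32) || AEAD(body || sig(64)), ephPub as associated
// data; body = port(2) || unixSeconds(8) || name; sig = Ed25519 over ephPub || body.
const pubLen, window = 32, 30 * time.Second // window: accepted clock skew, an assumption here

var zeroNonce = make([]byte, 12)             // safe: the AEAD key is single-use per knock
var errReject = errors.New("knock rejected") // one error for every failure: nothing to probe

type Server struct {
	static  *ecdh.PrivateKey             // long-term X25519 key, handed to clients out-of-band
	clients map[string]ed25519.PublicKey // authorized signing keys, by client name
	seen    map[string]bool              // ephemeral keys already accepted (expire after window in practice)
}

type Client struct {
	name      string
	signKey   ed25519.PrivateKey
	serverPub *ecdh.PublicKey
}

func NewServer() (*Server, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Server{static: k, clients: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}, err
}

// Add enrolls a client (the role of `openme add`); the server keeps only the client's public key.
func (s *Server) Add(name string) (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	s.clients[name] = pub
	return &Client{name, priv, s.static.PublicKey()}, err
}

// Per-knock key: HMAC-SHA256 over the ECDH secret and both public keys (a real design would use HKDF),
// returned as AES-256-GCM, which stands in for ChaCha20-Poly1305 to stay inside the standard library.
func knockAEAD(shared, ephPub, serverPub []byte) cipher.AEAD {
	m := hmac.New(sha256.New, shared)
	m.Write(append(append([]byte("example knock key v1"), ephPub...), serverPub...))
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte digest selects AES-256; cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Knock builds one packet. The ephemeral private key never leaves this call, so nothing the client
// keeps can decrypt a captured knock later; only the server's static key can.
func (c *Client) Knock(port uint16, at time.Time) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(c.serverPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	body := binary.BigEndian.AppendUint16(nil, port)
	body = binary.BigEndian.AppendUint64(body, uint64(at.Unix()))
	body = append(body, c.name...)
	sig := ed25519.Sign(c.signKey, append(append([]byte{}, ephPub...), body...))
	return knockAEAD(shared, ephPub, c.serverPub.Bytes()).Seal(append([]byte{}, ephPub...), zeroNonce, append(body, sig...), ephPub), nil
}

// Open validates a knock and reports which client asked for which port; every failure looks the same.
func (s *Server) Open(pkt []byte, now time.Time) (string, uint16, error) {
	if len(pkt) < pubLen {
		return "", 0, errReject
	}
	ephPub, ct := pkt[:pubLen], pkt[pubLen:]
	ephKey, _ := ecdh.X25519().NewPublicKey(ephPub) // cannot fail: the slice is exactly 32 bytes
	shared, err := s.static.ECDH(ephKey)            // fails on low-order points (all-zero secret)
	if err != nil {
		return "", 0, errReject
	}
	pt, err := knockAEAD(shared, ephPub, s.static.PublicKey().Bytes()).Open(nil, zeroNonce, ct, ephPub)
	if err != nil || len(pt) < 10+ed25519.SignatureSize {
		return "", 0, errReject
	}
	body, sig := pt[:len(pt)-ed25519.SignatureSize], pt[len(pt)-ed25519.SignatureSize:]
	port, ts := binary.BigEndian.Uint16(body), time.Unix(int64(binary.BigEndian.Uint64(body[2:])), 0)
	pub, ok := s.clients[string(body[10:])]
	// Unknown client, bad signature, stale timestamp or a replayed ephemeral key: all rejected alike.
	if !ok || !ed25519.Verify(pub, append(append([]byte{}, ephPub...), body...), sig) ||
		now.Sub(ts).Abs() > window || s.seen[string(ephPub)] {
		return "", 0, errReject
	}
	s.seen[string(ephPub)] = true
	return string(body[10:]), port, nil
}
```

In a real daemon the replay cache would be bounded to the freshness window and a successful Open would be followed by inserting the firewall rule; here Open only returns the client name and the port it asked for, which is enough to see why a second copy of the same packet, a packet older than the window, a packet with one flipped byte, or a packet built for a different server's key all fall into the same silent rejection.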