A self-hostable, open-source, dual-protocol VPN fleet platform.
Run your own VPN — for yourself, your family, or a whole organization.
Named for the Lighthouse of Alexandria — a trusted beacon that guided travellers safely past hazards. PharosVPN does the same for network traffic: a guide, not a wall.
A private controller drives a fleet of public VPN nodes over outbound mTLS, optionally hides itself behind relays, and serves end-users native clients. The control plane has no inbound ports and assumes it will be attacked; the nodes act only on cryptographically validated instructions and keep carrying traffic even if the controller goes away.
The controller stays up and continuously keeps the fleet correct: it reconciles every node on an interval and heals drift and stalled data planes, pushes config to the affected nodes when a profile or device changes, and re-reconciles after a restart. It also runs the management plane — a token-authenticated API, a hash-chained audit log, live session monitoring over a gRPC stream with persisted history, a session-history anomaly engine (leaked-profile, impossible-travel, and more), and a self-hosted dashboard for all of it.
Each user has devices, and each device holds named profiles — pick where you exit (a single node, or a multi-hop cascade entry → mid → exit) and how you get there: AmneziaWG (obfuscated WireGuard), XRay (VLESS + REALITY), or both, chosen at connect.
| Repo | Role |
|---|---|
| coxswain | Controller / management plane — always-on reconcile + auto-provision, seals per-device profiles, scoped API tokens, hash-chained audit log, live monitoring + anomaly alerts, dashboard |
| node | VPN node agent — the data plane (AmneziaWG + XRay/REALITY), including multi-hop cascades |
| relay | Control-plane relay — fixed egress hops that hide the controller's origin |

| Repo | Role |
|---|---|
| caravel | Shared client core (Go) — profile parsing, account sync, the tunnel engine |
| caravel-mac | macOS app |
| caravel-linux | Linux desktop app (Wails) — AppImage, x86_64 + aarch64 |
| caravel-ios | iOS app |
| caravel-android | Android app |
| caravel-opnsense | OPNsense plugin — client mode shipped; server mode planned |
| caravel-openwrt | OpenWRT package — client mode shipped; server mode planned |

| Repo | Role |
|---|---|
| docs | Platform design, the sync / profile contracts, and build conventions |

First public builds — v0.1.0, pre-alpha. You connect them to your own
controller; there are no PharosVPN servers.

| Platform | Build | Get it |
|---|---|---|
| macOS | Signed + notarized .dmg (Developer ID — opens cleanly) | caravel-mac releases |
| Linux | .AppImage — x86_64 + aarch64 | caravel-linux releases |
| Android | Debug .apk (sideload; not Play-signed) | caravel-android releases |
| iOS | TestFlight — coming | — |

Every repo carries a VERSION file and ships under semantic-version git tags
(vX.Y.Z); scripts/bump-version.sh walks you through a patch/minor/major bump.
- Self-hostable first. Your controller, your nodes, your keys — no PharosVPN servers in the path.
- Unlinkability as posture. The controller hides behind relays; per-server keys, endpoint-pool rotation, and onion routing aim to keep a node from tracing back to the controller or to other nodes. Shown as guidance, not enforced for you.
- Always-on, hideable controller. It stays up to continuously keep the fleet correct and healthy, dials out with zero inbound ports, and hides behind relays — and the data plane keeps running if it's briefly down.
- End-to-end sealed profiles. The controller only ever stores ciphertext; profiles are decrypted on your device.
Every PharosVPN repo is Apache-2.0. Use it, run it, fork it, build on it. Contributions are accepted under the DCO; no CLA.