Sanctum: A Secure and Auditable VPN Daemon
2025-05-04
Sanctum is a small, reviewable, capable, pq-safe, and fully privilege-separated VPN daemon for OpenBSD, Linux, and macOS. Its privilege separation design ensures that critical assets are isolated from processes interacting with the internet or handling non-cryptographic tasks. Sanctum also offers peer-to-peer tunnels that traverse NAT, enabling direct device communication without needing to open firewall ports or configure forwarding rules. The system uses multiple processes, each sandboxed and running as a separate user for enhanced security. Sanctum supports various ciphers and uses a hybrid key exchange for post-quantum security.
Development
Post-Quantum Cryptography