Built for engineers who care about the details

Auditable crypto, open-source daemon, no forced relay.

Noise IK encryption

Ed25519 identity keys establish trust on first contact. X25519 ephemeral keys negotiate each session for forward secrecy. ChaCha20-Poly1305 encrypts every packet on the data plane.

The coordination server only ever sees public keys and IP addresses — it is structurally incapable of performing a man-in-the-middle attack because it never touches session key material.

Protocol: Noise_IK_25519_ChaChaPoly_BLAKE2s
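
The following is an added example, not Veld's own code. It follows the Noise specification's initialization rules for the protocol name above to show how the IK pattern binds the responder's static public key into the handshake hash before any message is sent. The sample keys are constructed and the empty prologue is an assumption.

```python
import hashlib
from typing import NamedTuple, Tuple

PROTOCOL_NAME = b"Noise_IK_25519_ChaChaPoly_BLAKE2s"  # as stated on the page
HASHLEN = 32  # BLAKE2s digest length in bytes

class NoiseName(NamedTuple):
    pattern: str
    dh: str
    cipher: str
    hash_fn: str

def parse_protocol_name(name: bytes) -> NoiseName:
    """Split a Noise protocol name into its four negotiated primitives."""
    prefix, pattern, dh, cipher, hash_fn = name.decode("ascii").split("_")
    if prefix != "Noise":
        raise ValueError("not a Noise protocol name")
    return NoiseName(pattern, dh, cipher, hash_fn)

def blake2s(data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=HASHLEN).digest()

def initialize_symmetric(name: bytes) -> Tuple[bytes, bytes]:
    """Noise InitializeSymmetric: pad short names, hash long ones; ck = h."""
    h = name.ljust(HASHLEN, b"\x00") if len(name) <= HASHLEN else blake2s(name)
    return h, h

def mix_hash(h: bytes, data: bytes) -> bytes:
    # Noise MixHash: h = HASH(h || data)
    return blake2s(h + data)

def ik_initial_hash(responder_static_pub: bytes, prologue: bytes = b"") -> bytes:
    """Handshake hash after the IK pre-message ("<- s") has been mixed in."""
    if len(responder_static_pub) != 32:
        raise ValueError("X25519 public keys are 32 bytes")
    h, _ck = initialize_symmetric(PROTOCOL_NAME)
    h = mix_hash(h, prologue)  # empty prologue is an assumption
    return mix_hash(h, responder_static_pub)

# Constructed sample values, not real key material.
GENUINE_PEER_KEY = bytes(range(32))
SUBSTITUTED_KEY = bytes(range(1, 33))
# h is the associated data for every AEAD operation in the handshake, so an
# initiator given a different key than the responder holds cannot complete it.
```

Comparing `ik_initial_hash(GENUINE_PEER_KEY)` with `ik_initial_hash(SUBSTITUTED_KEY)` shows the two transcripts diverge from the first step, which is why the public key a peer receives for its counterpart must be the one that counterpart actually holds.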

NAT traversal

UDP hole-punching succeeds for roughly 85% of real-world NAT configurations, covering symmetric NAT, full-cone NAT, and port-restricted NAT.

For the remaining 15%, Veld relays traffic through a mesh peer — never through the coord server. Your data stays off our infrastructure.

No coord-server relay. Ever.

Subnet routing

Advertise a LAN prefix from a single gateway machine. All peers on the network gain access to that subnet automatically — no configuration changes on the LAN devices.

Perfect for the IoT gateway pattern: install Veld on a Raspberry Pi, advertise 192.168.1.0/24, and reach every device on that segment from anywhere.

Available on Teams and above.

Self-hosting

The CE coordination server is released under BSL (Business Source License), which converts to Apache 2.0 four years after each release. Run it anywhere — bare metal, VPS, or Kubernetes.

Single static binary with embedded SQLite. Docker image available. OpenWrt packages built for MIPS and ARMv6. The daemon is MIT licensed — fork it, audit it, embed it.

docker run veld/coord