The Reliquary
VPN for the hackers and the truly paranoid.
We are an invitation-only service for the hackers and the truly paranoid who want to establish multiple peer-to-peer and end-to-end encrypted VPN tunnels between their devices.
We only provide the end-to-end encrypted transport between your devices; you bring everything else yourself.
+ How do I get invited?
Mail apply@reliquary.se and we can have a conversation. Once you have an account key, you can follow the guide.
+ Tech
To provide the encrypted transport we use the fully privilege-separated VPN daemon called sanctum. This daemon was designed from the ground up to separate all important assets using a multi-process approach.
This approach allows sanctum to strongly sandbox and separate its different processes. Because of this, sanctum only runs on POSIX-based platforms such as OpenBSD, Linux and also macOS.
The sanctum daemon uses strong symmetric cryptography and has no support for public-key encryption at all, which provides strong post-quantum guarantees for the confidentiality and integrity of your traffic, provided you protect your secrets correctly.
A cryptographic description can be found in the sanctum repository under docs/crypto.md.
+ The Cathedral
We use the cathedral mode of sanctum to provide an authenticated relay and a key distribution point. The authenticated relay is used for peer discovery and will facilitate the peer-to-peer connections if possible.
As a key distribution point, the cathedral allows you to update the shared secrets for your devices. Note: these are always wrapped with your per-device unique KEK, so we never see the plaintext keys.
+ The Reliquary
The API we provide (the reliquary) interacts with our cathedrals and allows you to easily manage your devices and wrapped shared secrets using a handful of very simple shell scripts.
You may download the management scripts here. Extract them somewhere and make sure that directory is in your $PATH.
+ Do you have access to my encrypted traffic?
Nope, the authenticated relay (cathedral) does not have the encryption keys to be able to decrypt your traffic.
Here is what we can see:
Here is what we can read:
+ Can I host this myself?
Sanctum is fully open source and ISC licensed, so yes, you can set up something similar to this completely on your own.
+ Who runs this?
Reliquary is run by the creator of sanctum together with some Protokol0x41 hackers.
The reliquary was started so that he and his hacker buddies had an easier way of setting up and maintaining multiple sanctum tunnels between their devices.
+ Disclaimers
This is a community-driven service and comes with zero warranty. It may be shut down at any given point without any prior notice.
If one of your devices is behind a NAT type that prevents hole-punching, so that peer-to-peer does not work, your traffic will instead be relayed over our cathedral (remember, we cannot read your traffic) and will be capped at 25 Mbit/sec.
This cap can be increased but only for people who contribute to the project.