The Reliquary
VPN for the hackers and the truly paranoid.

We are a community-driven service for the hackers and the truly paranoid who want to establish multiple peer-to-peer, end-to-end encrypted VPN tunnels between their devices, no matter where they are located, even when both devices are behind NAT.

We provide the encrypted transport, you bring everything else.

+ Getting started

Please refer to our guide on how to get an account and how to get your first two devices connected. Accounts are free and limited to 24 hours. If you like the service, ask us to convert your 24-hour account into an indefinite one.

+ Technology

To provide the encrypted transport we use the fully privilege-separated VPN daemon called sanctum. This daemon was designed from the ground up to separate all important assets using a multi-process approach.

This approach allows sanctum to strongly sandbox and separate its different processes. Because of this, sanctum only runs on POSIX-based platforms such as OpenBSD, Linux and macOS.

The sanctum daemon uses strong symmetric cryptography and has no support for public-key encryption at all. This provides strong post-quantum guarantees for the confidentiality and integrity of your traffic, provided you protect your secrets correctly.

A more detailed cryptographic description can be found in the sanctum repository, in the docs/crypto.md file.

+ The Cathedrals

We use the cathedral mode of sanctum to provide an authenticated relay and a key distribution point. The authenticated relay is used for peer discovery and facilitates the peer-to-peer connections where possible.

As a key distribution point, the cathedral allows you to update the shared secrets for your devices. Note: these are always wrapped with your per-device unique KEK, and we do not see the plaintext keys.

The reliquary provides multiple cathedrals for resilience in the case of an outage or when cathedrals drop offline unexpectedly.

+ The Reliquary

The API we provide (the reliquary) interacts with our cathedrals and allows you to easily manage your devices and wrapped shared secrets using a handful of very simple shell scripts.

You may download the CLI tools here. Extract them somewhere and make sure that directory is in your $PATH.

+ Do you have access to my encrypted traffic?

No.

The authenticated relay (cathedral) does not have the encryption keys and therefore cannot decrypt your traffic.

Here is a list of what we can see (but not read):

Here is what we can actually read:

+ Can I just build this myself?

Sanctum is fully open source and ISC licensed, so yes, you can build and set up something similar to this completely on your own.

+ Who runs this?

Reliquary is run by the creator of sanctum with the help of a few volunteers from across the globe.

The reliquary was started so that he and his Protokol0x41 hacker friends had an easier way of setting up and maintaining multiple sanctum tunnels between their devices.

+ Disclaimer

This is a free-of-charge, community-driven service, with zero warranty. It may shut down at any given point without any prior notice.

We take no responsibility for any data that is transmitted over this service, as we can neither read nor filter said data. When using this service you, as the user, accept that reliquary may not be used for illegal activities or to distribute illegal content, and that you and you alone are responsible for the data you are transmitting.

If one of your devices is behind a NAT type that prevents falling back to peer-to-peer, your traffic will instead be relayed over one of our cathedrals (remember, we cannot read your traffic) and will be capped at 25mbit/sec.

This cap can be increased but only for people who contribute to the project. We are always looking for people who want to donate cathedrals.

+ Contact

You can reach us at help@reliquary.se or find us on Discord.