
Vula: automatic local network encryption

Requiring zero configuration, vula automatically encrypts IP communications between hosts on a local area network. The encryption is forward-secret, transitionally post-quantum, and protective against passive eavesdropping.

Vula will additionally protect against interception by active adversaries with the addition of manual key verification and/or automatic key pinning, along with manual resolution of IP or hostname conflicts.

If the local gateway to the internet is a vula peer, internet-destined traffic will also be encrypted on the LAN.

How does it work?

Automatically.

Vula combines WireGuard for forward-secret point-to-point tunnels with mDNS and DNS-SD for local service announcements, and enhances the confidentiality of WireGuard tunnels by using CTIDH implemented by highctidh, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration.
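The pre-shared-key step described above, as an added illustration that is not vula's own code: each peer turns the other's announced public key into the same 32-byte WireGuard `PresharedKey` with no extra round trip. Assumptions: a toy prime-field Diffie-Hellman stands in for CTIDH (it is neither post-quantum nor secure), and the HKDF label, function names and sample address are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Toy stand-in for CTIDH (assumption): classic Diffie-Hellman in a prime field.
# NOT post-quantum and NOT secure; it only shares the non-interactive property:
# a shared secret computed from the peer's announced public key alone.
P = 2**255 - 19
G = 2

def nike_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def nike_shared(my_priv, peer_pub):
    return pow(peer_pub, my_priv, P).to_bytes(32, "big")

def hkdf_sha256(ikm, info, length=32, salt=b""):
    # RFC 5869 extract-then-expand, written out with the standard library.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_psk(my_priv, my_pub, peer_pub):
    # Sort the two public keys so both ends bind the key to identical context;
    # without this, A and B would derive different PSKs and the tunnel would fail.
    lo, hi = sorted((my_pub, peer_pub))
    info = b"example-psk-v1" + lo.to_bytes(32, "big") + hi.to_bytes(32, "big")
    psk = hkdf_sha256(nike_shared(my_priv, peer_pub), info)
    return base64.b64encode(psk).decode()        # WireGuard expects base64 of 32 bytes

def peer_stanza(wg_pubkey, psk, allowed_ip):
    # wg-quick style [Peer] section; AllowedIPs is the peer's existing LAN address.
    return (f"[Peer]\nPublicKey = {wg_pubkey}\n"
            f"PresharedKey = {psk}\nAllowedIPs = {allowed_ip}\n")

if __name__ == "__main__":
    a_priv, a_pub = nike_keypair()               # constructed sample peers
    b_priv, b_pub = nike_keypair()
    psk = derive_psk(a_priv, a_pub, b_pub)
    assert psk == derive_psk(b_priv, b_pub, a_pub)
    print(peer_stanza("<peer WireGuard public key>", psk, "192.168.1.20/32"))
```
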

Vula's advantages over other solutions include:

  • The Vula design avoids single points of failure (SPOFs).
  • Vula uses existing IP addresses inside and outside of tunnels, allowing seamless integration into existing LAN environments using DHCP and/or manual addressing.
  • Vula avoids handshake attempts with non-participating hosts.
  • Vula does not require additional configuration to disrupt passive surveillance adversaries.
  • Vula provides simple verification with QR codes to disrupt active surveillance adversaries.

See Comparison of LAN tunneling tools for a detailed comparison of Vula to related projects.

Current status

Vula is functional today, although with issues documented in STATUS.md. It is ready for daily use by people who are proficient with Linux networking and the command line.

See INSTALL.md for installation and usage instructions.

See hacking.md for tips on opening the hood and dependency information about internal and external Python modules.

Security contact

We consider this project to currently be alpha pre-release, experimental, research-quality code. It is not yet suitable for widespread deployment. It has not yet been audited by an independent third party and should be treated with caution.

If you or someone you know finds a security issue, please open an issue or send an email to security at vula dot link.

Authors

The authors of vula are anonymous for now, while our paper is undergoing peer review.

Acknowledgements

operation-vula.md has some history about the name Vula.

Vula is not associated with or endorsed by the WireGuard project. WireGuard is a registered trademark of Jason A. Donenfeld.

This project is funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more on the NLnet project page.