What is Sanctum?
Sanctum is a small, reviewable, capable, PQ-secure and fully privilege-separated VPN daemon and protocol, designed to run under OpenBSD, Linux and macOS.
Sanctum is designed from the ground up with security in mind and will always be open and free, licensed under the ISC license.
Its privilege separation design, combined with strong modern sandboxing, guarantees that all of its important assets are kept separate from the processes that talk to the internet or handle non-cryptographic work.
Sanctum allows you to create different topologies, from traditional site-to-site L2/L3 tunnels, to more niche topologies such as one-way tunnels, full-mesh L2/L3 and even P2P tunnels between devices behind NAT using hole-punching and Sanctum's cathedrals for peer discovery.
A community-driven cathedral network exists that lets you test different setups or even use it freely; see The Reliquary.
Multi-process
Sanctum is built using a multi-process approach in which each process does only one thing. This allows for more fine-grained sandboxing of permissions and allowed system calls.
Packets flow between these processes in a well-defined manner, so a packet cannot move straight from the red (plaintext) side to the black (ciphertext) side, or back, without passing through the encryption process.
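To make the multi-process idea concrete, here is an added illustration (not Sanctum's own code, whose processes, IPC and cryptosystem differ): three forked stages, red, crypto and black, joined by pipes. Right after fork each stage closes every descriptor it was not assigned, so the red stage holds no descriptor that reaches the black side and the only path for a packet is red, then crypto, then black. The `seal`/`unseal` routines, the key, the pipe names and the packet contents are all constructed for this example; `seal` is a toy encrypt-then-MAC stand-in, not the real cryptosystem.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo key: a real VPN derives traffic keys from its key
# exchange, which this illustration does not model.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Four pipes join the parent and the three stages; each has a read (_r) and
# a write (_w) end. The names are this example's own, not Sanctum's.
PIPE_NAMES = ("red_in", "red_to_crypto", "crypto_to_black", "black_out")
ALL_FD_NAMES = tuple(f"{p}_{end}" for p in PIPE_NAMES for end in ("r", "w"))

# The (read end, write end) each stage is allowed to keep after fork.
# Note that the red stage never holds a descriptor that reaches black.
STAGE_IO = {
    "red":    ("red_in_r", "red_to_crypto_w"),
    "crypto": ("red_to_crypto_r", "crypto_to_black_w"),
    "black":  ("crypto_to_black_r", "black_out_w"),
}


def seal(key, counter, plaintext):
    """Toy encrypt-then-MAC stand-in: SHAKE-256 keystream XOR, then an
    HMAC-SHA256 tag over nonce || ciphertext."""
    nonce = struct.pack(">Q", counter)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, frame):
    """Verify the tag first, then decrypt; return None on a bad tag."""
    nonce, ct, tag = frame[:8], frame[8:-32], frame[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def _readn(fd, n):
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            return None  # EOF: every writer has closed its end
        buf += chunk
    return buf


def read_frame(fd):
    """Length-prefixed framing over a pipe: 4-byte big-endian length, body."""
    hdr = _readn(fd, 4)
    return None if hdr is None else _readn(fd, struct.unpack(">I", hdr)[0])


def write_frame(fd, data):
    os.write(fd, struct.pack(">I", len(data)) + data)


def stage_fds(role, fds):
    """The descriptors a stage keeps; everything else is closed at once."""
    rd, wr = STAGE_IO[role]
    return {rd: fds[rd], wr: fds[wr]}


def run_stage(role, fds, key):
    kept = stage_fds(role, fds)
    for name, fd in fds.items():
        if name not in kept:
            os.close(fd)  # drop what this stage has no business holding
    rd, wr = (kept[n] for n in STAGE_IO[role])
    counter = 0
    while (pkt := read_frame(rd)) is not None:
        if role == "crypto":
            pkt = seal(key, counter, pkt)
            counter += 1
        write_frame(wr, pkt)
    os.close(rd)
    os.close(wr)
    os._exit(0)


def run_pipeline(packets, key=DEMO_KEY):
    """Fork the three stages, feed packets in at the red side and return
    the frames that emerge at the black side, in order."""
    fds = {}
    for name in PIPE_NAMES:
        fds[f"{name}_r"], fds[f"{name}_w"] = os.pipe()
    pids = []
    for role in STAGE_IO:
        pid = os.fork()
        if pid == 0:
            try:
                run_stage(role, fds, key)
            finally:
                os._exit(1)  # only reached if the stage raised
        pids.append(pid)
    # The parent keeps just the two ends it owns: red input, black output.
    for name, fd in fds.items():
        if name not in ("red_in_w", "black_out_r"):
            os.close(fd)
    for pkt in packets:
        write_frame(fds["red_in_w"], pkt)
    os.close(fds["red_in_w"])  # EOF ripples red -> crypto -> black
    out = []
    while (frame := read_frame(fds["black_out_r"])) is not None:
        out.append(frame)
    os.close(fds["black_out_r"])
    for pid in pids:
        os.waitpid(pid, 0)
    return out


if __name__ == "__main__":
    for frame in run_pipeline([b"constructed packet 1", b"constructed packet 2"]):
        print(frame.hex(), "->", unseal(DEMO_KEY, frame))
```

The enforcement here is purely which descriptors survive in each process: since the red stage has already closed the black-side pipe ends, no bug in the red stage can write plaintext towards the network. A real daemon layers sandboxing such as pledge/unveil or seccomp on top of this so the kernel also refuses the system calls a stage does not need.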
Encryption
See our cryptography page for a detailed description of the cryptosystem in Sanctum.
Why would I want to use this?
Well, you don't have to. I built Sanctum for me and my hacker friends with over a decade of experience I have building this type of stuff at very high assurance levels. There are plenty of alternatives out there.
None of them have cool mythology nor provide you with the same type of post-quantum security or privilege separation as Sanctum does though.
Another benefit is the ability to set up your own entire cathedral network, allowing you to build a distributed infrastructure so your devices can always discover and talk to each other no matter what.
Talks
Source?
Latest release: sanctum 0.9.36
A mirror of the repository is available on github.
A library that implements the Sanctum protocol can be found here.
I want to contribute!
Mail diffs to joris snabel-a sanctorum punkt se
