PharosVPN
§04 · for individuals

one operator · a handful of nodes · same binaries

Your own VPN, in one evening.

You don't need a team, a cluster, or a budget. The --personal preset trims the controller down to one operator, sensible defaults, and a single nearest region. The engine is the engine: the same binaries an enterprise runs.

what you get

A controller on your laptop, a node in the cloud.

  • One controller (helm) running on your laptop, a home server, or a tiny private box — wherever you keep your other things.
  • One or two VPN nodes (buoy) on cloud VMs you create yourself. Any provider; helm doesn't call a cloud API on your behalf.
  • The caravel mobile client on your phone, fed by account sync, a QR code, or a .pharos file. Pick whichever source you prefer; the engine doesn't care.
  • The embedded beacon relay running inside helm, on by default. If your controller can already reach the internet, you don't need a remote relay.

defaults of --personal

What the preset sets for you.

Regions             1, nearest
Idle nodes          none
Protocols           AmneziaWG by default; XRay optional
Relay               embedded in helm
Account sync        on
Admins              one (you)
Audit retention     30 days
Metrics retention   7 days


threat model · be honest

What PharosVPN protects against — and what it doesn't.

It protects

  • Network-level surveillance and DPI on the path between you and your nodes — AmneziaWG and XRay/REALITY are both designed to resist active probing.
  • Compromise of a single VPN node. A breached buoy cannot mint certs, impersonate helm, or read other nodes' configs.
  • Compromise of the relay. A breached remote beacon sees only ciphertext profile bundles and traffic metadata.
  • Loss of the controller. Tunnels keep serving from disk. You can rebuild later from a backup of helm's SQLite + CA.

It doesn't protect

  • Compromise of your laptop while helm is unlocked. The CA key lives there. Treat it like an SSH key.
  • Your cloud provider learning that you run a VPN endpoint. A node on a public IP is, by definition, public.
  • Application-layer fingerprinting. The protocols obfuscate the transport, not the apps you run over it.

one VM, one command

The shortest path.

# on your laptop or a small private box
git clone https://github.com/PharosVPN/helm
cd helm && make
./helm init --personal

# create a VM on any cloud provider, then:
./helm ssh-key                      # prints helm's SSH public key
# add that key to the VM's authorized_keys

./helm nodes add <user>@<vm-address>   # placeholder: the VM's SSH user and address
# helm SSHes in, installs buoy, signs a CSR, starts the service.
# every operation after this is mTLS gRPC — SSH was install-only.

commands are the design target · binaries not yet shipped
