YUME carries TCP and UDP through real TLS 1.3 sessions shaped like ordinary browser HTTPS. It layers a Chrome-style HTTP/2 carrier handshake, a real HTML facade for browser probes, hybrid ML-KEM-768 + AES-GCM inner crypto, and optional live key hopping into one buildable client and daemon pair.
yume client and yumed daemon
Every target publishes both the client and daemon where that build is available. Hashes and optional detached signatures are listed on the hashes page.
Dynamic and static Linux builds for common x86_64 hosts.
Builds for small boards and ARM servers using the same release pipeline.
Router and minimal userspace builds, including static BusyBox variants.
arm64 binaries for client and daemon. Intel users can build from source.
Tarballs include the executable and runtime DLLs needed beside it.
The release workflow builds from this repository with a pinned BaseFWX commit, required Argon2/OQS guards, and post-build binary inspection before upload.
The release workflow publishes a machine-readable manifest plus per-artifact SHA256 and MD5 files. If GPG signing secrets are configured, detached signatures are uploaded and verified before release publication.
Use the per-artifact .sha256 files or the aggregate SHA256SUMS.txt release asset.
When signing keys are configured in CI, release assets include .sig sidecars.
release-manifest.json records component, OS, arch, size, SHA256, MD5, and signature sidecar names.
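A sketch of the checksum step described above, as an added example that is not code from the YUME project. It assumes SHA256SUMS.txt and the .sha256 files use the GNU sha256sum line format; the artifact name is hypothetical and the sample files are constructed.

```python
import hashlib, hmac, re, tempfile
from pathlib import Path

# Assumed GNU sha256sum line format: "<64 hex>  <name>" or "<64 hex> *<name>".
LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sums(text):
    """Map artifact name -> lowercase digest; refuse malformed or conflicting lines."""
    sums = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = m.group(1).lower(), Path(m.group(2)).name
        if sums.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name}")
    return sums

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_artifact(artifact, sums_file, sidecar=None):
    """True only if the file matches every digest source supplied; fails closed."""
    artifact = Path(artifact)
    expected = [parse_sums(Path(sums_file).read_text()).get(artifact.name)]
    if sidecar is not None:
        # A .sha256 sidecar may hold a bare digest or a full sha256sum line.
        parts = Path(sidecar).read_text().split()
        expected.append(parts[0].lower() if parts else None)
    if None in expected:
        return False  # artifact not listed, or empty sidecar
    actual = sha256_file(artifact)
    return all(hmac.compare_digest(actual, e) for e in expected)

def demo():
    """Constructed sample: a fake tarball, then the same file after tampering."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d, "yume-example.tar.gz")  # hypothetical artifact name
        art.write_bytes(b"constructed sample payload")
        good = hashlib.sha256(art.read_bytes()).hexdigest()
        sums, side = Path(d, "SHA256SUMS.txt"), Path(d, art.name + ".sha256")
        sums.write_text(f"{good}  {art.name}\n")
        side.write_text(good + "\n")
        before = verify_artifact(art, sums, side)
        art.write_bytes(b"constructed sample payload, modified")
        return before, verify_artifact(art, sums, side)
```

A matching digest only shows the file agrees with the published list; where .sig sidecars are present, the detached signature is what ties the artifact to the signing key.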
If the release workflow is configured with a VirusTotal API key, the latest scan report appears here and links to the official file report pages.
YUME keeps the normal path small: build, authorize a key, start the daemon, connect a client. The dangerous controls stay behind compile-time, runtime, and per-key gates.
Full builds require BaseFWX, Argon2, OQS, OpenSSL, and LZMA. Minimal builds keep the router path small.
authorized_keys controls who can connect. auth_keys.meta controls what each key can do.
yumed can share port 443 with a real HTML facade while YUME clients use the HTTP/2 carrier.
Clients use SOCKS, local forward, reverse forward, or command wrapping depending on the job.
```sh
cmake -B build
cmake --build build -j$(nproc)
sudo ./build/bin/yumed --listen 443 --cert certs/server.crt --key certs/server.key --auth-keys /etc/yume/authorized_keys --real --real-index certs/index.html
./build/bin/yume --server example.com --auth ~/.yume/id_ed25519 --socks 1080
```
FixCraft plans to run public yumed endpoints that use the same daemon release published here. Hostnames, public keys, and fingerprints will be published before the fleet goes live.
Bring your own Ed25519 key. Endpoint policy will be published with the same auth-key fingerprint format used by the daemon.
Endpoints run release builds from this tree so operators and users can audit the exact code path.
A normal browser sees a normal page on the same hostname and port that YUME clients tunnel through.
YUME's row is based on the live measurement documented in the performance page. Other rows are conservative and intentionally avoid provider-specific claims.
| | YUME | WireGuard | OpenVPN | Tor bridges | Shadowsocks |
|---|---|---|---|---|---|
| Hybrid post-quantum | ML-KEM-768 | no | no | no | no |
| Live key hopping | 1-4 Hz | no | no | no | no |
| Looks like HTTPS to DPI | browser TLS + H2 carrier | UDP signature | protocol signature | obfs4 bridge | random prefix |
| Embedded hardware | yes | yes | yes | partial | yes |
| Steady-state overhead | < 1% typical | near zero | a few percent | high | low |
| License | GPL-v3 | GPL-v2 | GPL-v2 | BSD-3 | Apache-2 |
Build, authorize keys, start yumed, and connect with SOCKS or forwarding.
TLS profiles, HTTP/2 carrier handshake, and real-page facade limits.
Authorized keys, per-key metadata, and the three-layer dangerous-feature gate.
Release verification, public endpoint policy, service deployment, and troubleshooting.
Measured overhead and fair comparisons against the relay path.
Full project overview, config snippets, and mode examples.