YUME quick start
This path gets a local client and daemon running with the defaults YUME expects in normal operation.
Build
cmake -B build
cmake --build build -j$(nproc)
The build produces:
build/bin/yume: clientbuild/bin/yumed: daemon
Full builds require OpenSSL, Argon2, liboqs, LZMA, Boost, spdlog, and nlohmann-json. Release CI fails if mandatory Argon2 or OQS support is missing.
Create a client key
YUME uses Ed25519 keys for client authentication.
openssl genpkey -algorithm Ed25519 -out ~/.yume/id_ed25519
openssl pkey -in ~/.yume/id_ed25519 -pubout -out ~/.yume/id_ed25519.pub
Install the public key on the server:
sudo install -d -m 0755 /etc/yume
sudo tee -a /etc/yume/authorized_keys < ~/.yume/id_ed25519.pub
Use auth_keys.meta only when a key needs extra permissions such as LAN bridging, admin attach, or exec. A key without a meta entry can connect but does not receive dangerous permissions.
Start the daemon
sudo ./build/bin/yumed \
--listen 443 \
--cert certs/server.crt \
--key certs/server.key \
--auth-keys /etc/yume/authorized_keys \
--real \
--real-index certs/index.html
Port 443 normally requires root or cap_net_bind_service on Linux. Cloudflare HTTP-mode proxies terminate TLS and will break the tunnel; use TCP passthrough if a proxy sits in front of yumed.
Public-facing daemon
For a yumed reachable from the open internet, add --public-node to bundle the hardening preset (rejects --allow-exec, --allow-local-ip, --control-full, --no-inner; requires --auth-keys; defaults the HTTP disguise to nginx):
sudo ./build/bin/yumed \
--listen 443 \
--cert certs/server.crt --key certs/server.key \
--auth-keys /etc/yume/authorized_keys \
--public-node # hardening bundle
--hide-in-the-crowd nginx # implicit under --public-node
A probe (curl https://your-host/) gets a real-looking nginx 404 — header order, charset, body all match upstream nginx’s defaults captured from source. See STEALTH.md § Layer 3 for the full profile list.
Federation cluster
Multiple yumed instances can join one cluster. Bootstrap node:
sudo yumed --listen 443 --cluster-bootstrap \
--federation-auth-key /etc/yume/fed.key \
--federation-anonym-ca /etc/yume/fed-ca.pem \
--auth-keys /etc/yume/authorized_keys --public-node
Joining node (dials out to the bootstrap):
sudo yumed --listen 443 \
--cluster-join alice@bootstrap.example.com:443 \
--federation-auth-key /etc/yume/fed.key \
--federation-anonym-ca /etc/yume/fed-ca.pem \
--auth-keys /etc/yume/authorized_keys --public-node
ASCII view of the cluster from any node: yume-net-map.
Connect a client
SOCKS mode:
./build/bin/yume \
--server example.com \
--auth ~/.yume/id_ed25519 \
--socks 1080
Local forward:
./build/bin/yume \
--server example.com \
--auth ~/.yume/id_ed25519 \
--lport 2222 \
--rhost 127.0.0.1 \
--rport 22
Reverse forward:
./build/bin/yume \
--server example.com \
--auth ~/.yume/id_ed25519 \
-R 7437:127.0.0.1:22
Verify a release binary
sha256sum -c yume-amd64-linux.sha256
md5sum -c yume-amd64-linux.md5
gpg --verify yume-amd64-linux.sig yume-amd64-linux
Signatures are present when the release workflow has GPG signing secrets configured. Hash files and release-manifest.json are always generated by the release workflow.
Production checklist
- Use your own TLS certificate and private key.
- Set
--obfs-secreton both ends when you want strict carrier token pinning. - Use your own PQ key files for inner crypto;
--use-embedded-masteris only for explicit test/dev use. - Keep
YUME_FEATURE_EXEC,YUME_FEATURE_LAN_BRIDGE, andYUME_FEATURE_FULL_CONTROLoff unless that server truly needs them. - Restart
yumedafter changingauthorized_keysorauth_keys.meta.