FixCraft YUME stealth transport

YUME quick start

This path gets a local client and daemon running with the defaults YUME expects in normal operation.

Build

cmake -B build
cmake --build build -j$(nproc)

The build produces:

Full builds require OpenSSL, Argon2, liboqs, LZMA, Boost, spdlog, and nlohmann-json. Release CI fails if mandatory Argon2 or OQS support is missing.

Create a client key

YUME uses Ed25519 keys for client authentication.

install -d -m 0700 ~/.yume
openssl genpkey -algorithm Ed25519 -out ~/.yume/id_ed25519
openssl pkey -in ~/.yume/id_ed25519 -pubout -out ~/.yume/id_ed25519.pub

Install the public key on the server:

sudo install -d -m 0755 /etc/yume
sudo tee -a /etc/yume/authorized_keys < ~/.yume/id_ed25519.pub

Use auth_keys.meta only when a key needs extra permissions such as LAN bridging, admin attach, or exec. A key without a meta entry can connect but does not receive dangerous permissions.

Start the daemon

sudo ./build/bin/yumed \
  --listen 443 \
  --cert certs/server.crt \
  --key certs/server.key \
  --auth-keys /etc/yume/authorized_keys \
  --real \
  --real-index certs/index.html

Port 443 normally requires root or cap_net_bind_service on Linux. Cloudflare HTTP-mode proxies terminate TLS and will break the tunnel; use TCP passthrough if a proxy sits in front of yumed.

Connect a client

SOCKS mode:

./build/bin/yume \
  --server example.com \
  --auth ~/.yume/id_ed25519 \
  --socks 1080

Local forward:

./build/bin/yume \
  --server example.com \
  --auth ~/.yume/id_ed25519 \
  --lport 2222 \
  --rhost 127.0.0.1 \
  --rport 22

Reverse forward:

./build/bin/yume \
  --server example.com \
  --auth ~/.yume/id_ed25519 \
  -R 7437:127.0.0.1:22

Verify a release binary

sha256sum -c yume-amd64-linux.sha256
md5sum -c yume-amd64-linux.md5
gpg --verify yume-amd64-linux.sig yume-amd64-linux

Signatures are present when the release workflow has GPG signing secrets configured. Hash files and release-manifest.json are always generated by the release workflow.
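
Because a release may ship without a signature, a wrapper can keep "hash matched" apart from "signature verified". The function below is an added example, not part of YUME or its release tooling. Its name, return codes and optional signer-fingerprint argument are assumptions, and it assumes the .sha256 file holds the digest in its first field, as sha256sum output does.

```shell
#!/bin/sh
# verify_release ARTIFACT [SIGNER_FPR]   (hypothetical helper for this example)
# Return codes chosen for this example:
#   0  SHA-256 matches and the GPG signature verifies
#   1  missing input, hash mismatch, or bad/unexpected signature
#   2  SHA-256 matches but no .sig exists (integrity only, no authenticity)
verify_release() {
    artifact=$1
    signer=${2:-}   # optional: expected signing-key fingerprint, uppercase hex

    [ -f "$artifact" ] && [ -f "$artifact.sha256" ] || return 1

    # Hash this exact file and compare it with the published digest.
    # `sha256sum -c` checks only the file names listed inside the .sha256
    # file, so it cannot show by itself that this artifact was covered.
    want=$(awk 'NR==1 {print tolower($1)}' "$artifact.sha256")
    got=$(sha256sum < "$artifact" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$got" ] || return 1

    # No signature published: the hash shows only that the download is
    # intact, not who produced it. Report that state separately.
    [ -f "$artifact.sig" ] || return 2

    # gpg exits non-zero on a bad signature or an unknown key.
    status=$(gpg --batch --status-fd 1 --verify "$artifact.sig" "$artifact" \
             2>/dev/null) || return 1

    # Optionally pin the signer: a good signature from some other key in
    # the local keyring is rejected.
    if [ -n "$signer" ]; then
        case "$status" in
            *"[GNUPG:] VALIDSIG $signer "*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# Run as: sh verify_release.sh yume-amd64-linux [FINGERPRINT]
if [ "$#" -ge 1 ]; then verify_release "$@"; fi
```

Treat return code 2 as a policy decision: a deployment that requires signed releases rejects it the same way as 1.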

Production checklist