Shireguard

Get Started

Install Shireguard and join your private network

Install via Homebrew

Requires macOS with Homebrew installed.

brew install doppiscantsleep/shireguard/shireguard

Opens your browser for Sign in with Apple, Google, or GitHub. Returns to the terminal when done.

shireguard login

Generates a WireGuard key pair and assigns this machine an IP on your private network.

shireguard register-device

Start the tunnel

Connects to your network. Run this on every machine — they'll find each other automatically.

shireguard up

Install via the installer script

Supports amd64 and arm64 (including Raspberry Pi). Downloads the latest release, installs to /usr/local/bin, and sets the required capability.

curl -sSL https://shireguard.com/install.sh | bash

The installer requires curl, tar, and libcap2-bin. On Debian/Ubuntu: sudo apt install curl tar libcap2-bin

Opens your browser for Sign in with Apple, Google, or GitHub. Returns to the terminal when done.

shireguard login

Generates a WireGuard key pair and assigns this machine an IP on your private network.

shireguard register-device

Start the tunnel

Connects to your network. Run this on every machine — they'll find each other automatically.

shireguard up

Devices

Manage registered devices in your network

Name	Platform	IP Address	Status	Last Seen	Version

⌂

No devices registered yet

Networks

Virtual networks connecting your devices

◇

No networks found

Users

Members across your networks

Network

Members

◇

No members yet

◇

Select a network to view its members

Gatekeeper

Network access control between peers

Network

Default Policy read only

Unmatched traffic

Presets

Rules

Action

Protocol

Source

Destination

Ports

Description

No rules — all traffic follows the default policy above

Unsaved changes

⚔

Select a network to manage its access policy

Metrics

Connection quality and performance data

Network

Peer Connections

Device	Quality	Latency	Jitter	Loss	Type

∿

No metrics data available

Account

Your Shire settings and linked sign-in providers

Profile

Email —

Member since —

Sign-in Providers

Apple —

Google —

GitHub —

API Keys

Manage programmatic access to your account

Name	Prefix	Created	Last Used	Expires

⚿

No API keys created

Activity

Audit log of account and network events

When	Who	Action	Detail

No activity recorded yet

Billing

Plans and pricing

Questions? Email hello@shireguard.com

How It Works

A complete technical reference for every layer of Shireguard

Shireguard is a private mesh VPN built on WireGuard. When you run shireguard up, your device creates an encrypted tunnel directly to every other device in your network — or, when a direct path is blocked by NAT, via a relay server. The control plane (this dashboard) manages identities, device registration, and peer discovery. Nothing in the data path touches Cloudflare or the relay unless it has to.

🔐 WireGuard — The Tunnel Protocol Layer 3 / UDP

WireGuard is a modern VPN protocol designed to be simpler, faster, and more auditable than IPsec or OpenVPN. It operates at Layer 3 (network layer), wrapping IP packets inside encrypted UDP datagrams. There is no TCP, no handshake overhead at the transport layer — every WireGuard packet is a self-contained, authenticated UDP frame.

Plaintext IP packet

→

WireGuard (encrypt + auth)

→

UDP datagram

→

Internet

→

UDP datagram

→

WireGuard (verify + decrypt)

→

Plaintext IP packet

Handshake (key exchange)

Noise Protocol IKpsk2 pattern using Curve25519 ECDH. Each device holds a 32-byte private key and publishes a corresponding public key. A handshake derives session keys; it completes in a single round-trip.

Data encryption

ChaCha20-Poly1305 AEAD. Fast on any CPU — no AES-NI required. Every packet is encrypted with a unique nonce, preventing replay attacks. The Poly1305 tag authenticates the entire datagram.

Hashing & identity

BLAKE2s for hashing and key derivation. SipHash-2-4 for hashtable protection inside the implementation. Public keys are the identity — there are no usernames or passwords inside WireGuard itself.

Session management

Sessions are fully stateless from the network's point of view. A peer is allowed through if — and only if — it possesses the correct private key. Silence is authentication: peers with wrong keys receive no response whatsoever.

Why UDP? TCP connections carry retransmission and ordering state. If you tunnel TCP-over-TCP and either layer drops a packet, you get a "TCP meltdown" where both layers fight over retransmission. UDP avoids this entirely. Applications running inside the tunnel use their own TCP/UDP as normal — WireGuard's UDP is just the carrier.

Userspace WireGuard: Shireguard uses wireguard-go, a pure Go implementation. On macOS it creates a utun interface assigned by the kernel (e.g. utun8). On Linux it creates a tun device and requires cap_net_admin (set via setcap — no root needed at runtime).

🪪 Authentication — Who Are You? OAuth 2.0 / JWT

Shireguard uses federated identity — no passwords are stored. You prove who you are to Apple, Google, or GitHub, and they vouch for you to the control plane. The control plane then issues its own short-lived JWT access token that clients present on every API call.

Browser login flow (web dashboard)

Browser → /v1/auth/apple

→

Redirect to provider

→

User consents

→

Provider → /callback

→

JWT written to localStorage

→

Dashboard loads

CLI login flow (polling)

shireguard login

→

Generate session ID

→

Open browser

→

OAuth completes

→

Tokens stored in KV

→

CLI polls /poll every 2s

→

Tokens returned to CLI

Why polling? Apple Sign-In uses response_mode=form_post, meaning the callback arrives as an HTTP POST. Browsers block HTTPS→HTTP redirects (localhost), so the usual "open a local callback server" trick doesn't work. Polling a shared KV key avoids that restriction entirely — the browser never needs to reach back to the CLI process.

Access token

HS256 JWT, signed with JWT_SECRET. Contains sub (user ID), email, iat, exp. Expires in 15 minutes. Algorithm is validated on verify — no alg:none attacks.

Refresh token

32 bytes of CSPRNG output, hex-encoded. Stored in Cloudflare KV with a 7-day TTL. On use, exchanges for a new access token. Rate-limited to 10 requests/minute per IP to prevent brute-force.

Apple id_token

RS256 JWT. Verified against Apple's JWKS endpoint. Claims checked: iss = appleid.apple.com, aud = service ID, exp > now. Apple sends user info (email) only on first login via form_post.

Google / GitHub tokens

Google: RS256 id_token, verified against JWKS. Issuer is either accounts.google.com or https://accounts.google.com. GitHub: no id_token — exchanges code for access token, then calls api.github.com/user directly.

Rate limiting is applied to all auth endpoints using a fixed-window counter stored in Cloudflare KV. Keys are epoch-scoped — rl:<action>:<ip>:<epoch> — so counters naturally expire without a separate cleanup pass. Every key is written with a TTL of 2× the window size.

☁️ Control Plane — Cloudflare Workers Edge / Serverless

The control plane runs on Cloudflare Workers — a V8 isolate runtime that executes at Cloudflare's edge (200+ locations). There are no traditional servers. Requests are handled by the nearest PoP, cold-start time is measured in milliseconds, and there is no infrastructure to manage.

Cloudflare D1 (SQLite)

Persistent relational data: users, devices, networks, api_keys, peer_metrics. D1 is a globally-distributed SQLite-compatible database available directly inside the Worker runtime via a typed API.

Cloudflare KV

Ephemeral key-value data: refresh tokens (7-day TTL), CLI session tokens (5-min TTL), OAuth state parameters (10-min TTL), rate-limit counters (2× window TTL). KV is eventually consistent with typical read-after-write latency under 100 ms within a region.

Durable Objects (signaling)

SignalingRoom is a Durable Object that holds a WebSocket connection per device. When a device connects, the DO broadcasts its endpoint and public key to all other peers in the same network — enabling real-time peer discovery without polling D1.

Hono framework

All routing is handled by Hono, a TypeScript-native, zero-dependency framework built for edge runtimes. Routes live under /v1/auth, /v1/devices, /v1/networks, /v1/metrics, and /v1/relays.

Table	What it stores	Key fields
users	One row per account. Identity linked from OAuth providers.	id, email, apple_sub, google_sub, github_id
devices	Every registered machine — its WireGuard public key and assigned IP.	id, user_id, network_id, public_key, assigned_ip, endpoint, last_seen_at
networks	Private networks (default: one per user, CIDR 100.65.0.0/16).	id, user_id, name, cidr
api_keys	Programmatic access credentials. Key is stored as SHA-256 hash only.	key_hash, prefix, expires_at, last_used_at
peer_metrics	Latency, jitter, packet loss, connection type per device-pair.	device_id, peer_device_id, latency_ms, connection_type

🖥️ Client Daemon — Go + wireguard-go macOS · Linux

The shireguard binary is a Go application that manages the local WireGuard interface and maintains a live connection to the control plane. It runs in the foreground (shireguard up) and exits cleanly on interrupt, tearing down the TUN interface.

shireguard up

→

Load saved credentials

→

Create TUN device (utun / tun)

→

Fetch device + peers from API

→

Configure WireGuard interface

→

WebSocket signaling

→

Tunnel running

Key storage

A Curve25519 key pair is generated on first register-device and saved to ~/.config/shireguard/privatekey. The public key is uploaded to the control plane. The private key never leaves the device.

IP assignment

The control plane assigns an IP from the network CIDR (100.65.0.0/16). Addresses are sequential starting at .1. The client adds a /32 route for each peer so only VPN-destined traffic enters the tunnel — not all internet traffic.

Endpoint discovery

On startup the client fetches its own public IP via the control plane heartbeat endpoint. This external endpoint is advertised to peers via the signaling channel. WireGuard then attempts to reach the peer directly at that IP + port.

Heartbeat

Every 60 seconds the daemon posts to POST /v1/devices/:id/heartbeat with its current external endpoint. This keeps last_seen_at fresh and updates the endpoint if the device's public IP has changed (roaming).

TUN vs TAP: Shireguard uses a TUN (tunnel) device, not TAP. TUN operates at Layer 3 — it carries IP packets only. TAP operates at Layer 2 and carries Ethernet frames. WireGuard is a Layer 3 protocol so a TUN device is the correct fit; it also has significantly less overhead because there are no MAC address lookups or ARP broadcasts.

📡 Peer Discovery — WebSocket Signaling Durable Objects / WebSocket

WireGuard itself has no built-in discovery mechanism — you must tell it where each peer is. Shireguard solves this with a real-time WebSocket signaling channel backed by a Cloudflare Durable Object (a single-instance actor with strong consistency).

Device A connects

→

WS → SignalingRoom DO

→

Broadcasts A's pubkey + endpoint to all peers

→

Device B updates its WG config

→

WireGuard handshake begins

One Durable Object instance exists per network ID. All devices in a network share the same DO instance, so messages delivered there are immediately visible to all connected peers. When a new device joins, it receives the current state of all existing peers in its first message.

Fallback: If the WebSocket connection drops, the client reconnects with exponential backoff. If signaling is unavailable entirely, the tunnel continues to function using the last-known peer endpoints cached in the local WireGuard configuration — peers just won't discover each other's new endpoints until signaling recovers.

🔀 NAT Traversal & Relay Fallback UDP Hole Punching / AWS Relay

Most devices sit behind NAT (Network Address Translation) — their router rewrites the source IP and port on outbound packets and maps inbound packets back. This works fine for outbound connections, but two NATted devices cannot directly reach each other without help.

Direct path — UDP hole punching

Device A (NAT A)

→

Sends UDP to B's external endpoint

→

NAT A opens a mapping for B's IP:port

→

B sends UDP to A's external endpoint simultaneously

→

Both NATs now have mappings → packets flow directly

WireGuard's built-in keepalive packets (sent every ~25 s by default) maintain these NAT mappings. As long as at least one side sends traffic regularly, the mapping stays open and the direct tunnel survives indefinitely.

Relay path — when direct fails

Some NAT implementations (symmetric NAT, carrier-grade NAT) assign a different external port for each destination, making hole punching unreliable. In those cases Shireguard falls back to a relay server hosted on AWS Lightsail.

Device A

→

UDP keepalive → Relay

→

Relay registers A's external IP:port in a slot

same for B →

Relay forwards A's packets to B's slot

→

Device B

Relay architecture

A single Go UDP server listens on port 51821. Each device registers via HTTP on port 8080 and receives a slot assignment. The relay forwards raw UDP datagrams between the two slots — it sees only ciphertext and never decrypts anything.

Local proxy (home device)

The device with the lower WireGuard IP (the "home" side) runs a local UDP proxy on 127.0.0.1:<random>. WireGuard sends to this proxy; the proxy forwards via a single persistent socket to the relay. This ensures keepalives and WireGuard data share one NAT mapping.

Why one socket matters

Without the proxy, keepalives and WireGuard data would use different sockets — creating two separate NAT mappings. The relay would see keepalives from one port and WireGuard packets from another, and route them incorrectly. The single-socket proxy eliminates this split.

Protocol: always WireGuard

Whether the path is direct or relayed, the payload is identical encrypted WireGuard traffic. The relay changes the transport path only — encryption, authentication, and peer identity remain fully intact. The relay cannot read or modify any payload.

The Metrics page shows whether each peer pair is using a direct or relay connection. Direct is always preferred; relay is a transparent fallback that activates automatically.

🗺️ Putting It All Together Full Stack

Layer	Technology	Purpose	Protocol
Identity	Apple / Google / GitHub OAuth 2.0	Prove who you are without passwords	HTTPS / RS256 JWT
Session	HS256 JWT + Cloudflare KV refresh token	Short-lived access, long-lived refresh	HTTPS Bearer
Control plane	Cloudflare Workers + D1 + Hono	Device registry, peer list, metrics	HTTPS / REST
Signaling	Cloudflare Durable Object WebSocket	Real-time peer endpoint exchange	WSS
Tunnel (direct)	WireGuard / wireguard-go	Encrypted peer-to-peer data plane	UDP (port 51820)
Tunnel (relay)	Go UDP relay on AWS Lightsail	NAT traversal fallback	UDP (port 51821)
TUN device	utun (macOS) / tun (Linux)	Inject/extract packets from the OS network stack	IP (Layer 3)
Distribution	Homebrew tap / install.sh	Install the client binary	HTTPS

Data privacy: The control plane sees metadata only (device names, public keys, endpoints, metrics). It never sees plaintext traffic between your devices. The relay sees only encrypted WireGuard ciphertext. Your actual data travels peer-to-peer, encrypted end-to-end with keys that only your devices hold.

About

Concerning Shireguard and the Free Folk of the network

Concerning Shireguard

"Even the smallest device can change the course of the network."

In an age when the roads of the internet are watched by unseen eyes and every packet that travels in the open may be read by strangers, the free folk of the network sought a better way.

Shireguard weaves secret tunnels — WireGuard pathways sealed with cryptographic keys that only trusted devices may hold — so that your machines may speak freely across any distance, as if gathered around the same hearth in Bag End.

🔑

Encrypted Paths

Every packet is wrapped in ciphers that not even the Nine Riders of the Network could unravel. Your traffic passes unseen through the lands of a hostile internet.

🌿

Direct Connections

Your devices find each other across the wild — through firewalls, across NAT, over mountain passes — without passing word through any great tower or dark cloud.

🏡

Always the Shire

No matter how far your Fellowship roams, they share a single private realm: 100.65.0.0/16. From Minas Tirith to the Prancing Pony, every device knows its way home.