PharosVPN
PharosVPN · v0 · pre-alpha · AGPL-3.0

Personal VPN.
Enterprise VPN.
The same VPN.

One operator with a handful of nodes. A team running many users across many regions. They get the same binaries from the same code under the same licence. The difference is one flag at first run — not a tier, not a SKU, not a paywall.

Read the design → Install github ↗
data plane
AmneziaWG · XRay/REALITY
port
443 (UDP+TCP)
controller
zero inbound ports
licence
AGPL-3.0-or-later

§01 · the platform in one paragraph

PharosVPN is a self-hostable, open-source, dual-protocol (AmneziaWG + XRay / REALITY) VPN fleet platform. A private controller — helm — drives a fleet of dumb public VPN nodes — buoy — over outbound mTLS, exposes end-users through an optional relay — beacon — and serves them a mobile client — caravel. One codebase, two postures: personal and enterprise.

02

four roles · one fleet

helm · buoy · beacon · caravel

The controller stays hidden behind NAT and dials out to everything. Nodes are deliberately dumb. The relay is the only public ingress for clients.

read about each component →

PharosVPN — three node roles plus clients helm sits in private space behind NAT. It dials outbound mTLS to each public buoy node, and a reverse tunnel out to a public beacon relay. Clients reach the controller only through the beacon. PRIVATE NETWORK · BEHIND NAT · ZERO INBOUND PORTS helm controller · CA · admin UI SOURCE OF TRUTH PUBLIC INTERNET buoy · node A awg udp 443 xray tcp 443 buoy · node B awg udp 443 xray tcp 443 buoy · node N awg udp 443 xray tcp 443 beacon relay · public CLIENT INGRESS caravel mobile client END USER END-USER TUNNELS · UDP/TCP 443 helm-initiated outbound mTLS tunnel / client connection private boundary
fig. 1 · roles & topology — helm dials out to everything
“Dumb nodes. A compromised VPN node must not yield control of the fleet.”

— DESIGN.md, §1 goals

03

presets · not products

Same engine. Different defaults.

helm init --personal and helm init --enterprise only swap defaults. Nothing on this table is locked behind an edition.

full comparison →

--personal --enterprise
Regions1, nearestoperator picks
Idle nodesnonepre-positioned
Adminsone (the operator)core + UI-added others
Audit retention30 days1 year
MDM-managed clientsoffsupported
Priceyour cloud billyour cloud bill
04

the thirty-minute promise

Self-hostable in under thirty minutes.

Clone the repo, run helm init, point it at any cloud VM you own. The controller stays on your laptop or a tiny private box; only the VPN nodes live in public. No vendor account, no lock-in beyond whichever cloud you happen to be paying. 

# personal preset — one operator, one or two nodes
git clone https://github.com/PharosVPN/helm
cd helm && make
./helm init --personal
./helm nodes add user@my-vm.example.net
pre-release · commands are the design target

install guide →

§05 · read the design

The architecture earns the trust.

Four trust boundaries, one CA, end-to-end-encrypted profiles, a controller that holds no usable user secrets. The design document is the single source of truth — every subproject defers to it.

Read the design → Full design doc