🚀 Beacon Release — Peer-to-Peer WireGuard VPN

This release adds WireGuard VPN to Beacon — a peer-to-peer encrypted tunnel between your devices, with zero cloud involvement in the traffic path.

✨ Highlights

🔒 Beacon VPN

Beacon can now set up WireGuard tunnels between your devices. Your traffic flows directly between peers, end-to-end encrypted. BeaconInfra only coordinates key exchange — it never sees your traffic.

Why this exists:

• You're on a cafe, hotel, or airport WiFi and don't trust the network — route your traffic through your own home connection instead
• You're traveling abroad and want to appear as if you're browsing from home
• You want a VPN without paying for a subscription or trusting a third-party provider with your data

No monthly fees. No third-party servers in the middle. Your home internet is your exit node.

🛡️ WireGuard is cryptographically silent

Unlike a typical exposed service, a WireGuard port doesn't respond to anything without valid credentials. Port scanners see it as identical to a closed port. There's no banner, no handshake, no indication anything is listening.

This means forwarding the WireGuard port on your router is dramatically safer than forwarding any application port.

🧰 Simple setup

# Home device (exit node):
sudo setcap cap_net_admin,cap_net_raw+eip $(which beacon)   # one-time
beacon vpn enable
beacon master --foreground

# Laptop (anywhere else):
beacon vpn use my-home-device
beacon master --foreground

# Done — your traffic now routes through home

🏗️ Hardened command dispatch

Remote commands from BeaconInfra (including VPN) now go through defense-in-depth:

• Action allowlist — unknown actions rejected
• Command deduplication — replayed commands skipped
• User-configurable allowlist — restrict what your device accepts remotely via allowed_remote_commands
• Registration rollback — if local VPN setup fails after cloud registration, the stale cloud state is automatically cleaned up

📦 Other improvements

• beacon projects redeploy <name> — pull latest code and re-run the deploy command
• beacon update — self-update with SHA256 verification and proper semver comparison
• Auto-init on beacon master — master creates a default config if none exists
• Linux capabilities instead of sudo — no more running child processes as root
• Removed Kubernetes — observer, templates, and all k8s dependencies dropped (~8MB smaller binary)

🛠️ What's included

• WireGuard VPN: beacon vpn enable / use / disable / status
• Curve25519 key exchange, AES-GCM encrypted private key storage
• VPN status in heartbeat and local dashboard
• VPN piggyback commands for remote enable/disable from dashboard
• Cloud-side public IP detection from registration request
• Proper semver version comparison for beacon update
• Cross-filesystem self-update fix
• beacon projects redeploy command
• 40+ new tests across VPN, cloud, dispatcher, and update packages

📋 Current scope & what's next

Phase 1 (this release) requires the exit node to have a port-forwarded UDP port (default 51820). This covers most home setups.

Phase 2 (planned) adds STUN-based NAT traversal — neither side needs a port forward. Beacon will not ship a relay. If hole-punching fails (symmetric NAT), you get a clear error rather than your traffic silently routing through someone else's server.

❤️ Vision

Beacon started as a deployment and monitoring agent for self-hosted infrastructure.

With VPN, it takes a step toward something broader:

A single agent for running, monitoring, and securely connecting your devices — without handing your traffic to a third party.

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.5.2-tunnel-homeassistant...v0.6.1-vpn-wireguard

What's Changed

• ⭐ Structured logger with per-component prefixes by @Bajusz15 in https://github.com/Bajusz15/beacon/pull/156
• Beacon VPN (WireGuard) + self-updater + dispatcher hardening by @Bajusz15 in https://github.com/Bajusz15/beacon/pull/157

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.5.2-tunnel-homeassistant...v0.6.1-vpn-wireguard