Beacon

v0.6.2-vpn-redeploy Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo Server & OS Management

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

home-lab home-lab-dashboard home-security hosting-deployment iot iot-application

+3 more

monitoring monitoring-automation self-hosted

Affected surfaces

auth rbac crypto_tls

Summary

AI summary

Updates 🛠️ What's included, 🧰 Simple setup ```bash, and ✨ Highlights across a mixed release.

Full changelog

🚀 Beacon Release — Peer-to-Peer WireGuard VPN

This release adds WireGuard VPN to Beacon — a peer-to-peer encrypted tunnel between your devices, with zero cloud involvement in the traffic path.

✨ Highlights

🔒 Beacon VPN

Beacon can now set up WireGuard tunnels between your devices. Your traffic flows directly between peers, end-to-end encrypted. BeaconInfra only coordinates key exchange — it never sees your traffic.

Why this exists:

You're on a cafe, hotel, or airport WiFi and don't trust the network — route your traffic through your own home connection instead
You're traveling abroad and want to appear as if you're browsing from home
You want a VPN without paying for a subscription or trusting a third-party provider with your data

No monthly fees. No third-party servers in the middle. Your home internet is your exit node.

🛡️ WireGuard is cryptographically silent

Unlike a typical exposed service, a WireGuard port doesn't respond to anything without valid credentials. Port scanners see it as identical to a closed port. There's no banner, no handshake, no indication anything is listening.

This means forwarding the WireGuard port on your router is dramatically safer than forwarding any application port.

🧰 Simple setup

# Home device (exit node):
sudo setcap cap_net_admin,cap_net_raw+eip $(which beacon)   # one-time
beacon vpn enable
beacon master --foreground

# Laptop (anywhere else):
beacon vpn use my-home-device
beacon master --foreground

# Done — your traffic now routes through home

🏗️ Hardened command dispatch

Remote commands from BeaconInfra (including VPN) now go through defense-in-depth:

Action allowlist — unknown actions rejected
Command deduplication — replayed commands skipped
User-configurable allowlist — restrict what your device accepts remotely via allowed_remote_commands
Registration rollback — if local VPN setup fails after cloud registration, the stale cloud state is automatically cleaned up

📦 Other improvements

beacon projects redeploy <name> — pull latest code and re-run the deploy command
beacon update — self-update with SHA256 verification and proper semver comparison
Auto-init on beacon master — master creates a default config if none exists
Linux capabilities instead of sudo — no more running child processes as root
Removed Kubernetes — observer, templates, and all k8s dependencies dropped (~8MB smaller binary)

🛠️ What's included

WireGuard VPN: beacon vpn enable / use / disable / status
Curve25519 key exchange, AES-GCM encrypted private key storage
VPN status in heartbeat and local dashboard
VPN piggyback commands for remote enable/disable from dashboard
Cloud-side public IP detection from registration request
Proper semver version comparison for beacon update
Cross-filesystem self-update fix
beacon projects redeploy command
40+ new tests across VPN, cloud, dispatcher, and update packages

📋 Current scope & what's next

Phase 1 (this release) requires the exit node to have a port-forwarded UDP port (default 51820). This covers most home setups.

Phase 2 (planned) adds STUN-based NAT traversal — neither side needs a port forward. Beacon will not ship a relay. If hole-punching fails (symmetric NAT), you get a clear error rather than your traffic silently routing through someone else's server.

❤️ Vision

Beacon started as a deployment and monitoring agent for self-hosted infrastructure.

With VPN, it takes a step toward something broader:

A single agent for running, monitoring, and securely connecting your devices — without handing your traffic to a third party.

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.5.2-tunnel-homeassistant...v0.6.1-vpn-wireguard

What's Changed

⭐ Structured logger with per-component prefixes by @Bajusz15 in https://github.com/Bajusz15/beacon/pull/156
Beacon VPN (WireGuard) + self-updater + dispatcher hardening by @Bajusz15 in https://github.com/Bajusz15/beacon/pull/157

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.5.2-tunnel-homeassistant...v0.6.1-vpn-wireguardv0.6.1-vpn-wireguard

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.6.1-vpn-wireguard...v0.6.2-vpn-redeploy

Breaking Changes

Removed all Kubernetes dependencies, reducing binary size (~8MB smaller).

Security Fixes

Hardened command dispatch: action allowlist, deduplication, user‑configurable allowlist, and automatic rollback of stale cloud state after VPN registration failure.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Beacon

Get notified when new releases ship.

About Beacon

All releases →

Related context

Related tools

Earlier breaking changes

v0.6.8-remote-access-pass Renames command `beacon master` to `beacon start`; alias retained for compatibility.
v0.6.6-remote-tty-ha-os-tunnel Renames command `beacon master` to `beacon start`; alias retained for compatibility.