derptun 0.16.1 → 0.16.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,43 +1,62 @@
1
1
  # derphole
2
2
 
3
- `derphole` is a standalone CLI for session-scoped byte transfer and temporary local TCP service sharing. Use it for one-shot transfers, receive-code flows, and short-lived service sharing.
4
-
5
- [`derptun`](#long-lived-tcp-tunnels) is its companion for long-lived TCP tunnels. Use it when a tunnel needs stable tokens, restartable endpoints, and repeated client reconnects.
6
-
7
- [`derpssh`](#share-a-terminal) is its companion for interactive terminal sharing. Use it when two people need one shared PTY with host approval and no open ports.
8
-
9
- `derphole` supports:
10
-
11
- - raw byte streams with `listen` and `pipe`
12
- - text, file, and directory transfer with `send` and `receive`
13
- - local TCP service sharing with `share` and `open`
14
- - SSH access exchange with `ssh invite` and `ssh accept`
15
-
16
- Both tools use the public Tailscale [DERP](#what-is-derp) relay network for rendezvous and fallback, then promote live traffic to direct encrypted UDP when possible. Payload bytes stay end-to-end encrypted on relay fallback, direct UDP, and authenticated QUIC stream paths; DERP sees routing metadata, not contents. They are **not** affiliated with Tailscale and do **not** use `tailscaled`.
17
-
18
- Neither tool is a WireGuard overlay or VPN. `derphole` handles one token, one session, one transfer or shared service. `derptun` handles one long-lived tunnel. See [Transport Model](#transport-model), [Why It Is Fast](#why-it-is-fast), and [Security Model](#security-model).
19
-
20
- Neither tool requires:
21
-
22
- - a Tailscale account
23
- - a tailnet
24
- - `tailscaled`
25
- - a separate control plane to run yourself
26
-
27
- Session tokens carry authorization. Public sessions fetch the DERP map at runtime so both sides can find relay and bootstrap nodes. See [Security Model](#security-model) for token and relay details.
3
+ `derphole` is a small CLI for the network job that should not require a new
4
+ network: move bytes, expose a local TCP service, or exchange SSH access for one
5
+ short session when neither side has an inbound port to offer.
6
+
7
+ The obvious answer is "use a VPN." Sometimes that is correct. If you need
8
+ stable private IPs, ACLs, subnet routes, exit nodes, and machines that remember
9
+ each other, use a VPN. If you need one transfer, one tunnel, or one shared
10
+ terminal, a VPN is a lot of state for a short conversation.
11
+
12
+ This repo ships three tools:
13
+
14
+ - `derphole` for one-shot files, byte streams, receive-code flows, temporary
15
+ localhost shares, and SSH access exchange.
16
+ - [`derptun`](#tcp-tunnels) for longer-lived TCP tunnels with stable server and
17
+ client tokens.
18
+ - [`derpssh`](#share-a-terminal) for shared terminal sessions with host approval
19
+ and no open ports.
20
+
21
+ The tools use the public Tailscale [DERP](#what-is-derp) relay network for
22
+ rendezvous and fallback, then promote live traffic to direct encrypted UDP when
23
+ possible. Payload bytes stay end-to-end encrypted on relay fallback, direct UDP,
24
+ and authenticated QUIC stream paths. DERP sees routing metadata and packet
25
+ timing, not contents.
26
+
27
+ These tools are **not** affiliated with Tailscale and do **not** use
28
+ `tailscaled`.
29
+
30
+ They are also not a WireGuard overlay or a VPN. `derphole` handles one token,
31
+ one session, one transfer or shared service. `derptun` handles one tunnel with
32
+ reusable scoped tokens. `derpssh` handles one approved PTY session. See
33
+ [Transport Model](#transport-model), [Why It Is Fast](#why-it-is-fast), and
34
+ [Security Model](#security-model).
35
+
36
+ No Tailscale account, tailnet, daemon, or self-hosted control plane is required.
37
+ Session tokens carry authorization. Treat them like passwords with a shorter
38
+ half-life. Public sessions fetch the DERP map at runtime so both sides can find
39
+ relay and bootstrap nodes.
28
40
 
29
41
  ## Pick the Workflow
30
42
 
31
- - Use `listen` and `pipe` for raw byte streams and shell pipelines.
32
- - Use `send` and `receive` for text, files, directories, progress, and receive-code UX.
33
- - Use `share` and `open` for temporary access to a local TCP service.
34
- - Use `ssh invite` and `ssh accept` for SSH public key exchange.
35
- - Use [`derpssh`](#share-a-terminal) for approved terminal sharing.
36
- - Use [`derptun`](#long-lived-tcp-tunnels) for long-lived TCP tunnels with reusable tokens.
43
+ - Use `listen` and `pipe` when you want raw bytes and shell pipelines.
44
+ - Use `send` and `receive` when you want text, files, directories, progress, and
45
+ receive-code UX.
46
+ - Use `share` and `open` when you want temporary access to a local TCP service.
47
+ - Use `ssh invite` and `ssh accept` when you want to exchange SSH access.
48
+ - Use [`derpssh`](#share-a-terminal) when two people need one approved terminal.
49
+ - Use [`derptun`](#tcp-tunnels) when the TCP tunnel needs reusable tokens and
50
+ reconnects.
37
51
 
38
52
  ## Quick Start
39
53
 
40
- `listen` receives bytes and prints a token. `pipe` sends stdin into that token. `share` and `open` do the same for local TCP services. Use [`derptun`](#long-lived-tcp-tunnels) for reusable, longer-lived tunnels.
54
+ `listen` receives bytes and prints a token. `pipe` sends stdin into that token.
55
+ `share` and `open` do the same shape of thing for local TCP services. The trick
56
+ is small on purpose: one token, one capability, one session.
57
+
58
+ Use [`derptun`](#tcp-tunnels) when the tunnel should live longer than a one-off
59
+ share.
41
60
 
42
61
  ### Stream a Raw File
43
62
 
@@ -47,7 +66,8 @@ Receiver:
47
66
  npx -y derphole@latest listen > received.img
48
67
  ```
49
68
 
50
- `listen` prints a token to stderr, keeping stdout clean. Copy the token to the sender.
69
+ `listen` prints a token to stderr, keeping stdout clean. Copy the token to the
70
+ sender.
51
71
 
52
72
  Sender:
53
73
 
@@ -75,7 +95,8 @@ npx -y derphole@latest send ./photo.jpg
75
95
  npx -y derphole@latest receive <code>
76
96
  ```
77
97
 
78
- Known-size files and directories show progress on stderr. Use `--hide-progress` for quiet output.
98
+ Known-size files and directories show progress on stderr. Use `--hide-progress`
99
+ when quiet output matters more than watching the counter move.
79
100
 
80
101
  Text uses the same flow:
81
102
 
@@ -141,47 +162,83 @@ npx -y derpssh@latest share
141
162
  npx -y derpssh@latest connect <invite>
142
163
  ```
143
164
 
144
- The host approves the guest as read-only or read/write. The session uses the derptun transport path, so neither side needs an inbound port.
165
+ The host approves the guest as read-only or read/write. The session uses the
166
+ `derptun` transport path, so neither side needs an inbound port.
167
+
168
+ Optional local lookup keeps the invite behind a service name on the connecting
169
+ machine:
170
+
171
+ ```bash
172
+ npx -y derpssh@latest service set ops-shell <invite>
173
+ npx -y derpssh@latest connect --service ops-shell
174
+ ```
175
+
176
+ The host still approves the guest. The service name only finds the invite; it
177
+ does not bypass approval.
145
178
 
146
- ### Long-Lived TCP Tunnels
179
+ ### TCP Tunnels
147
180
 
148
- `derptun` is the long-lived TCP tunnel companion to `derphole`. It uses stable tokens, survives restarts on either side, and lets one client reconnect many times without opening ports on `vps-server`. It fits SSH well.
181
+ `derptun` exposes a local TCP service without asking either side to open an
182
+ inbound port. Start with a one-off tunnel:
149
183
 
150
- On `vps-server`:
184
+ On the serving machine:
151
185
 
152
186
  ```bash
153
- npx -y derptun@latest token server > server.dts
154
- npx -y derptun@latest token client --token-file server.dts > client.dtc
155
- npx -y derptun@latest serve --token-file server.dts --tcp 127.0.0.1:22
187
+ npx -y derptun@latest serve --tcp 127.0.0.1:3000
156
188
  ```
157
189
 
158
- Copy only `client.dtc` to `alice-laptop`.
190
+ `serve` prints the command for the other side:
159
191
 
160
- On `alice-laptop`:
192
+ ```bash
193
+ npx -y derptun@latest open --token DT1...
194
+ ```
195
+
196
+ Run that command on the connecting machine. It opens a local listener and
197
+ forwards connections through the tunnel.
198
+
199
+ For a persistent tunnel, create both tokens on the serving machine and keep the
200
+ server token there:
161
201
 
162
202
  ```bash
163
- npx -y derptun@latest open --token-file client.dtc --listen 127.0.0.1:2222
164
- ssh -p 2222 user@127.0.0.1
203
+ npx -y derptun@latest token server > server.dts
204
+ npx -y derptun@latest token client --token-file server.dts > client.dt1
205
+ npx -y derptun@latest serve --token-file server.dts --tcp 127.0.0.1:3000
165
206
  ```
166
207
 
167
- For SSH without a separate local listener, use `ProxyCommand`:
208
+ Copy only `client.dt1` to the connecting machine.
209
+
210
+ On the connecting machine:
168
211
 
169
212
  ```bash
170
- ssh -o ProxyCommand='npx -y derptun@latest connect --token-file ./client.dtc --stdio' foo@127.0.0.1
213
+ npx -y derptun@latest open --token-file client.dt1 --listen 127.0.0.1:3001
171
214
  ```
172
215
 
173
- The server token is serving authority. Keep it on the serving machine or in its secret manager. The client token can connect until expiry, but cannot serve or mint tokens.
216
+ The server token is serving authority. Keep it on the serving machine or in a
217
+ secret manager. Client tokens can connect until expiry, but cannot serve or mint
218
+ tokens.
174
219
 
175
- Server tokens default to 180 days. Client tokens default to 90 days and cannot outlive their server token. Set a relative lifetime with `--days`, or use an absolute expiry:
220
+ Server tokens default to 180 days. Client tokens default to 90 days and cannot
221
+ outlive their server token. Set a relative lifetime with `--days`, or use an
222
+ absolute expiry:
176
223
 
177
224
  ```bash
178
225
  npx -y derptun@latest token server --expires 2026-05-01T00:00:00Z > server.dts
179
- npx -y derptun@latest token client --token-file server.dts --expires 2026-04-25T00:00:00Z > client.dtc
226
+ npx -y derptun@latest token client --token-file server.dts --expires 2026-04-25T00:00:00Z > client.dt1
180
227
  ```
181
228
 
182
- Use `--token TOKEN` for inline one-off commands. Prefer `--token-file PATH` for durable tokens. `--token-stdin` reads the token from the first stdin line.
229
+ Use `--token TOKEN` for inline one-off commands. Prefer `--token-file PATH` for
230
+ durable tokens. `--token-stdin` reads the token from the first stdin line.
231
+
232
+ Optional local lookup keeps the client token behind a service name on the
233
+ connecting machine:
234
+
235
+ ```bash
236
+ npx -y derptun@latest service set web --token-file client.dt1
237
+ npx -y derptun@latest open --service web --listen 127.0.0.1:3001
238
+ ```
183
239
 
184
- `derptun` is TCP-only for now. UDP forwarding is planned for use cases like Minecraft Bedrock servers.
240
+ The registry is local name-to-token storage. It is not a hosted control plane,
241
+ and no lookup server is contacted by default.
185
242
 
186
243
  ### Useful Extras
187
244
 
@@ -193,7 +250,9 @@ npx -y derptun@dev version
193
250
  npx -y derpssh@dev version
194
251
  ```
195
252
 
196
- Default output stays quiet: tokens, bind addresses, receive commands, and progress only. Use `--hide-progress` to suppress progress, or `--verbose` to see transitions like `connected-relay` and `connected-direct`:
253
+ Default output stays quiet: tokens, bind addresses, receive commands, and
254
+ progress only. Use `--hide-progress` to suppress progress, or `--verbose` to see
255
+ path changes such as `connected-relay` and `connected-direct`:
197
256
 
198
257
  ```bash
199
258
  npx -y derphole@latest --verbose listen
@@ -201,93 +260,161 @@ npx -y derphole@latest --verbose pipe <token>
201
260
  npx -y derphole@latest --verbose send ./photo.jpg
202
261
  ```
203
262
 
204
- For transport details, see [Transport Model](#transport-model), [Behavior](#behavior), and [Security Model](#security-model).
263
+ For transport details, see [Transport Model](#transport-model),
264
+ [Behavior](#behavior), and [Security Model](#security-model).
205
265
 
206
266
  ## Transport Model
207
267
 
208
- Flow:
268
+ The session flow is deliberately boring. Boring is good here.
209
269
 
210
- 1. `listen`, `share`, or `receive` creates a session and prints an opaque bearer token or receive code.
211
- 2. The token carries session ID, expiry, DERP bootstrap hints, listener public identity, bearer secret, and allowed capability.
212
- 3. `pipe`, `send`, or `open` uses that token to contact the listener through DERP and claim the session.
213
- 4. The listener validates the claim, checks the requested capability, and returns current direct-path candidates.
270
+ 1. `listen`, `share`, or `receive` creates a session and prints an opaque bearer
271
+ token or receive code.
272
+ 2. The token carries session ID, expiry, DERP bootstrap hints, listener public
273
+ identity, bearer secret, and allowed capability.
274
+ 3. `pipe`, `send`, or `open` uses that token to contact the listener through
275
+ DERP and claim the session.
276
+ 4. The listener validates the claim, checks the requested capability, and returns
277
+ current direct-path candidates.
214
278
  5. Both sides start on the first working path, including DERP relay if needed.
215
- 6. Both sides keep probing for a better direct path. Successful direct paths upgrade the live session in place.
279
+ 6. Both sides keep probing for a better direct path. Successful direct paths
280
+ upgrade the live session in place.
216
281
 
217
282
  ### Data Plane Selection
218
283
 
219
- DERP provides **rendezvous** and **relay fallback**. See [What Is DERP?](#what-is-derp):
284
+ DERP provides **rendezvous** and **relay fallback**. See
285
+ [What Is DERP?](#what-is-derp):
220
286
 
221
- - rendezvous: exchange claim, decision, and direct-path coordination messages without an account-backed control plane
222
- - relay fallback: keep the session working when NAT traversal fails or direct connectivity is not ready
287
+ - rendezvous: exchange claim, decision, and direct-path coordination messages
288
+ without an account-backed control plane
289
+ - relay fallback: keep the session working when NAT traversal fails or direct
290
+ connectivity is not ready
223
291
 
224
292
  The data plane is selected per session:
225
293
 
226
- - `share/open` uses multiplexed QUIC streams over `derphole`'s relay/direct UDP transport. One claimed session can carry many TCP connections to the shared service.
227
- - `derptun` uses a stable tunnel token and the same transport for reconnectable TCP streams. It is built for longer-lived access, such as SSH to a host behind NAT.
228
- - `derpssh` uses the derptun app mux for approved terminal streams and side-channel control.
229
- - `listen/pipe` uses a one-shot byte stream. It coordinates through DERP, promotes to rate-adaptive direct UDP when traversal succeeds, and stays on encrypted relay fallback when direct paths fail.
230
- - `send/receive` wraps the same one-shot stream with text, file, directory, and progress metadata.
294
+ - `share/open` uses multiplexed QUIC streams over `derphole`'s relay/direct UDP
295
+ transport. One claimed session can carry many TCP connections to the shared
296
+ service.
297
+ - `derptun` uses a stable tunnel token and the same transport for reconnectable
298
+ TCP streams. It is built for longer-lived access, such as a private service
299
+ behind NAT.
300
+ - `derpssh` uses the `derptun` app mux for approved terminal streams and
301
+ side-channel control.
302
+ - `listen/pipe` uses a one-shot byte stream. It coordinates through DERP,
303
+ promotes to rate-adaptive direct UDP when traversal succeeds, and stays on
304
+ encrypted relay fallback when direct paths fail.
305
+ - `send/receive` wraps the same one-shot stream with text, file, directory, and
306
+ progress metadata.
231
307
 
232
308
  Candidate discovery splits into two phases:
233
309
 
234
- - fast local candidates first: advertise local sockets, interfaces, and cached port mappings immediately
235
- - background traversal discovery: run STUN and UPnP / NAT-PMP / PCP refresh, then send updated candidates and `call-me-maybe` probes
310
+ - fast local candidates first: advertise local sockets, interfaces, and cached
311
+ port mappings immediately
312
+ - background traversal discovery: run STUN and UPnP / NAT-PMP / PCP refresh,
313
+ then send updated candidates and `call-me-maybe` probes
236
314
 
237
315
  This keeps startup latency low while preserving relay-to-direct promotion.
238
316
 
239
317
  ## How This Differs From Tailscale / WireGuard
240
318
 
241
- Tailscale uses WireGuard for a secure general-purpose network: durable machine connectivity, private addresses, ACLs, subnet routing, exit nodes, and long-lived overlays.
319
+ Tailscale uses WireGuard for a secure general-purpose network: durable machine
320
+ connectivity, private addresses, ACLs, subnet routing, exit nodes, and
321
+ long-lived overlays.
322
+
323
+ That is the right tool when you want a network.
242
324
 
243
- `derphole` is narrower. It creates session-scoped transport for one transfer or one shared service:
325
+ `derphole` is narrower. It creates session-scoped transport for one transfer or
326
+ one shared service:
244
327
 
245
328
  - no WireGuard tunnel device
246
329
  - no overlay network interface
247
330
  - no persistent mesh control plane
248
331
  - no need to route arbitrary traffic through a general encrypted network
249
332
 
250
- Instead, `derphole` authorizes one session with a bearer token, uses DERP to connect peers immediately, then promotes onto the best direct path it can establish. See [Transport Model](#transport-model) and [Security Model](#security-model).
333
+ Instead, `derphole` authorizes one session with a bearer token, uses DERP to get
334
+ peers connected immediately, then promotes onto the best direct path it can
335
+ establish. See [Transport Model](#transport-model) and
336
+ [Security Model](#security-model).
251
337
 
252
- For `listen/pipe`, `send/receive`, and `share/open`, this can beat routing the same traffic through a WireGuard-based overlay because `derphole` optimizes one active session. See [Why It Is Fast](#why-it-is-fast).
338
+ For `listen/pipe`, `send/receive`, and `share/open`, this can beat routing the
339
+ same traffic through a WireGuard-based overlay because `derphole` optimizes one
340
+ active session instead of maintaining a whole private network. Not magic. Less
341
+ machinery.
253
342
 
254
343
  ## Why It Is Fast
255
344
 
256
- Performance comes from transport shape:
345
+ Performance comes from the transport shape:
257
346
 
258
347
  - DERP handles rendezvous and fallback, not preferred steady-state data.
259
- - Sessions can start relayed, then promote in place to direct without restarting.
260
- - `listen/pipe` and `send/receive` can scale across direct UDP lanes, run path-rate probes, then use paced sending, adaptive rate control, and targeted replay/repair. Fast links can run near WAN ceiling without forcing slower links into the same send rate.
261
- - Direct UDP payloads use AEAD with a per-session key derived from the bearer secret. Headers stay visible for sequencing and repair; user bytes stay encrypted and authenticated.
262
- - `share/open` keeps QUIC stream multiplexing for service sharing, where many independent TCP streams need one claimed session.
263
- - Candidate discovery starts with local interfaces and cached mappings, then refines in the background with STUN and port mapping refresh.
264
-
265
- Result: move bytes early, keep relay fallback, and shift live sessions to direct paths when ready.
348
+ - Sessions can start relayed, then promote in place to direct without
349
+ restarting.
350
+ - `listen/pipe` and `send/receive` can scale across direct UDP lanes, run
351
+ path-rate probes, then use paced sending, adaptive rate control, and targeted
352
+ replay/repair. Fast links can run near WAN ceiling without forcing slower
353
+ links into the same send rate.
354
+ - Direct UDP payloads use AEAD with a per-session key derived from the bearer
355
+ secret. Headers stay visible for sequencing and repair; user bytes stay
356
+ encrypted and authenticated.
357
+ - `share/open` keeps QUIC stream multiplexing for service sharing, where many
358
+ independent TCP streams need one claimed session.
359
+ - Candidate discovery starts with local interfaces and cached mappings, then
360
+ refines in the background with STUN and port mapping refresh.
361
+
362
+ The practical result: move bytes early, keep relay fallback, and shift live
363
+ sessions to direct paths when ready.
266
364
 
267
365
  ## Security Model
268
366
 
269
- Tokens are **bearer capabilities**. Anyone with a token can claim the matching session or tunnel until expiry, so share tokens over a trusted channel. `derphole` session tokens expire after one hour. `derptun` server tokens default to 180 days and can mint shorter-lived client tokens. Client tokens default to 90 days and cannot serve.
270
-
271
- Payload bytes are always end-to-end encrypted between token holders. Session and tunnel encryption is pinned to token-derived identity, so DERP relays do **not** get keys needed to read or impersonate sessions. DERP can see routing metadata and packet timing, but not plaintext user payload bytes:
272
-
273
- - On `listen/pipe` and `send/receive`, direct UDP and relay fallback both encrypt and authenticate user payloads with session AEAD derived from the bearer secret.
274
- - Relay-prefix startup frames leave frame kind and byte offsets visible for flow control, but encrypt user payload bytes.
275
- - On `share/open`, stream traffic uses authenticated QUIC streams for the claimed session.
276
- - On `derptun`, stream traffic uses authenticated QUIC streams pinned to the stable tunnel identity in the token.
277
- - On `derpssh`, terminal streams use authenticated QUIC streams pinned to the invite identity.
278
-
279
- Simple rule: token possession authorizes the session. Relays move packets; they do not hold decrypt keys for user payloads.
367
+ Tokens are **bearer capabilities**. Anyone with a token can claim the matching
368
+ session or tunnel until expiry, so share tokens over a trusted channel.
369
+
370
+ `derphole` session tokens expire after one hour. `derptun` server tokens default
371
+ to 180 days and can mint shorter-lived client tokens. Client tokens default to
372
+ 90 days and cannot serve.
373
+
374
+ Local service registry entries are bearer secrets because they contain derptun
375
+ client tokens or derpssh invites. Protect the registry file like token files.
376
+ List output redacts token and invite values, and no lookup server is contacted
377
+ by default.
378
+
379
+ Payload bytes are always end-to-end encrypted between token holders. Session and
380
+ tunnel encryption is pinned to token-derived identity, so DERP relays do **not**
381
+ get keys needed to read or impersonate sessions. DERP can see routing metadata
382
+ and packet timing, but not plaintext user payload bytes:
383
+
384
+ - On `listen/pipe` and `send/receive`, direct UDP and relay fallback both encrypt
385
+ and authenticate user payloads with session AEAD derived from the bearer
386
+ secret.
387
+ - Relay-prefix startup frames leave frame kind and byte offsets visible for flow
388
+ control, but encrypt user payload bytes.
389
+ - On `share/open`, stream traffic uses authenticated QUIC streams for the
390
+ claimed session.
391
+ - On `derptun`, stream traffic uses authenticated QUIC streams pinned to the
392
+ stable tunnel identity in the token.
393
+ - On `derpssh`, terminal streams use authenticated QUIC streams pinned to the
394
+ invite identity.
395
+
396
+ Simple rule: token possession authorizes the session. Relays move packets; they
397
+ do not hold decrypt keys for user payloads.
280
398
 
281
399
  ## Behavior
282
400
 
283
- Sessions can start on DERP relay and later promote to direct paths without restarting. By default, CLI output stays minimal. Use `--verbose` for path changes, NAT traversal state, and direct-path tuning.
401
+ Sessions can start on DERP relay and later promote to direct paths without
402
+ restarting. By default, CLI output stays minimal. Use `--verbose` for path
403
+ changes, NAT traversal state, and direct-path tuning.
284
404
 
285
405
  ## Use Cases
286
406
 
407
+ Use this when you need:
408
+
287
409
  - cross-host transfer with no account setup
288
- - NAT-heavy networks where direct connectivity may or may not work
410
+ - useful behavior on NAT-heavy networks where direct connectivity may or may not
411
+ work
289
412
  - quick sharing of local web apps, APIs, and admin interfaces
290
- - `npx` use without manual install
413
+ - `npx` execution without manual install
414
+
415
+ Do not use this as a replacement for a real private network when you actually
416
+ need one. That is how small tools become infrastructure nobody remembers
417
+ owning. Oops.
291
418
 
292
419
  ## Development
293
420
 
@@ -326,13 +453,22 @@ REMOTE_HOST=my-server.example.com mise run promotion-1g
326
453
 
327
454
  ## What Is DERP?
328
455
 
329
- DERP stands for **Designated Encrypted Relay for Packets**. It is a globally reachable relay network that both peers can use when they cannot yet talk directly.
456
+ DERP stands for **Designated Encrypted Relay for Packets**. It is a globally
457
+ reachable relay network that both peers can use when they cannot yet talk
458
+ directly.
330
459
 
331
- DERP was built by Tailscale for the Tailscale networking stack. The public Tailscale-operated DERP network is reachable without running your own relays. Headscale, the open-source Tailscale control server, can also serve DERP maps and DERP servers.
460
+ DERP was built by Tailscale for the Tailscale networking stack. The public
461
+ Tailscale-operated DERP network is reachable without running your own relays.
462
+ Headscale, the open-source Tailscale control server, can also serve DERP maps
463
+ and DERP servers.
332
464
 
333
465
  In `derphole`, DERP has two jobs:
334
466
 
335
- - rendezvous: carry claim, decision, and direct-path coordination messages without a separate account-backed control plane
336
- - fallback relay: carry encrypted session traffic when NAT traversal has not succeeded or direct connectivity is unavailable
467
+ - rendezvous: carry claim, decision, and direct-path coordination messages
468
+ without a separate account-backed control plane
469
+ - fallback relay: carry encrypted session traffic when NAT traversal has not
470
+ succeeded or direct connectivity is unavailable
337
471
 
338
- DERP is not the preferred steady-state path. It starts the session and keeps it working. If direct UDP becomes available, `derphole` promotes the live session. DERP forwards bytes; it does not get session decrypt keys.
472
+ DERP is not the preferred steady-state path. It starts the session and keeps it
473
+ working. If direct UDP becomes available, `derphole` promotes the live session.
474
+ DERP forwards bytes; it does not get session decrypt keys.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "derptun",
3
- "version": "0.16.1",
3
+ "version": "0.16.3",
4
4
  "license": "BSD-3-Clause",
5
5
  "bin": {
6
6
  "derptun": "bin/derptun.js"