VIGIL MESH

Documentation

Reference: ports and protocols

This page factually lists the network ports and protocols used by VIGIL-MESH. The rule fits in one sentence: an ordinary node opens no inbound port — it only makes outbound connections — while a vigie, which must be reachable to relay and to coordinate NAT traversal, opens three public inbound ports. The transport is QUIC over UDP, encrypted with TLS 1.3, with raw Ed25519 public keys and a hybrid post-quantum key exchange.

Ports by role

The exposure model depends entirely on the role. A node never accepts an inbound connection: it connects out to the vigies and to the controller, then establishes its direct paths through NAT traversal. A vigie, conversely, is a public service reachable from the outside; it is the one that carries the three inbound ports.

RoleInbound portsTraffic direction
NodeNoneOutbound only: the node initiates its connections to the vigies and the controller; no public listener is opened.
Vigieudp/443, udp/4433, tcp/443Inbound: the vigie is a service reachable from the outside to relay encrypted traffic and coordinate NAT traversal.
Inbound port (vigie)Role
udp/443Main QUIC transport for relayed sessions.
udp/4433NAT-traversal coordination (public address mirror, putting nodes in touch with each other).
tcp/443Qualification and reachability of the vigie from the outside.

Protocols and cryptography

A session between two machines is an end-to-end QUIC connection: there is no tunnel layered on top of another tunnel. The table below summarizes the transport and encryption building blocks.

ElementValueDetails
TransportQUIC over UDPTraffic travels over UDP; QUIC provides multiplexing, reliability and session migration.
EncryptionTLS 1.3 onlyNo earlier TLS version is accepted.
ALPNvigil-e2e/1Application protocol identifier negotiated during the handshake.
Peer authenticationRaw Ed25519 public keys (RPK, RFC 7250)No X.509 certificate chain to manage: the raw public key identifies the peer.
Cipher suitesChaCha20-Poly1305 / AES-256-GCMAuthenticated encryption (AEAD).
Key exchangeHybrid X25519 + ML-KEM768The session key depends on both mechanisms at once; it holds as long as either of the two resists — a defense against “harvest now, decrypt later”.

Firewall and opening ports

On the node side, there is no inbound rule to create: allowing outbound traffic is enough (which is the default behavior of most firewalls). No port forwarding or specific NAT configuration is needed for a node.

On the vigie side, open the three public inbound ports (udp/443, udp/4433, tcp/443) on the host firewall and, where applicable, on the upstream gateway. The controller tests these three listeners from the outside before allocating any traffic: a vigie that is only reachable outbound never becomes operational. The step-by-step deployment guide is at /en/docs/vigie-privee.

Read nextReference: CLI and configuration files