Documentation
Reference: ports and protocols
This page factually lists the network ports and protocols used by VIGIL-MESH. The rule fits in one sentence: an ordinary node opens no inbound port — it only makes outbound connections — while a vigie, which must be reachable to relay and to coordinate NAT traversal, opens three public inbound ports. The transport is QUIC over UDP, encrypted with TLS 1.3, with raw Ed25519 public keys and a hybrid post-quantum key exchange.
Ports by role
The exposure model depends entirely on the role. A node never accepts an inbound connection: it connects out to the vigies and to the controller, then establishes its direct paths through NAT traversal. A vigie, conversely, is a public service reachable from the outside; it is the one that carries the three inbound ports.
| Role | Inbound ports | Traffic direction |
|---|---|---|
| Node | None | Outbound only: the node initiates its connections to the vigies and the controller; no public listener is opened. |
| Vigie | udp/443, udp/4433, tcp/443 | Inbound: the vigie is a service reachable from the outside to relay encrypted traffic and coordinate NAT traversal. |
| Inbound port (vigie) | Role |
|---|---|
| udp/443 | Main QUIC transport for relayed sessions. |
| udp/4433 | NAT-traversal coordination (public address mirror, putting nodes in touch with each other). |
| tcp/443 | Qualification and reachability of the vigie from the outside. |
Protocols and cryptography
A session between two machines is an end-to-end QUIC connection: there is no tunnel layered on top of another tunnel. The table below summarizes the transport and encryption building blocks.
| Element | Value | Details |
|---|---|---|
| Transport | QUIC over UDP | Traffic travels over UDP; QUIC provides multiplexing, reliability and session migration. |
| Encryption | TLS 1.3 only | No earlier TLS version is accepted. |
| ALPN | vigil-e2e/1 | Application protocol identifier negotiated during the handshake. |
| Peer authentication | Raw Ed25519 public keys (RPK, RFC 7250) | No X.509 certificate chain to manage: the raw public key identifies the peer. |
| Cipher suites | ChaCha20-Poly1305 / AES-256-GCM | Authenticated encryption (AEAD). |
| Key exchange | Hybrid X25519 + ML-KEM768 | The session key depends on both mechanisms at once; it holds as long as either of the two resists — a defense against “harvest now, decrypt later”. |
Firewall and opening ports
On the node side, there is no inbound rule to create: allowing outbound traffic is enough (which is the default behavior of most firewalls). No port forwarding or specific NAT configuration is needed for a node.
On the vigie side, open the three public inbound ports (udp/443, udp/4433, tcp/443) on the host firewall and, where applicable, on the upstream gateway. The controller tests these three listeners from the outside before allocating any traffic: a vigie that is only reachable outbound never becomes operational. The step-by-step deployment guide is at /en/docs/vigie-privee.