ANet Launches: Stack for Secure Tunnels Unveiled

The ANet (ANet Secure Transport Protocol) project is developing an alternative stack for building secure tunnels, designed to connect private networks where standard solutions (WireGuard, OpenVPN) cannot be used for one reason or another. The project is positioned not as another fork of WireGuard, but as a “Network of Friends” (Friends-to-Friends VPN) with an emphasis on the principle of “security through obscurity,” the use of proven crypto algorithms, and autonomous operation in “Dead Man’s Hand” mode. ANet uses its own transport protocol, ASTP (ANet Secure Transport Protocol), which provides full end-to-end encryption, is resistant to high packet loss, and is indistinguishable from random UDP traffic. The code is written from scratch in Rust and distributed under the MIT license, but with an explicit ban on forks under the GPL (“Denied Licenses: GPL-2.0, GPL-3.0”).

Main features:

  • Cryptography: ChaCha20/Poly1305 for the stream, X25519 for ephemeral DH, Ed25519 for authentication. No legacy algorithms or “crutches for compatibility with Windows XP.”
  • Transport: a QUIC-like layer on top of UDP, but with its own framing: each packet is wrapped in an encrypted “envelope” with random padding and jitter (from 0 to N nanoseconds), which masks the connection negotiation process as white noise.
  • Distributed architecture: an authorization server (anet-auth) checks the client’s fingerprint (SHA256 of the Ed25519 public key), but the tunnel itself is brought up with a PSK (pre-shared key) obtained through a 4-phase handshake (DH + double ratchet). If the auth server fails, the network continues to operate on preloaded keys (failover to full local mode).
  • Supported platforms: Linux (TUN), Windows (Wintun), macOS (utun), Android (VpnService via JNI). There is a GUI built on egui (Rust-native) and a TUI for headless servers. Binary builds are provided.

Unlike WireGuard, with its recognizable handshake (magic number + Noise Protocol), and OpenVPN, with its characteristic TLS fingerprint, each ASTP packet begins with a random seed (a 12-byte nonce), followed by a ciphertext of variable length with additional padding to the nearest block size (configurable). To an outside observer, the traffic is indistinguishable from random traffic. ANet is presented as an attempt to bring the “physicality” of the floppynet era (an HDD from a friend) back to VPNs, but in digital form: PSK (pre-shared keys), manual route management, and “zero-knowledge proof” via fingerprint.
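The packet layout described above can be checked from the observer's side. The following is an added example, not code from the ANet project: it profiles constructed packets for byte entropy, header entropy and length alignment. The block size of 64, the sample packets, the fixed-header contrast packet and the use of seeded random bytes in place of real ciphertext are all assumptions.

```python
import math
import random
from collections import Counter

NONCE_LEN = 12  # from the article: each packet starts with a 12-byte nonce
BLOCK = 64      # assumption: value chosen here for the configurable block size

def rand_bytes(rng, n):
    # Seeded random bytes stand in for ChaCha20 output (constructed data).
    return rng.getrandbits(8 * n).to_bytes(n, "little")

def entropy(data):
    """Shannon entropy in bits per byte; 8.0 means uniformly random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def astp_like(rng, payload_len):
    """Constructed packet: nonce, then ciphertext padded up to BLOCK."""
    padded = -(-payload_len // BLOCK) * BLOCK  # ceiling to a block multiple
    return rand_bytes(rng, NONCE_LEN + padded)

def fixed_header(rng):
    """Constructed contrast: 4 constant header bytes, then random bytes."""
    return b"\x01\x00\x00\x00" + rand_bytes(rng, 144)

def profile(packets):
    """Features a passive observer can measure without any keys."""
    head = b"".join(p[:4] for p in packets)
    aligned = sum((len(p) - NONCE_LEN) % BLOCK == 0 for p in packets)
    return {
        "payload_entropy": entropy(b"".join(packets)),
        "header_entropy": entropy(head),
        "distinct_sizes": len({len(p) for p in packets}),
        "block_aligned": aligned / len(packets),
    }

rng = random.Random(2024)  # fixed seed keeps the sample set reproducible
astp = profile([astp_like(rng, rng.randint(1, 1400)) for _ in range(500)])
magic = profile([fixed_header(rng) for _ in range(500)])

if __name__ == "__main__":
    print("ASTP-like   :", astp)
    print("fixed header:", magic)
```

On this constructed set the bytes measure as uniform from the first offset, while the packet lengths fall on at most 22 block-aligned sizes, which is the feature to examine when choosing the padding setting.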
