@@ -19,6 +19,7 @@ Rust-powered WebSocket server with Python API for remote command execution and i
1919- ** Command Execution** - Run shell commands on remote machines with timeout control
2020- ** Interactive Sessions** - Full PTY sessions with bash for manual work
2121- ** File Transfer** - Upload/download files between controller and workers
22+ - ** Tunnel Mode (VPN)** - Secure mesh networking with WireGuard encryption via Tailscale
2223- ** High Performance** - Rust async runtime handles high-concurrency workloads
2324- ** Auto Reconnection** - Workers reconnect automatically on network failures
2425- ** Cross-Platform** - Linux, macOS, Windows support
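Review bot: the new Tunnel Mode bullet says the mesh is "via Tailscale", but the example later in this README configures `server = "http://headscale:8080"`; state which coordination server is supported (Tailscale, Headscale, or either) so readers do not assume a Tailscale account is required. The same bullet is also the natural place to say that direct mode carries commands over plain `ws://`, since this is the line a reader compares against when choosing a mode.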
@@ -46,8 +47,8 @@ Rust-powered WebSocket server with Python API for remote command execution and i
4647│ └────────────────────────────────────┘ │
4748└──────────────────────────────────────────┘
4849 ▲
49- │ WebSocket (WSS)
50- │ (Daemon initiates connection )
50+ │ WebSocket
51+ │ (ws:// in direct mode, encrypted via VPN in tunnel mode )
5152 │
5253 ┌─────────┼─────────┐
5354 │ │ │
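Review bot: dropping "(Daemon initiates connection)" loses the diagram's only statement of connection direction, which matters for firewall rules and for understanding why workers need no inbound port; keep it next to the new label. The new label also documents direct mode as unencrypted `ws://`; mark it as development-only here, because the Security section that said so is removed further down in this same change.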
@@ -132,16 +133,19 @@ sandd --server-url ws://10.200.0.1:8765/ws \
132133
133134### Tunnel Mode (Production)
134135
135- For secure multi-cloud deployments with mesh VPN:
136+ For secure multi-cloud deployments with mesh VPN (no TLS setup needed) :
136137
137138``` python
138- from sandd import Server
139+ from sandd import Server, TunnelConfig
139140
140141config = TunnelConfig(
141142 authkey = " YOUR_KEY" ,
142143 server = " http://headscale:8080" ,
143144)
144- server = Server(connect = " tunnel" , tunnel_config = config) # Secure tunnel mode
145+ server = Server(connect = " tunnel" , tunnel_config = config)
146+ # ✓ Encrypted with WireGuard (no TLS needed)
147+ # ✓ Works across NAT/firewalls
148+ # ✓ No public IPs required
145149```
146150
147151See [ Tunnel Mode Guide] ( ./docs/TUNNEL.md ) for setup instructions.
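Review bot: "(no TLS setup needed)" and the `# ✓ Encrypted with WireGuard (no TLS needed)` comment overstate what the tunnel provides. WireGuard encrypts node-to-node traffic, but the control-plane URL in the same snippet is `server = "http://headscale:8080"`, plain HTTP, and the `authkey` is presented to that endpoint. Use `https://` for the coordination server in the example and read the key from the environment rather than a literal in the README, or at minimum note that the VPN encrypts the data path only, not the enrollment step.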
@@ -154,20 +158,8 @@ See [Tunnel Mode Guide](./docs/TUNNEL.md) for setup instructions.
154158- [ Development Guide] ( ./docs/DEVELOP.md )
155159- [ Examples] ( ./examples )
156160
157- ## Security
158-
159- ⚠️ ** Add security layers for production use:**
160-
161- - Use ` wss:// ` (TLS) instead of plain ` ws:// `
162- - Add authentication (tokens, mTLS)
163- - Run workers in containers
164- - Validate commands before execution
165- - Audit log all commands
166-
167161## Roadmap
168162
169- - [ ] ** Authentication** - Token-based auth for daemon connections
170- - [ ] ** TLS Support** - Built-in WSS with certificate management
171163- [ ] ** Audit Logging** - Track all commands, sessions, and file transfers
172164- [ ] ** Metrics** - Prometheus-compatible metrics for monitoring
173165- [ ] ** Resource Limits** - CPU/memory/timeout controls per daemon
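Review bot: deleting the whole Security section removes advice that still applies. Of its five bullets only `wss://` is addressed by tunnel mode; authentication, containerized workers, command validation and audit logging are unaffected, and direct mode still runs over plain `ws://` according to the updated diagram. Keep the section and rephrase the first bullet as "use tunnel mode or `wss://` instead of plain `ws://`". Likewise, removing the **Authentication** roadmap item implies the tunnel solves it, but VPN membership only gates network reachability; any node on the mesh can still reach the server, so per-daemon authentication remains open. The **TLS Support** item can go only if direct mode is documented as unsupported for production.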