kaya-go/README.md

# Kaya

[![Build status](https://github.com/yggdrasil-network/yggdrasil-go/actions/workflows/ci.yml/badge.svg)](https://github.com/yggdrasil-network/yggdrasil-go/actions/workflows/ci.yml)

## Introduction

Kaya is an early-stage implementation of a fully end-to-end encrypted IPv6
network. It is lightweight, self-arranging, supported on multiple platforms and
allows pretty much any IPv6-capable application to communicate securely with
other Kaya nodes. Kaya does not require you to have IPv6 Internet
connectivity - it also works over IPv4.

## Supported Platforms

Kaya works on a number of platforms, including Linux, macOS, Ubiquiti
EdgeRouter, VyOS, Windows, FreeBSD, OpenBSD and OpenWrt.

Please see our [Installation](https://yggdrasil-network.github.io/installation.html)
page for more information. You may also find other platform-specific wrappers, scripts
or tools in the `contrib` folder.

## Building

If you want to build from source, as opposed to installing one of the pre-built
packages:

1. Install [Go](https://golang.org) (requires Go 1.22 or later)
2. Clone this repository
2. Run `./build`

Note that you can cross-compile for other platforms and architectures by
specifying the `GOOS` and `GOARCH` environment variables, e.g. `GOOS=windows
./build` or `GOOS=linux GOARCH=mipsle ./build`.

## Running

### Generate configuration

To generate static configuration, either generate a HJSON file (human-friendly,
complete with comments):

```
./kaya -genconf > /path/to/kaya.conf
```

... or generate a plain JSON file (which is easy to manipulate
programmatically):

```
./kaya -genconf -json > /path/to/kaya.conf
```

You will need to edit the `kaya.conf` file to add or remove peers, modify
other configuration such as listen addresses or multicast addresses, etc.

### Run Kaya

To run with the generated static configuration:

```
./kaya -useconffile /path/to/kaya.conf
```

To run in auto-configuration mode (which will use sane defaults and random keys
at each startup, instead of using a static configuration file):

```
./kaya -autoconf
```

You will likely need to run Kaya as a privileged user or under `sudo`,
unless you have permission to create TUN/TAP adapters. On Linux this can be done
by giving the Kaya binary the `CAP_NET_ADMIN` capability.

## Documentation

Documentation is available [on our website](https://yggdrasil-network.github.io).

- [Installing Kaya](https://yggdrasil-network.github.io/installation.html)
- [Configuring Kaya](https://yggdrasil-network.github.io/configuration.html)
- [Frequently asked questions](https://yggdrasil-network.github.io/faq.html)
- [Version changelog](CHANGELOG.md)

## Extended Features in This Repository

This repository includes a substantial set of enhancements on top of the baseline Kaya behavior, focused on performance, operability, observability, and operator UX.

### 1) Operator Dashboard (Built-in HTTP UI)

A built-in web dashboard is available directly from the daemon to monitor and manage node state.

- **Live runtime telemetry** for:
  - node/self identity and routing metadata,
  - peer links and per-peer health,
  - session/flow activity,
  - path and tree information.
- **Peer control actions** from the UI (e.g. disconnect/traffic control via the daemon APIs).
- **Optional authentication** for the private dashboard listener.
- **Public read-only dashboard mode** (`--public-interface`) for safe external observability exposure.
- **Real-time bandwidth visualization** and rate rendering in human units (Mbit/s), including directional indicators.
- **Responsive, overflow-safe layout** so long URIs/IP addresses remain contained and readable.

### 2) Runtime Control and Safety Hardening

The runtime now provides stronger operator controls for CPU/thread behavior and process hardening:

- `--threads` controls scheduler parallelism (`GOMAXPROCS`) explicitly.
- `--max-threads` provides an additional hard cap for runtime OS threads.
- `--sandbox` enables Linux hardening measures early in runtime startup:
  - no-new-privileges,
  - non-dumpable process mode,
  - core-dump suppression.

These options are intended for predictable behavior on constrained systems and for hardened production deployments.

### 3) Colorized, High-Signal Terminal Logging

Interactive stdout logs are rendered with contextual colorization to improve readability and triage speed:

- different color classes for errors, warnings, link lifecycle, addressing/interface messages, and sandbox messages,
- improved per-line rendering for TTY operation,
- better at-a-glance operator diagnostics during startup and runtime events.

### 4) Admin API Extensions for Traffic Control

The admin control surface includes enhanced peer traffic operations:

- **`setPeerTraffic` support** to toggle whether traffic is routed via specific peers,
- stricter boolean parsing/validation in control requests,
- integration with dashboard and CLI control workflows.

### 5) `kayactl` UX and Topology Visibility Improvements

CLI output and control ergonomics were expanded:

- improved peer listing with a direct **Remote** endpoint/host view,
- significantly clearer tree/topology presentation with hierarchical formatting,
- tighter integration with peer traffic control operations.

### 6) Core Performance Optimizations

Multiple datapath-adjacent and control-path optimizations were added to reduce CPU and allocation pressure without changing protocol semantics:

- periodic link average updates moved to persistent ticker-style processing (reduced timer churn),
- peer snapshot collection optimized with better preallocation and reduced repeated work,
- optimized inbound allowed-key authorization path using faster lookup strategy,
- reduced atomic overhead in hot accounting paths by skipping zero-byte updates,
- debug protocol response assembly/lifecycle improvements to reduce transient allocations and bound payload behavior,
- URI parsing and formatting optimizations in CLI/control surfaces.

### 7) Transport and Dialing Efficiency Enhancements

Connection setup paths were tuned for performance and reliability across transports:

- better TCP source-interface handling with short-lived interface metadata caching,
- improved address selection and error behavior in dial suitability checks,
- WS/WSS transport setup refinements to reduce repetitive per-dial overhead,
- QUIC dialing/configuration improvements for throughput-oriented behavior and lower overhead in this usage profile,
- correctness fixes to ensure intended TLS configuration usage in QUIC dial paths.

### 8) Process-Model and Platform Behavior Tightening

Additional reliability and deployment refinements include:

- stronger single-process behavior expectations in runtime paths,
- FreeBSD TUN setup behavior tightened to return direct ioctl failures instead of shelling out to external fallback tooling,
- clearer startup/runtime wiring for dashboard lifecycle and shutdown handling.

### 9) Practical Outcome

Taken together, these enhancements provide:

- better **operator visibility** (dashboard + improved CLI),
- stronger **runtime control** (`--threads`, `--max-threads`, sandboxing),
- lower **operational overhead** in frequent control/network paths,
- improved **day-2 usability** for debugging, monitoring and peer management,
- preserved core functionality with a focus on safer and faster default operation.

## Communities

A number of IRC communities exist, including the `#kaya` IRC channel on [libera.chat](https://libera.chat) and various others on [Kaya-internal IRC networks](https://yggdrasil-network.github.io/services.html#irc).

## License

This code is released under the terms of the LGPLv3, but with an added exception
that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb).
Under certain circumstances, this exception permits distribution of binaries
that are (statically or dynamically) linked with this code, without requiring
the distribution of Minimal Corresponding Source or Minimal Application Code.
For more details, see: [LICENSE](LICENSE).