An experiment using Go post-quantum cryptography to build a self-hostable SOCKS5 proxy with timing jitter, dummy packet injection, and frame size normalization to resist traffic analysis. The idea is inspired by the already existing Mullvad's DAITA.
Warning
Due to the nature of cybersecurity/privacy tools I have to give a disclaimer.
This program was written with the intent of self-defense from mass surveillance, privacy is not inherently suspicious. Think about that the next time you close the door when you use the toilet.
Also, this is meant for home networks or internal networks for small teams, if you decide to run a public relay you are on your own.
[app] ──SOCKS5──▶ [bell client 127.0.0.1:1080] ──PQC tunnel──▶ [bell relay] ──▶ [destination]
│
jitter + dummy packets + padding
controlled by policy.zy (hot-reload on SIGHUP)
Layers:
- Key Exchange: ML-KEM-768 + X25519 hybrid (NIST FIPS 203)
- Symmetric Encryption: AES-256-GCM, authenticated per frame
- Key Derivation: HKDF-SHA256
- Noise Policy: Zygomys Lisp Script, hot-reloadable
# Generate your relay keypair
$ bell keygen --out relay
# -> relay.pub (share with clients)
# -> relay.key (keep secure, it's on the relay server)
# Start your relay
$ bell relay --key <path_to_dotkey_file> --listen :9001
# Start a client
$ bell client --relay <relay_reachable_ip:9001> --pubkey <path_to_dotpub_file> \
--listen 127.0.0.1:1080 \
--policy <path_to_policy_zyfile>
# Connect
$ curl --socks5 localhost:1080 https://urutau-ltd.org/If you need to hot-reload your policy file without restarting run:
kill -HUP $(pgrep '^bell$')
The client listen default is 127.0.0.1:1080 (loopback only).
For practical deployment patterns (per-device, gateway/family network, multiple relays, public Wi-Fi workflows), see:
To demonstrate the full flow locally (SOCKS5 -> client -> relay -> destination):
$ make e2eOr directly:
$ bell selftestRelay (server):
$ bell relay --key relay.key --listen :9001 --token "$(cat relay.token)"Client:
$ bell client --relay <relay:9001> --pubkey relay.pub --listen 127.0.0.1:1080 --policy policy.zy \
--token "$(cat relay.token)"You can also use --token-file <path> on both commands.
Relay default hardening: local/loopback/link-local destinations are denied. Use
--allow-local-targets only for lab/testing scenarios.
Install the CLI package directly:
$ go install codeberg.org/urutau-ltd/bellbird/cmd/bellbird@latestThat installation path produces a bellbird binary name by default.
Or build the short-name binary (bell) locally:
$ make buildFor local, runner-less CI execution (Codeberg "to each on their own"):
# run lint/vet/tests + build in a container
$ make pipeline
# run only CI checks
$ make pipeline-ci
# run only build stage
$ make pipeline-build
# run only end-to-end check stage
$ make pipeline-e2e
# run verification suite (includes token positive/negative checks)
$ make pipeline-verifyPipeline notes:
- Uses Containerfile.ci
- Caches modules/build output in
.cache/pipeline/ - You can override image/tag via
PIPELINE_IMAGE=...
For a local verification pass:
$ make verifyThis runs:
- unit/integration test suite (
make ci) - full e2e check (
bell selftest) - token-authenticated e2e
- negative auth check (expected failure with wrong token)
Protects against:
- Traffic correlation by timing.
- Payload fingerprinting by size.
- Burst pattern analysis.
- Passive quantum-capable global threat actors recording traffic today (HNDL).
These protections will fail if:
- A threat actor gains access to both endpoints
- You connect to a relay operated by a threat actor
For application-layer traffic you are on your own measures.
This is not Tor, it has "one hop" and no onion routing was taken in mind. Combine with either Tor, I2P or a trustable VPN service for stronger privacy.
Almost all pieces are importable:
import "codeberg.org/urutau-ltd/bellbird/client"
import "codeberg.org/urutau-ltd/bellbird/relay"
import "codeberg.org/urutau-ltd/bellbird/pqc"
import "codeberg.org/urutau-ltd/bellbird/proxy"This repository is published alongside a blog entry from our part. If you're interested in reading more go to our website at https://urutau-ltd.org/