Mutual TLS Example

In this example, a CA is generated, node certificates are issued and signed by that CA, and both the entry and exit nodes are started with those certificates for mutual authentication.

By default, nodes generate ephemeral self-signed certificates at startup with no configuration required. Custom certificates are useful for persistent deployments or where control over the root of trust and certificate rotation is required.

Generating Certificates

Generate a self-signed CA to act as the root of trust. The -nodes option writes ca-key.pem without a passphrase, so restrict access to that file:

openssl req -x509 -newkey rsa:4096 -days 365 -nodes \
  -keyout ca-key.pem -out ca-cert.pem \
  -subj "/CN=wallhack-ca"

Generate a node certificate signed by that CA:

openssl req -newkey rsa:4096 -nodes \
  -keyout node-key.pem -out node-req.pem \
  -subj "/CN=wallhack-node"

openssl x509 -req -in node-req.pem -days 365 \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -out node-cert.pem

Starting a Tunnel

Pass the certificate, key, and CA to both nodes using --cert, --key, and --ca. Each node presents its certificate and verifies the other against the shared CA.

Entry node:

wallhack --cert node-cert.pem --key node-key.pem --ca ca-cert.pem entry --listen :443

Exit node:

wallhack --cert node-cert.pem --key node-key.pem --ca ca-cert.pem exit --connect ENTRY:443

The commands above use the same node-cert.pem and node-key.pem on both nodes. In practice, issue a unique certificate per node rather than sharing one. This lets you revoke a single node without regenerating the entire chain.
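
The per-node issuance recommended above, as an added shell example that is not part of the wallhack documentation. It reuses the openssl invocations from this page; the pki directory, the NAME-cert.pem / NAME-key.pem file naming, the variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example: one key and certificate per node, all signed by one CA.
# PKI_DIR, KEY_BITS, DAYS and the function names are assumptions of this sketch.
PKI_DIR="${PKI_DIR:-./pki}"
KEY_BITS="${KEY_BITS:-4096}"   # key size used by the commands on this page
DAYS="${DAYS:-365}"

# Create the CA once; an existing CA key is never overwritten.
make_ca() {
  mkdir -p "$PKI_DIR" || return 1
  [ -f "$PKI_DIR/ca-key.pem" ] && return 0
  ( umask 077   # private keys readable by the owner only
    openssl req -x509 -newkey "rsa:$KEY_BITS" -days "$DAYS" -nodes \
      -keyout "$PKI_DIR/ca-key.pem" -out "$PKI_DIR/ca-cert.pem" \
      -subj "/CN=wallhack-ca" 2>/dev/null )
}

# Issue NAME-key.pem and NAME-cert.pem with the node name in the subject CN.
issue_node_cert() {
  name="$1"
  case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad node name" >&2; return 1 ;; esac
  [ -e "$PKI_DIR/$name-key.pem" ] && { echo "$name already issued" >&2; return 1; }
  ( umask 077
    openssl req -newkey "rsa:$KEY_BITS" -nodes \
      -keyout "$PKI_DIR/$name-key.pem" -out "$PKI_DIR/$name-req.pem" \
      -subj "/CN=wallhack-$name" 2>/dev/null &&
    openssl x509 -req -in "$PKI_DIR/$name-req.pem" -days "$DAYS" \
      -CA "$PKI_DIR/ca-cert.pem" -CAkey "$PKI_DIR/ca-key.pem" -CAcreateserial \
      -out "$PKI_DIR/$name-cert.pem" 2>/dev/null ) || return 1
  rm -f "$PKI_DIR/$name-req.pem"
}

# Succeeds only if the certificate chains to the CA and matches the node key.
verify_node_cert() {
  openssl verify -CAfile "$PKI_DIR/ca-cert.pem" "$PKI_DIR/$1-cert.pem" \
    >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$PKI_DIR/$1-cert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$PKI_DIR/$1-key.pem" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Serial number that identifies this node's certificate.
node_serial() { openssl x509 -in "$PKI_DIR/$1-cert.pem" -noout -serial | cut -d= -f2; }

# Usage: sh issue-nodes.sh entry exit   (with no arguments, only defines functions)
if [ "$#" -gt 0 ]; then
  make_ca || exit 1
  for n in "$@"; do issue_node_cert "$n" && verify_node_cert "$n" || exit 1; done
fi
```

Each node is then started with its own pair, for example --cert entry-cert.pem --key entry-key.pem --ca ca-cert.pem on the entry node. Only ca-cert.pem needs to be copied to the nodes; ca-key.pem stays on the machine that issues certificates.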