secubox-openwrt/docs/wiki/Architecture.md
CyberMind-FR 01246a693d docs: Add comprehensive wiki and module documentation
Wiki structure:
- Home.md: Main navigation with module categories
- Installation.md: Getting started guide
- Quick-Start.md: First-time setup walkthrough
- Architecture.md: 4-layer architecture overview
- Modules.md: Complete catalog of 80+ modules

Module documentation (docs/wiki/modules/):
- Security.md: 15 security modules (CrowdSec, WAF, Guardians)
- Network.md: 12 network modules (HAProxy, Bandwidth, Traffic)
- Mesh.md: 7 VPN/mesh modules (WireGuard, P2P, MirrorNet)
- DNS.md: 6 DNS modules (DNS Master, Vortex, Meshname)
- Apps.md: 20 application modules (Jellyfin, Nextcloud, Matrix)
- System.md: 14 system modules (Config Vault, Reporter, RTTY)
- AI.md: 8 AI modules (Gateway, LocalAI, Threat Analyst)

Updated:
- SCREENSHOTS.md: Expanded to 111 modules with all categories
- README.md: Added wiki links and module index

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-26 12:35:31 +01:00


SecuBox Architecture

SecuBox is built on a 4-layer architecture designed for privacy, security, and decentralization.


The 4 Layers (Les 4 Couches)

+--------------------------------------------------+
|            Layer 4: Roadmap & Governance         |
|         Version milestones, certifications       |
+--------------------------------------------------+
|            Layer 3: MirrorNetworking             |
|      P2P gossip, mesh orchestration, CDN         |
+--------------------------------------------------+
|            Layer 2: AI Gateway                   |
|    Data sovereignty, local inference, routing    |
+--------------------------------------------------+
|            Layer 1: Core Mesh                    |
|     OpenWrt, WireGuard, CrowdSec, HAProxy        |
+--------------------------------------------------+

Layer 1: Core Mesh

The foundation layer running on OpenWrt 24.10.

Components

| Component | Purpose |
|---|---|
| OpenWrt | Base operating system |
| WireGuard | VPN tunnels for mesh |
| CrowdSec | IDS/IPS with threat intel |
| HAProxy | Reverse proxy, SSL termination |
| mitmproxy | WAF, TLS inspection |
| dnsmasq | DNS and DHCP |
| LXC | Container runtime |

Mesh Daemon (secuboxd)

The mesh daemon handles:

  • Peer discovery via mDNS (_secubox._udp.local)
  • Topology management
  • Gate election (weighted scoring)
  • Cross-node telemetry

secubox-mesh/
├── secuboxd          # Main daemon
├── secuboxctl        # CLI interface
└── lib/
    ├── topology.sh   # Topology management
    ├── discovery.sh  # Peer discovery
    ├── election.sh   # Gate election
    └── telemetry.sh  # Metrics collection
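As an added illustration of the weighted gate election (this is not the project's lib/election.sh), the POSIX shell function below scores candidate peers and only admits peers reached over the WireGuard transport (Tier 1 in the Layer 3 table); the record format, the tier field and the weights are assumptions, since the page states none.

```sh
#!/bin/sh
# Weighted gate election, written here as an illustration; it is not the
# project's lib/election.sh. Assumed record format, one peer per line:
#   <name> <tier> <uptime_h> <bandwidth_mbps> <load_pct>
# Assumed weights (the page states none): uptime +1, bandwidth +2, load -3.
W_UPTIME=1
W_BW=2
W_LOAD=3

# Constructed sample peers: node-c would score highest, but it was only seen
# over Yggdrasil (tier 2), so it must not be elected as the mesh gate.
PEERS="node-a 1 120 50 80
node-b 1 48 100 10
node-c 2 300 100 0"

# score_peer UPTIME BANDWIDTH LOAD -> integer score
score_peer() {
  echo $(( $1 * W_UPTIME + $2 * W_BW - $3 * W_LOAD ))
}

# elect_gate "RECORDS" -> name of the highest-scoring tier-1 peer, or "none".
# A here-document rather than a pipe keeps the loop in the current shell, so
# best_name survives the loop (a pipe would fork a subshell in ash/dash).
elect_gate() {
  best_name=none
  best_score=
  while read -r name tier up bw load; do
    [ -z "$name" ] && continue
    # Only known peers on the WireGuard (tier-1) transport are eligible.
    [ "$tier" = 1 ] || continue
    s=$(score_peer "$up" "$bw" "$load")
    if [ -z "$best_score" ] || [ "$s" -gt "$best_score" ]; then
      best_score=$s
      best_name=$name
    fi
  done <<EOF
$1
EOF
  echo "$best_name"
}

elect_gate "$PEERS"   # prints: node-b
```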

Layer 2: AI Gateway

Data sovereignty engine for AI operations.

Data Classification

| Tier | Description | Destination |
|---|---|---|
| LOCAL_ONLY | Raw network data, IPs, MACs | Never leaves device |
| SANITIZED | Anonymized patterns | Mistral EU (opt-in) |
| CLOUD_DIRECT | Generic queries | Claude/GPT (opt-in) |

Provider Routing

Priority order for AI requests:

  1. LocalAI (local inference)
  2. Mistral (EU sovereign)
  3. Claude
  4. OpenAI GPT
  5. Gemini
  6. xAI
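The following POSIX shell snippet is an added illustration of how the data classification tiers above constrain the provider priority list (it is not the project's secubox-ai-gateway code): a request may only reach a provider its tier permits, an unavailable provider never widens that policy, and IPv4 and MAC addresses are redacted before a SANITIZED request leaves the device. The short provider names and the redaction patterns are this example's assumptions.

```sh
#!/bin/sh
# Tier-aware provider routing for the AI Gateway, written here as an
# illustration; it is not the project's secubox-ai-gateway code.
# Provider priority is the page's list; the short provider names and the
# redaction patterns are this example's assumptions.
PRIORITY="localai mistral claude openai gemini xai"

# allowed_for_tier TIER -> providers that tier may reach, in priority order.
# LOCAL_ONLY never leaves the device, SANITIZED may reach the EU provider,
# CLOUD_DIRECT may use the full chain.
allowed_for_tier() {
  case "$1" in
    LOCAL_ONLY)   echo "localai" ;;
    SANITIZED)    echo "localai mistral" ;;
    CLOUD_DIRECT) echo "$PRIORITY" ;;
    *)            echo "" ;;
  esac
}

# route_request TIER "AVAILABLE PROVIDERS" -> first permitted provider that is
# currently available, or "deny" (exit 1) when none is. Availability never
# widens the policy: an unavailable LocalAI does not push LOCAL_ONLY data out.
route_request() {
  tier=$1
  avail=" $2 "
  for p in $(allowed_for_tier "$tier"); do
    case "$avail" in
      *" $p "*) echo "$p"; return 0 ;;
    esac
  done
  echo "deny"
  return 1
}

# sanitize TEXT -> TEXT with IPv4 and MAC addresses redacted, the minimum
# scrubbing a SANITIZED request needs before it is sent. IPv6 addresses and
# hostnames are not covered here.
sanitize() {
  printf '%s\n' "$1" | sed -E \
    -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/[IP]/g' \
    -e 's/([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}/[MAC]/g'
}

route_request SANITIZED "claude mistral"        # prints: mistral
sanitize "peer 10.0.0.5 at 00:11:22:33:44:55"   # prints: peer [IP] at [MAC]
```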

AI Agents

| Agent | Function |
|---|---|
| Threat Analyst | CrowdSec alert analysis |
| DNS Guard | DNS anomaly detection |
| CVE Triage | Vulnerability prioritization |
| Network Anomaly | Traffic pattern analysis |
| Config Advisor | ANSSI compliance |

Layer 3: MirrorNetworking

Decentralized mesh orchestration.

Dual Transport

| Tier | Protocol | Purpose |
|---|---|---|
| Tier 1 | WireGuard | Known peers, trusted mesh |
| Tier 2 | Yggdrasil | Discovery, extended mesh |

Gossip Protocol

Services synchronized across the mesh:

  • Threat Intel: signed IoC gossip
  • Service Registry: Published services
  • Configuration: Distributed config sync
  • AI Inference: Distributed model queries

Punk Exposure Model

Three-verb service exposure:

  1. Peek: Discover and scan services
  2. Poke: Configure exposure channels
  3. Emancipate: Activate exposure

Channels:

  • Tor: .onion hidden services
  • DNS/SSL: HTTPS via HAProxy + ACME
  • Mesh: P2P service registry

Layer 4: Roadmap

Version governance and certifications.

Milestones

| Version | Status | Features |
|---|---|---|
| v0.18 | Done | MirrorBox Core |
| v0.19 | Done | AI Expansion |
| v1.0 | Done | Full Stack |
| v1.1 | Done | Extended Mesh |

Target Certifications

  • ANSSI CSPN: French security certification
  • CE: European conformity
  • GDPR: Data protection compliance
  • NIS2: Network security directive

Network Architecture

Internet
    │
    ▼
┌──────────────┐
│   HAProxy    │ ◄── SSL termination, routing
│  (LXC)       │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│  mitmproxy   │ ◄── WAF, TLS inspection
│  (LXC)       │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│   CrowdSec   │ ◄── IDS/IPS
│  (host)      │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│  Services    │ ◄── Jellyfin, Nextcloud, etc.
│  (LXC)       │
└──────────────┘

Directory Structure

package/secubox/
├── secubox-core/           # Base utilities
├── secubox-mesh/           # Mesh daemon
├── secubox-p2p/            # P2P protocol
├── secubox-identity/       # DID/trust
├── secubox-ai-gateway/     # AI routing
├── luci-app-*/             # LuCI modules (80+)
├── luci-theme-secubox/     # CRT P31 theme
└── secubox-app-*/          # Service packages

Key Configuration Files

| File | Purpose |
|---|---|
| /etc/config/secubox | Main SecuBox config |
| /etc/config/secubox-mesh | Mesh settings |
| /etc/config/wireguard_* | VPN tunnels |
| /etc/config/crowdsec | IDS/IPS config |
| /etc/config/haproxy | Reverse proxy |

SecuBox v1.0.0