- GRE6 tunnel over Yggdrasil to VPS gateway (172.16.0.0/24)
- Kill switch: guest→vpn_tunnel only (no guest→wan)
- OWE transition mode on Parahub_Free (encrypted + open fallback)
- DNS-over-HTTPS via https-dns-proxy (Cloudflare 1.1.1.1)
- Guest DNS hijacked via firewall DNAT redirect
- IPv6 blocked for guest zone (leak prevention)
- SQM 128→512 kbps
- Added kmod-gre6, https-dns-proxy to PACKAGES_CORE
- SSH authorized key for passwordless root access
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Random per-node mesh keys prevented nodes from connecting to each other.
Now all Parahub nodes share a pre-configured mesh SAE key for automatic
802.11s mesh peering. Private WiFi keys remain randomly generated per node.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
First-boot script that configures a Parahub mesh node with zero user
interaction: batman-adv BATMAN_V mesh, dual-band WiFi (private SAE +
public open), firewall zones with guest isolation, SQM 128kbps shaping,
MAC-derived subnets for collision avoidance, and key generation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
