Server
trantor (Go) generates the master passphrase, forges deterministic certificates, manages ECH keys, and publishes encrypted DNS records via libdns. Runs as a one-shot CLI — no daemon, no listening port.
Documentation
Reference implementations #
Trantor ships two binaries plus a graphical front-end. They are the reference implementations of the protocol — anything else that follows the specification can interoperate with them.
Clients
terminus (daemon, Linux/Windows/macOS), terminus-gui (Fyne tray app), plus Terminus iOS and Terminus Android apps. Resolves the encrypted records, forges the matching certificates locally, and injects them into the OS trust store.
Protocol specifications #
The technical specification, the RFC-style draft, and the client implementation guide are maintained in the GitHub repository. They are the authoritative description of the protocol — start here if you want to write a third-party client or audit the design.
Specification (EN)
Full technical specification: cryptographic primitives, DNS record format, key derivation, certificate forging, ECH integration, lifecycle.
Read the spec →RFC draft
The RFC-style draft, structured for protocol implementers. Field definitions, MUST/SHOULD/MAY requirements, and interoperability notes.
Read the RFC →Client spec
Client implementation guide. Per-OS DNS interception, trust store integration, certificate lifecycle, refresh cycle, and edge cases.
Read the client spec →Une version française de la spécification est aussi disponible : trantor-spec-fr.md →
Quick links #
- How it works — protocol walkthrough with diagrams.
- Get started — install the server and clients, publish your first records.
- Comparison — Trantor vs Tor, Tailscale, ZeroTier, WireGuard.
- FAQ — frequent questions about DNS, ECH, brute force, blocking.
- GitHub repository — source code, releases, issues.