Install — macOS

Phase 2 is a manual build while we wait for an Apple Developer ID to code-sign the system-extension flow. The end-to-end path works today via sudo; brew distribution follows in Phase 3.

Prerequisites

  • macOS 13 (Ventura) or newer — needed for the modern utun interface.
  • Rust toolchain — install via rustup (curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh).
  • The framework's api-core running locally (typically at https://zeq.dev.local:3099) with the Phase 2 migration applied.

Build

git clone https://github.com/zeq-os/zeq-framework
cd zeq-framework/app/packages/zeq-vpn-client-macos
cargo build --release
sudo install -m 755 target/release/zeq-vpn-client /usr/local/bin/

Configure

The client reads two things at startup:

  1. The TOML file at ~/.zeq/vpn/config.toml.
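  2. The zsm_ bearer from the macOS Keychain (or the ZEQ_VPN_ZSM environment variable as a CI fallback).

# Stash the bearer in Keychain once per machine.
# A value given to -w lands in shell history and the process list; with -w as
# the last option and no value, security prompts for the bearer instead.
security add-generic-password \
  -a zeq.vpn.<your-slug> \
  -s "zeq-vpn-bearer" \
  -w "zsm_..." \
  -U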

# Drop the TOML in place:
mkdir -p ~/.zeq/vpn
cat > ~/.zeq/vpn/config.toml <<EOF
api_base = "https://zeq.dev.local:3099"
machine_slug = "<your-slug>"
zsm_keychain = "zeq.vpn.<your-slug>"
cover_traffic_default = false
multi_hop_default = false
kill_switch_on_drop = true
dns_via_peer = true
EOF

First connection

# Browse who is offering relay capacity.
zeq-vpn-client marketplace --country EU --max-zeq-per-gb 100

# Open a tunnel to one of the listed peers.
zeq-vpn-client connect \
  --peer-slug zeq07000000007 \
  --lifespan-zeqonds 500 \
  --pricing-unit gb

# Watch your live + recent tunnels.
zeq-vpn-client tunnels

Settings

| Key | Default | Meaning |
| --- | --- | --- |
| cover_traffic_default | false | Fill egress to 12.87 packets/Zeqond (10× HulyaPulse) with random-bytes packets encrypted the same way. Off saves bandwidth; on adds traffic-analysis resistance. |
| multi_hop_default | false | Pick an intermediate hop from the marketplace. Phase 3 surfaces multi-hop UX; Phase 2 stores the column but always negotiates direct. |
| kill_switch_on_drop | true | On tunnel-drop, optionally use pf (packet filter) to block all non-tunnel egress until the tunnel reconnects. |
| dns_via_peer | true | Resolve DNS through the peer's resolver. No DNS leaks to your ISP. |
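
A preflight lint for the settings above, as an added example that is not part of zeq-vpn-client or the project's code. It assumes flat key = value lines as in the sample config and treats a missing key as the default from the table; the function names toml_get and zeq_vpn_lint are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of zeq-vpn-client: lint ~/.zeq/vpn/config.toml.
# Assumes flat `key = value` lines, as in the sample config on this page.

# toml_get FILE KEY DEFAULT: print KEY's value (comment and quotes stripped).
toml_get() {
  v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
      sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/')
  printf '%s\n' "${v:-$3}"
}

# zeq_vpn_lint FILE: print one finding per line; exit status = finding count.
zeq_vpn_lint() {
  f=$1; n=0
  [ -r "$f" ] || { echo "cannot read $f"; return 1; }
  # Missing keys fall back to the defaults in the Settings table.
  [ "$(toml_get "$f" kill_switch_on_drop true)" = true ] ||
    { echo "kill_switch_on_drop off: non-tunnel egress is not blocked on drop"; n=$((n+1)); }
  [ "$(toml_get "$f" dns_via_peer true)" = true ] ||
    { echo "dns_via_peer off: DNS is not resolved through the peer"; n=$((n+1)); }
  case "$(toml_get "$f" api_base "")" in
    https://*) ;;
    *) echo "api_base is not an https:// URL"; n=$((n+1)) ;;
  esac
  # The bearer belongs in the Keychain; a zsm_ value here is a secret on disk.
  if grep -Eq '=[[:space:]]*"?zsm_' "$f"; then
    echo "a zsm_ bearer appears to be stored in the config file"; n=$((n+1))
  fi
  return "$n"
}

# Constructed sample with two weak settings (the slug is made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
api_base = "http://zeq.dev.local:3099"
machine_slug = "example-slug"
zsm_keychain = "zeq.vpn.example-slug"
kill_switch_on_drop = true
dns_via_peer = false   # disabled while debugging
EOF
zeq_vpn_lint "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the real file with `zeq_vpn_lint ~/.zeq/vpn/config.toml`; a zero exit status means no findings.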

Brew tap (Phase 3)

# Not yet published — Apple Developer ID code-signing required.
brew tap zeq-os/vpn
brew install zeq-vpn