What it does: Encrypted tunnel between your devices. Once connected, they see each other like they're on the same network. SSH, file sharing, everything works through it.
Cost: Free. Built into Linux kernel. Free app on Mac/iOS/Android.
Depends on: Nothing — it's just two devices talking to each other. But they need to FIND each other first (that's the signaling problem below).
Both devices are behind CGNAT. Neither has a public IP. They can't find each other directly. They need a tiny coordination point — something that says "hey, Mac is currently at this address, Linux box is currently at that address." Once they know, WireGuard connects direct.
Options (pick any one):
| Method | How it works | Account needed | Self-hostable | Real-time |
|---|---|---|---|---|
| Cloudflare DNS TXT | Update a TXT record with IP:port. Other device does dig. | You already have CF | N/A (your domain) | No (DNS cache delay) |
| GitHub repo | Push IP:port to a file via API. Other device reads it. | You already have GH | No | No (polling) |
| GitLab/Codeberg | Same as GitHub | Free account | Codeberg is open source | No (polling) |
| ntfy.sh | Publish IP:port to a topic. Other device subscribes. Instant. | None | Yes | Yes |
| Nostr | Publish to decentralized relay. Keypair only. No account. | None | Yes | Yes |
| MQTT | Lightweight IoT messaging. Free brokers exist (HiveMQ). | Free account | Yes | Yes |
| Cloudflare Worker | Tiny script stores IP:port. Devices read/write via HTTP. | You already have CF | N/A | No (polling) |
| Cloudflare R2 | Store a tiny file. S3-compatible. | You already have CF | N/A | No (polling) |
| Upstash Redis | Free tier REST API key-value store. | Free account | No | No (polling) |
Recommendation: ntfy.sh for real-time + self-hostable. Cloudflare DNS TXT as backup (you already own it). GitHub as third backup. Three independent signaling methods means no single point of failure.
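An added example, not part of the original page: several channels in the table accept writes without an account, so the code below authenticates each IP:port announcement with an HMAC, rejects stale or replayed ones, and picks the newest valid one across all channels. The message format, the pre-shared key, the 300-second window and every name and address are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

MAX_AGE = 300  # seconds an announcement stays valid (assumed window)

def _tag(psk: bytes, body: str) -> str:
    return hmac.new(psk, body.encode(), hashlib.sha256).hexdigest()

def sign_announcement(psk: bytes, peer: str, endpoint: str, ts: int) -> str:
    """Format (hypothetical): peer|ip:port|unix_ts|hmac_sha256_hex."""
    body = f"{peer}|{endpoint}|{ts}"
    return f"{body}|{_tag(psk, body)}"

def verify_announcement(psk: bytes, msg: str, now: int, last_ts: int = 0):
    """Return (peer, ip, port, ts), or None if forged, stale, replayed or malformed."""
    try:
        body, tag = msg.strip().rsplit("|", 1)
        # Authenticate before parsing anything the sender controls.
        if not hmac.compare_digest(_tag(psk, body).encode(), tag.encode()):
            return None
        peer, endpoint, ts_s = body.split("|")
        host, port_s = endpoint.rsplit(":", 1)
        ip, port, ts = ipaddress.ip_address(host.strip("[]")), int(port_s), int(ts_s)
    except ValueError:
        return None
    if not 0 < port < 65536 or abs(now - ts) > MAX_AGE or ts <= last_ts:
        return None
    return peer, str(ip), port, ts

def pick_endpoint(psk: bytes, fetched: list, now: int, last_ts: int = 0):
    """fetched: raw strings read from each channel (ntfy, DNS TXT, GitHub)."""
    valid = [v for v in (verify_announcement(psk, m, now, last_ts) for m in fetched) if v]
    return max(valid, key=lambda v: v[3], default=None)

if __name__ == "__main__":
    psk = b"constructed-demo-key"  # constructed sample values throughout
    now = 1_700_000_000
    fresh = sign_announcement(psk, "linux-box", "203.0.113.7:51820", now - 20)
    old = sign_announcement(psk, "linux-box", "203.0.113.9:51820", now - 3600)
    forged = fresh.replace("203.0.113.7", "198.51.100.66")
    print(pick_endpoint(psk, [old, forged, fresh], now))
```

WireGuard still authenticates the peer by its public key, so a forged endpoint cannot read traffic; the check stops a bad announcement from pointing the tunnel at an address where nothing answers.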
What it does: Keeps folders in sync between devices automatically. Change a file on Mac, it appears on Linux box. Bidirectional.
Cost: Free, open source.
Depends on: Devices finding each other (works over WireGuard tunnel, or discovers on local network automatically).
Good for: Keeping your workspace, research, wiki content, and FOI documents synced across both machines without touching anyone's cloud.
What it does: Terminal access from one machine to the other.
Cost: Free. Built into both operating systems.
Depends on: Network connection (works over WireGuard tunnel).
Good for: Running commands on the Linux box from the Mac at a cafe. Or vice versa.
What it does: One keyboard and mouse controls both screens. Move your cursor off the edge of the Mac screen, it appears on the Linux screen.
Cost: Free, open source (fork of Synergy).
Depends on: Both machines on same local network (or WireGuard tunnel).
Good for: When they're sitting side by side on your desk.
What it does: Exposes local web services through Cloudflare. Wiki, dashboard, anything running on your home machine becomes accessible at a URL.
Cost: Free.
Depends on: Cloudflare (you already use it for everything).
Works behind CGNAT: Yes — connects outbound.
Not good for: SSH (requires clunky wrapper on client side). Use WireGuard for SSH instead.
What it does: Publish/subscribe messaging. Send a message to a topic, anyone listening gets it instantly.
Cost: Free. No account.
Self-hostable: Yes.
Good for:
What it does: A signed statement published regularly saying "we have not received secret government orders." If it stops updating, that IS the message.
Cost: Free.
How it connects:
What it does: Publish messages to decentralized relays. No account — just a keypair. No one controls it.
Cost: Free.
Good for: Signaling, public statements, canary publishing, communication that no one can censor or shut down.
Aligns with: Everything OMXUS stands for. No middleman. Keypair identity. Censorship-resistant.
What it does: Same as Tailscale (mesh VPN, NAT traversal, devices find each other) but you run the coordination server yourself.
Cost: Free.
You already have it: Config exists in your infra/ directory.
Depends on: A server to run the coordination (could be the Pop!_OS box + Cloudflare Tunnel to make it reachable, or any free VPS).
```
              ┌─────────────┐
              │   ntfy.sh   │ ← signaling (IP:port exchange)
              │   (or DNS   │ ← backup signaling
              │  or GitHub) │ ← third backup
              └──────┬──────┘
                     │
        ┌────────────┼────────────┐
        │            │            │
   ┌────▼────┐   ┌───▼────┐   ┌───▼────┐
   │ M4 Mac  │   │Pop!_OS │   │ Phone  │
   │ (daily) │   │ (home) │   │        │
   └────┬────┘   └───┬────┘   └───┬────┘
        │            │            │
        └────────────┼────────────┘
                     │
             WireGuard tunnel
           (direct peer-to-peer)
                     │
        ┌────────────┼────────────┐
        │            │            │
    Syncthing   SSH access   Input Leap
   (file sync)  (terminal)  (shared kb/mouse)
```
| Thing | Can it disappear? | Backup plan |
|---|---|---|
| WireGuard | No — it's local software, open source, in the kernel | N/A |
| Syncthing | No — local software, open source | N/A |
| ntfy.sh (public) | Yes — one guy runs it | Self-host it on your Linux box |
| GitHub API | Unlikely but yes | Switch to GitLab, Codeberg, or DNS |
| Cloudflare DNS | Unlikely but yes | Switch to GitHub or ntfy |
| STUN servers | Google's could go | Many free alternatives exist |
Nothing in this stack costs money. Nothing requires a specific provider. Everything has a backup. Everything is open source. You own all of it.
Total: about 30 minutes and you're connected indefinitely for free.
Libraries:
The "Google Docs" experience except data goes browser-to-browser and saves to GitHub.
A document with an embedded invisible resource (1x1 pixel image, DNS lookup, or external template reference). When someone opens the document, it reaches out to a URL. The server logs who, when, where.
How it works:
Harder-to-block version: DNS canary. Document references a unique hostname. Even if image loading is blocked, the DNS lookup still happens. Almost impossible to prevent without breaking everything.
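To see which hosts a document will contact before it is opened, the added example below (not from the original page) lists the external relationships inside a .docx container, which is where remote images and external template references are recorded. The choice of .docx, the function names and the sample hostnames are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_references(docx: bytes):
    """Return (part, kind, host) for each relationship that points outside the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for info in z.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > 1_000_000:
                raise ValueError(f"{info.filename}: oversized relationship part")
            data = z.read(info)
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                raise ValueError(f"{info.filename}: DTD present, refusing to parse")
            for rel in ET.fromstring(data).iter(f"{{{PKG}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    host = urlsplit(rel.get("Target", "")).hostname or ""
                    found.append((info.filename, kind, host))
    return found

def loads_without_click(refs):
    """Hyperlinks wait for a click; other external parts are usually fetched on open."""
    return [r for r in refs if r[1] != "hyperlink"]

def build_sample() -> bytes:
    """Constructed .docx skeleton: a normal link, a remote image, a remote template."""
    def rels(*items):
        rows = "".join(f'<Relationship Id="r{i}" Type="{DOC}{kind}" Target="{url}" '
                       'TargetMode="External"/>' for i, (kind, url) in enumerate(items))
        return f'<Relationships xmlns="{PKG}">{rows}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels(
            ("hyperlink", "https://example.org/about"),
            ("image", "https://tok-7f3a.canary.example/p.png")))
        z.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "https://tok-7f3a.canary.example/t.dotx")))
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, host in loads_without_click(external_references(build_sample())):
        print(f"{part}: {kind} -> {host}")
```

A unique per-document hostname in this output is the DNS canary case: the name lookup alone identifies the document, whether or not the fetch succeeds.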
The connection potential:
A document that creates a room just by being opened:
A document is not a file. It's a doorbell. Reading becomes connecting.
The author feels the document being read — not analytics, not "542 views," but a living presence. Someone is with your words right now.
Nostr uses secp256k1. Same curve as Ethereum. Same curve as VexID. Your OMXUS identity IS your Nostr identity IS your mesh address IS your document signature IS your canary key.
One key, everywhere:
Concept #1 (one identity everywhere) connects to concept #14 (vouched chat) connects to concept #21 (peer-to-peer without infrastructure). It's all the same key.
Automerge/Loro/Yjs solve the vouched chat and collaboration problem:
Person opens OMXUS app (or document)
→ Hyperswarm joins the mesh (automatic, no config)
→ Finds other OMXUS users (DHT, no server)
→ WebRTC connects them directly
→ Yjs/Automerge syncs state in real-time
→ WireGuard available for persistent encrypted tunnel
→ Canary tokens make documents into live connections
→ ntfy.sh for notifications (self-hosted)
→ Nostr for censorship-resistant publishing
→ All signed with one secp256k1 key
→ Everything encrypted, everything peer-to-peer
→ Nothing costs money
→ Nothing depends on anyone
A person doesn't "join a network." They ARE the network the moment they open the app. The document doesn't just contain words. It contains a doorway. Reading is connecting. The act of opening is the act of arriving.
1. One identity, everywhere
2. $29 ring — hardware second factor
3. Zero-trust without the complexity
4. Policy as code as prose as law
5. Single binary, every platform
6. The mesh IS the distribution
7. Device attestation without surveillance
8. Brutal honesty built in
9. Selfishness as infrastructure
10. Every decision auditable
11. Call of Duty — protagonist game mechanics
12. Step up — challenges, never pleads
13. Voice of god — system has personality
14. Vouched chat — verified humans, real talk
15. WebRTC live collab
16. Proof of work, not proof of opinion
17. The system handles the awkward part
18. Building codes — the door is already open
19. Don't punish the helper
20. The app's job is to get you off the app
21. Peer-to-peer without infrastructure — Hyperswarm DHT, WireGuard, STUN, no server
22. Documents as doorways — canary tokens, reading as connecting, presence not analytics
23. The Slave gets fed — fitness has purpose, bouldering because you're a responder, fight club without the violence
14 nodes armed. You're covered. Go climb something.