Self-hosted zero-trust access layer built on WireGuard.
Device enrollment, session brokering, STUN/TURN-assisted NAT traversal, and a clean admin UI.
System Design · Architecture · CLI Reference · Deployment · Apache 2.0
Selkie is a self-hosted management and administration layer for a WireGuard-based zero-trust overlay network. It wraps the underlying WireGuard peer-to-peer protocol, which is open source and maintained independently.
WireGuard is developed by Jason A. Donenfeld and released under the GPLv2 license. Selkie links to WireGuard userspace implementations at runtime and does not distribute WireGuard source. See wireguard.com and the WireGuard GitHub organisation for the canonical project.
- Enrolls devices (macOS, Linux, iOS, Android) into a shared WireGuard overlay network
- Issues short-lived session tokens and brokers peer-to-peer connections via ICE/STUN/TURN
- Exposes a service catalog — each device reports its listening ports; peers connect by overlay IP
- Provides a single-page admin UI for device management, session history, relay health, and system status
- Ships a Node.js CLI daemon (`selkie`) that runs as an OS service on each enrolled device
- Provides native mobile apps (iOS and Android) for connecting to enrolled servers
```
Admin UI (browser, static HTML + Tailwind)
        │  HTTPS (internal session JWT)
Control Server (Go 1.23+)
  Auth · Device registry · Session broker · Policy · Audit
  PostgreSQL (durable) · Redis (ephemeral)
        │  WireGuard overlay + STUN/TURN
Selkie CLI (Node.js, runs as OS service on each device)
  WireGuard peer · Heartbeat · Service manifest reporter
```
The control server coordinates identity and session establishment. It never carries application-layer traffic — once a connection is established, peers communicate directly over the WireGuard overlay (or via TURN relay when direct paths are blocked by NAT).
| Document | Description |
|---|---|
| docs/brief.md | Full system design, data models, API surface |
| docs/frameworks.md | Component architecture, SDK design, auth flows |
| docs/cli.md | CLI daemon reference |
| docs/mobile.md | Native iOS and Android app specification |
| docs/sso.md | Authentication with UOA (UnlikeOtherAuthenticator) |
| docs/techstack.md | Library and dependency choices |
```bash
# Copy and fill in your environment
cp .env.example .env

# Start with Docker Compose (server + postgres + redis + coturn)
docker compose up

# Enrol your first device (runs on the device being enrolled)
npm install -g selkie
selkie enroll
```

After enrollment, open the admin UI and complete SSO login. The first login becomes the super user account.
LLM-first browser for iOS, Android, macOS, and desktop. Control real browsers via mDNS discovery, HTTP API, and MCP.
Selkie is released under the Apache License 2.0.
Copyright 2026 UnlikeOtherAI Ltd
Author: Ondrej Rafaj <ondrej@unlikeotherai.com>
WireGuard® is a registered trademark of Jason A. Donenfeld. Selkie is not affiliated with or endorsed by the WireGuard project.