Security Appliance · Coming Soon · in active development

blackLimes

A security appliance that lets you work from home — from anywhere.

Built for people with real intellectual property at stake. For remote employees whose enterprise needs them to appear at a specific address. For travelers who refuse to give up the services they depend on at home.

Project status

What's done · what's coming

blackLimes is an ongoing project. Architecture, branding, license, and the deployment surface are committed in the open. The control plane and CI-built release artefacts are next.

✓ Done · committed in the open
  • Architecture & threat model (full design docs in docs/concepts/)
  • policy.yaml schema · zones · tiers · QoS · Home Anywhere · notifications
  • Branding · boot screen · admin GUI mockups
  • Container Dockerfile + docker-compose.yml · runs today
  • Operator scripts: install.sh · backup.sh · restore.sh
  • Raspberry Pi image builder (Pi 4 / Pi 5 / Pi 3B+ slim)
  • CI release pipeline (containers · ISOs · disk images · Pi images · cosign-signed)
  • blackLimes Free Use License v1.0
🚧 In active development
  • blacklimes-ctl — Python control plane that renders nftables / tc / kea / unbound from policy.yaml
  • Admin GUI backend — the FastAPI service driving the mockups
  • First-boot wizard implementation (the five-role selection screen)
  • WireGuard mesh provisioning & invite-token flow
  • Notification fan-out (ntfy · SMTP · Twilio · webhook)
◯ Planned · v0.2 and beyond
  • blackLimes Connect desktop apps (Windows · macOS · Linux)
  • First tagged release (v0.1.0) with signed artefacts on the GitHub release page
  • Branded mobile clients (currently: official WireGuard apps + exported config)
  • Multi-home failover · per-app routing · captive portal · plausible-deniability mode
Top 3 Benefits

Why people install blackLimes

No. 1

Appear at home from anywhere

Two appliances form an encrypted WireGuard mesh: one at your house, one that travels with you. Every device you point at the field appliance egresses through your home ISP. The world sees your home WAN — Spectrum, Quantum, Xfinity, whoever serves your house. Your physical location stays inside the box.

No. 2

Authorized devices only — automatically

Every device that joins your network lands in quarantine at 100 kbps until you approve it. New MAC on a known IP? You get a push notification with the old and new MAC, the OUI vendor, and a one-tap approve/reject. No more wondering who's on your network.

No. 3

One box instead of five

Router, firewall, PBX (voice), mail server, DHCP / DNS, DMZ host, WireGuard mesh — one appliance, one policy file, one operator. Runs on a Raspberry Pi 3B+, a Pi 5, an old desktop, a Proxmox VM, or a Docker container. Built on Alpine + nftables + WireGuard. No proprietary anything.

Why people are getting it

Who blackLimes is built for

A

You work for a large enterprise that geo-fences VPN access

Your employer's ClientVPN policy requires you to appear from a US address. Travel happens, but the policy doesn't bend. blackLimes makes your laptop appear at your home WAN — tunnel-in-tunnel, completely transparent to the corporate VPN client.

B

You handle real intellectual property

Lawyers, researchers, engineers, financial professionals, journalists, executives. Your physical location is itself sensitive. blackLimes means a traceroute back to you terminates at your home — not at whatever Airbnb / hotel / coffee shop / country you're actually in.

C

You travel and want to keep using home services

YouTube TV, your bank app, your home phone number on SIP, Hulu, Max, Netflix's US catalog. All of them geo-fence by IP. blackLimes egresses through your home ISP so every one of them just works — no per-service config, no commercial VPN flagged by the streamer.

D

You want one appliance instead of five products

The pfSense + FreePBX + Postfix + managed DNS provider + commercial VPN stack, replaced by one appliance and one policy file. Built on tools you can inspect (nftables, tc, unbound, kea, asterisk, postfix, dovecot, WireGuard). No vendor lock-in.

E

You want friends or family on your mesh without buying them hardware

blackLimes Connect is a free desktop app for Windows, macOS, and Linux. You mint an invite from your home appliance, send it to your dad / your spouse / your cousin, they paste it, they're on. 90 seconds end-to-end.

Deploy

Install or deploy blackLimes

The container path runs today from the repo (docker compose up -d). The ISO + disk-image + Pi-image builders are written and CI-wired; they begin emitting signed artefacts to GitHub releases at v0.1.0. Form factors below are the ones the architecture supports — availability per row tracks the project status above.

Form factor | Best for | Get started
Docker container | Lab, test, k8s · multi-arch image | docker compose up -d
Proxmox VM (qcow2) | Production gateway in an existing virt environment | qm importdisk then qm start
Installer ISO | Bare metal · old desktop, mini-PC, repurposed thin client | USB-boot, walk the 5-question installer
Raspberry Pi 5 image | Permanent home appliance · full stack (PBX, mail, everything) | Flash with rpi-imager → boot
Raspberry Pi 4 image | Home appliance for households on ≤500 Mb/s broadband | Flash with rpi-imager → boot
Raspberry Pi 3B+ image · slim profile | Travel-perfect field appliance · fits in a coat pocket, runs off a phone charger | Flash with rpi-imager (auto-detects slim)
ARM SBC (Rock 5, Orange Pi, Odroid) | Generic arm64 disk image | xz -d && dd to SD/SSD/USB
blackLimes Connect · desktop app | Windows, macOS, Linux laptops · no hardware required · friends & family | Download installer, paste an invite
Mobile (iOS / Android) | Phones and tablets · uses the official WireGuard app for now | Operator exports invite as QR; user scans

License

Free to use. Not free to redistribute.

What you get under the blackLimes Free Use License

blackLimes is free to use for any purpose — personal, household, internal commercial, internal government, internal nonprofit, research. Run it on any number of devices you own or control, forever, at no cost. Read the source. Modify it for your own deployments. Tell people about it.

What you don't get

  • You may not redistribute the software (no mirroring, no forking and re-publishing, no app-store listings).
  • You may not offer it as a managed service to third parties.
  • You may not ship a re-branded build under your own name.
  • You may not strip the copyright or version branding.

For commercial redistribution, OEM bundling, branded distributions, or any other arrangement beyond the Free Use License: contact legal@albrightlab.com. Full license text lives in the repo: LICENSE.md.

Quickstart, architecture notes, deployment guide, threat model — all in the repo.
