Kodachi 9 Architecture — animated command center

READ THE MAP

Click a layer to spotlight the moving paths.

scroll the diagram horizontally →

WireGuard tunnel
client-a (Free) ↔ vps1, kernel-level, mint-cyan

V2Ray tunnel
client-b (Premium) ↔ vps2 (low-density), VMess obfuscated

Shadowsocks tunnel
client-c (Dedicated) ↔ vps3 (isolated, single-tenant), censorship-resistant

Multi-Tor + HAProxy
client-d (Free) ↔ vps4 Tor relay, 3-hop anonymous. Worker Tor SOCKS is VPN-only: it binds to the OpenVPN/WireGuard subnets, never a public IP, so the remote Tor route layers on an active VPN tunnel and is never an open proxy.

Auth + card ship
64-char challenge up, signed card down, hardware-bound

Card intake
card-generator.sh on every worker, cron */5m, JSON cards pushed to master

Card vault
master keeps 3 pools: Free 200 (shared VPS), Premium 50 (low-density VPS), Dedicated 20 (isolated single-tenant VPS); matches by tier on auth — see the support page for plan details

Workers run the full stack
every VPS hosts all protocol daemons (openvpn, wireguard, shadowsocks, v2ray, xray, hysteria2, dante, mita, tor, dns). Per-worker chips show a sample only. The fleet is elastic and hosted on DMCA-resistant providers.

You're not locked to the Kodachi fleet
the same dashboard's External VPN Providers tab catalogs 13 third-party providers (VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, Mullvad, AirVPN, Windscribe, ProtonVPN, ExpressVPN, TorGuard) plus a custom pseudo-provider that auto-detects pasted .ovpn / WireGuard / Shadowsocks / V2Ray / Hysteria2 configs and vmess:///vless:///ss:// URI schemes plus Clash YAML / sing-box JSON subscriptions. The Kodachi fleet is the turnkey path, not the only path.

DNS layer
1000+ resolvers in 15 categories; DNSCrypt, DoH/DoT, Pi-hole filtering, and DNS-over-Tor all ship in every card and are driven on the client by dns-switch.

On-device defenses
3-tier PANIC, Kill Switch, Dashboard NUKE, Threat Watchdog, Security Score, MAC randomize, RAM/Browser/Logs wipe, 92+ workflows, KAICS AI. Runs on every kodachi laptop, independent of the worker fleet.

Boot

The ISO comes up. integrity-check verifies the signed Rust components before anything else runs.

Authenticate

The client requests a 64-char challenge from the master node, solves it locally, returns the solution, gets a hardware-bound session token.

Card assigned

Master matches your tier (Free, Premium, Dedicated) to a fresh card from the matching pool — Free clients land on shared VPS, Premium on low-density VPS, Dedicated on isolated single-tenant VPS. The card contains every protocol config you need.

Tunnel up

routing-switch brings the selected protocol online. dns-leak verifies the resolver is inside the tunnel.

Guarded

Heartbeat every 2 minutes, security score recomputed live, health-control watchdog ready to fire panic at any tier.

1 + N

Master + elastic worker fleet

Privilege tiers

270

Card pool ceiling

*/5m

Rotation cron

Protocols per card

HW-bound

Session model

FREE

200

Shared, high-density VPS. Every protocol included. Cards regenerated on cron when the pool dips below the threshold. Personal-use tier — same OS and binaries as the paid plans.

PREMIUM

Low-density shared VPS for consistent performance. Prioritized exits, lower contention, faster card rotation. Same protocol surface, smaller pool. Commercial usage rights included.

DEDICATED

Fully isolated VPS per customer. Bespoke configs per holder. Dedicated worker mapping. The card pool is hand-shaped, not auto-generated. Intended for organisations and serious operational use.

Kodachi is an infrastructure.