Waveshift Documentation

Welcome to Waveshift - a platform for secure, anonymous internet access with optional physical hardware nodes for plug-and-play VPN routing.

What is Waveshift?

Waveshift provides multi-layer privacy by combining:

  • WireGuard VPN with global egress points in any AWS region
  • Cloudflare WARP integration for traffic normalisation
  • Optional hardware routers for plug-and-play device routing
  • Kasm Workspaces for isolated, containerised browsing
  • Full infrastructure control - your AWS, your rules

Use cases: Privacy-focused browsing, secure remote access, geo-specific testing, team collaboration, situational awareness (TAK)


Quick Start

Deploy Waveshift to AWS in minutes using the wavectl CLI tool:

Deploy in 3 Commands

# 1. Initialize
wavectl init --identity-provider my-provider --region us-east-1

# 2. Deploy to AWS
wavectl deploy

# 3. Create Access Server
wavectl access-servers --add 1

That's it! You now have Waveshift running on AWS. Create PoPs in the web UI and start routing traffic.

Add Physical Hardware (Optional)

Want plug-and-play routers? Add hardware sites after deployment:

# Register site and configure Control Hub
wavectl sites --add 1
wavectl configure-hub --site 0

Connect GL.iNet routers following the Hardware Setup Guide.

Understanding: Sites vs PoPs

Sites are physical locations with hardware routers:

  • Registered via wavectl sites --add
  • Contain 1 Control Hub (GL.iNet Brume2) + multiple Nodes (GL.iNet Slate AX)
  • Control Hub connects to Access Server and manages the node pool
  • Users assigned to sites can only configure nodes in that site
  • Can also be used for user grouping without physical hardware

PoPs (Points of Presence) are VPN exit points:

  • Created in Waveshift UI/API after deployment
  • Provide WireGuard VPN servers in any AWS region
  • Used for: QR code configs, Kasm Workspaces egress, Node routing

Learn more: How Waveshift Works


Key Features

Multi-Layer Privacy
WireGuard encryption + Cloudflare WARP = your ISP sees encrypted traffic, websites see Cloudflare's shared IP, your real location stays hidden.

Global Reach
Create PoPs in any AWS region worldwide: US, Europe, Asia-Pacific, South America, Africa, Middle East.

Kasm Workspaces
Containerised browsers that route through your PoPs. No traces on your device, destroy when done.

Physical Hardware
Optional GL.iNet routers provide plug-and-play VPN for any device. Perfect for IoT, smart TVs, game consoles.

Private Networking
Devices on the same PoP can communicate privately - file sharing, remote desktop, team collaboration.

Common Use Cases
  • Privacy-focused browsing - Hide your location and identity
  • Secure remote access - Centralised management for teams
  • Geo-specific testing - Access services from specific regions
  • Research & testing - Test global service behaviour
  • Situational awareness (TAK) - Private networks for secure collaboration


Support

Developed by: Blackfire Technology Ltd
Email: support@blackfire.tech
Documentation: https://docs.waveshift.io