Frequently Asked Questions
Common questions and answers about Waveshift.
General Questions
What is Waveshift?
Waveshift is a hardware and software platform for creating resilient mesh networks and edge computing deployments with secure anonymous access to the internet via Cloudflare WARP and AWS egress locations across the world.
Key Features:
- Hardware nodes for plug-and-play VPN routing
- On-demand AWS-based Points of Presence (PoPs) worldwide
- Optional Cloudflare WARP integration for traffic normalisation
- Kasm Workspaces integration for secure browsing and persistent profiles
- Private peer-to-peer networking between devices
See How Waveshift Works for detailed architecture.
What's the benefit of using Waveshift over Cloudflare WARP alone?
Cloudflare WARP is excellent for fast internet access, but limited to selecting an egress location near your physical location.
Waveshift advantages:
✅ Choose any AWS region for egress (not just nearby)
✅ Protect your IP from Cloudflare (they see AWS, not you)
✅ Full infrastructure control (deploy, configure, destroy)
✅ Hardware nodes for easy device integration
✅ Kasm workspaces for isolated browsing
✅ P2P networking between your devices
See Cloudflare Integration for details.
Who should use Waveshift?
Ideal for:
- Privacy-conscious users needing anonymous internet access
- Organisations requiring secure remote access
- Users needing specific geographic egress points
- Teams wanting private mesh networking
- Anyone wanting control over their VPN infrastructure
How is Waveshift different from commercial VPNs?
| Feature | Waveshift | Commercial VPN |
|---|---|---|
| Infrastructure | Your own AWS resources | Shared provider servers |
| Exit IPs | Unique to you (or shared via Cloudflare) | Shared with thousands |
| Control | Full control and transparency | Trust the provider |
| Locations | Any AWS region | Provider's locations only |
| Logging | You control (none by default) | Provider's policy |
| Privacy | Multi-layer anonymisation | Single-layer |
| Hardware | Nodes for easy integration | Software-only |
VPN & Networking
What type of VPN does Waveshift use?
WireGuard - A modern, fast VPN protocol using state-of-the-art cryptography:
- Curve25519 for key exchange
- ChaCha20 for symmetric encryption
- Poly1305 for authentication
- BLAKE2s for hashing
How does Waveshift handle traffic encryption?
Multi-layer encryption:
- Device to Node: LAN (HTTPS/TLS)
- Node to AWS PoP: WireGuard tunnel through internet
- PoP to Cloudflare (if enabled): WireGuard to WARP
- Cloudflare to Internet: Encrypted to final destination (HTTPS/TLS)
Your data is encrypted with multiple layers of protection.
Where does Waveshift generate the encryption keys?
Key generation location depends on use case:
Server Keys:
- Generated on the EC2 instance itself
- Private key never leaves the server
- Only public key shared with Control Plane
Peer Keys (QR codes/configs):
- Generated on Control Plane
- Both private and public keys in config
- Intended for personal devices you control
Node Keys:
- Generated on the node device
- Private key stays on node
- Only public key shared with Control Plane
Entropy sources: Drand (public randomness beacon) + local system entropy for maximum security.
When a PoP is deleted, what happens to the data?
Permanent Data Destruction
When you delete a PoP, all data is permanently destroyed with no possibility of recovery. This is a destructive operation that cannot be undone.
What gets destroyed:
- EC2 instance terminated - All data on the instance is erased
- IP address released - Returns to AWS pool and may be reassigned to other customers
- WireGuard configs invalidated - All keys become immediately invalid
Before deleting: Always ensure you have backups of any important data, logs, or configurations you may need later.
Is it possible to network multiple devices together?
Yes! Devices on the same PoP can communicate privately:
Peer-to-Peer Features:
- Secure encrypted communication between peers
- No internet exposure for P2P traffic
- File sharing between trusted devices
- Remote desktop access
- Private TAK servers
- Team collaboration tools
How it works:
- All devices on same PoP are in same VPN subnet
- WireGuard allows peer-to-peer routing
- Traffic stays within VPN, never touches internet
See How Waveshift Works - P2P Networking for details.
Is it possible to use the VPN to connect to the public internet?
Absolutely! That's the primary use case:
- Device connects to Node (or uses QR code config)
- All internet traffic encrypted via WireGuard
- Traffic routes through AWS PoP
- Optional: Further encrypted to Cloudflare WARP
- Exits to public internet
Your ISP sees: Encrypted WireGuard traffic
Websites see: AWS IP (or Cloudflare shared IP if enabled)
Your real IP: Completely hidden
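An added example, not part of the Waveshift tooling: a check that a WireGuard peer config (such as the QR-code configs described earlier) routes all IPv4, IPv6 and DNS traffic into the tunnel. The sample configs, addresses, placeholder keys and function names are constructed for illustration.

```python
import ipaddress

def parse_wg_config(text: str) -> list[tuple[str, dict[str, str]]]:
    """Parse wg-quick style text into (section, {key: value}) pairs, keeping every [Peer]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def covers_everything(nets, version: int) -> bool:
    """True if the networks collapse to the whole IPv4 or IPv6 space (handles /1 + /1)."""
    same = [n for n in nets if n.version == version]
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(same))

def audit(text: str) -> list[str]:
    """Return leak findings for a peer config; an empty list means none were found."""
    findings, nets, dns = [], [], False
    for name, kv in parse_wg_config(text):
        if name == "interface":
            dns = bool(kv.get("dns"))
        elif name == "peer":
            for item in kv.get("allowedips", "").split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    if not covers_everything(nets, 4):
        findings.append("IPv4 split tunnel: some destinations bypass the VPN")
    if not covers_everything(nets, 6):
        findings.append("IPv6 is not fully routed into the tunnel")
    if not dns:
        findings.append("no DNS set: the local network's resolver may be used")
    return findings

# Constructed sample configs; keys are placeholders, addresses are documentation ranges.
FULL_TUNNEL = """[Interface]
PrivateKey = (placeholder)
Address = 10.0.0.2/32
DNS = 10.0.0.1
[Peer]
PublicKey = (placeholder)
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0
"""
SPLIT_TUNNEL = FULL_TUNNEL.replace("DNS = 10.0.0.1\n", "").replace(
    "0.0.0.0/1, 128.0.0.0/1, ::/0", "10.0.0.0/24")

if __name__ == "__main__":
    for label, cfg in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(label, audit(cfg) or "no findings")
```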
Hardware
What's included in the Waveshift hardware package?
Standard Kit includes:
- 1x Control Hub (GL.iNet Brume 2) - Control Hub router
- 5x Nodes (GL.iNet Slate AX) - User device routers
- 1x Network Switch (8+ ports) - Unmanaged
- Power adapters for all devices
- 20x Ethernet cables (Cat 6)
See Hardware Setup for complete details.
Can I use different hardware than provided?
Waveshift Firmware Requirements
Control Hub and Node routers require Waveshift-specific firmware and cannot be substituted with standard routers.
Hardware requirements:
- Control Hub and Nodes require Waveshift custom firmware
- Firmware is custom-built specifically for GL.iNet hardware
- Standard consumer routers cannot be flashed with Waveshift firmware
- GL.iNet devices other than those provided are not currently supported
Why this matters: The firmware includes specialised VPN management, automatic configuration, and killswitch functionality that aren't available on standard router firmware.
However, you can substitute:
- Switch can be any unmanaged switch (8+ ports)
- Bearer router can be any router providing internet
- Tablet can be any device with Ethernet adapter
- Power adapters can be substituted (check voltage/amperage)
Alternative Hardware Options
If you need different hardware than the standard kit, Blackfire Technology can help scope alternatives.
When to contact: If you need higher capacity, different form factors, or deployment-specific requirements.
Contact: support@blackfire.tech
What firmware is running on the GL.iNet devices?
Waveshift Custom Firmware:
- Based on OpenWrt Linux distribution
- Custom Waveshift modules for VPN management
- Automatic configuration from Control Plane
- VPN killswitch and firewall rules
Firmware updates: Released periodically through Waveshift deployment updates.
How can I get the latest firmware?
- Firmware updates released periodically by Blackfire Technology
- Deployed during Waveshift service updates
- Control Hub and Nodes update in coordination with Control Plane
How do I reset the Internet Bearer Router?
Reset procedure:
- Locate the reset button on the Bearer Router
- Hold the reset button for 10 seconds
- Release when the system begins to reboot
- Wait for full boot (approximately 4 minutes)
- Reconfigure internet settings via admin panel at 192.168.8.1
Reset Wipes Configuration
A factory reset will erase all settings including Wi-Fi credentials, internet configuration, and custom settings.
What if I need more nodes?
Expanding your deployment:
- Additional nodes can be purchased through Blackfire Technology
- All nodes come pre-flashed with Waveshift firmware
- Simply connect and power on following the same setup procedure
- Contact: support@blackfire.tech
Can nodes be used without Control Hub?
No. Nodes require the Control Hub for operation:
- Control Hub provides management network connectivity
- Configuration is pushed from Control Plane via Control Hub
- WireGuard credentials are distributed through Control Hub
- Node status monitoring requires Control Hub connection
Architecture: Nodes are designed as managed endpoints, not standalone routers.
Setup & Configuration
What are the default login credentials?
See Default Values & Credentials for complete list.
Change Default Passwords
Always change default passwords in production environments!
Can I deploy Waveshift without the hardware?
Yes! Two deployment options:
1. With Waveshift Nodes:
- HQ style setups
- Users get issued nodes to connect/network different devices
2. Cloud-Only:
- Clients use QR codes / config files provided by Waveshift to configure their devices
- Kasm Workspaces use only the cloud infrastructure
- No Waveshift hardware required
See Quick Start Guide for cloud-only deployment.
Privacy & Security
Does Waveshift log my traffic?
Privacy by Default
Waveshift is designed with privacy as a core principle. It is a self-hosted VPN service provider. Any logs that are available belong to you. Currently there is no logging of your traffic. In the future, we may add logging capabilities, but these logs will belong to the client running Waveshift and Blackfire Technology will have no access to them.
What Waveshift Control Plane logs:
- ✅ Does NOT log your browsing activity
- ✅ Does NOT log websites you visit
- ✅ Does NOT log DNS queries
- ✅ Logs only: System events, infrastructure builds, and errors
What AWS logs:
- ✅ Does NOT log your traffic (unless you explicitly enable VPC Flow Logs)
- ✅ Logs only: Infrastructure metrics and API calls (via CloudTrail)
What Cloudflare logs (if WARP is enabled):
- ✅ Claims no user-identifiable logging
- ✅ Publishes regular third-party audits of their 1.1.1.1 service
- ✅ May see aggregated traffic patterns but cannot correlate them to individual users
Your privacy: With Waveshift, you control the infrastructure. Unlike commercial VPNs, you can verify there's no logging by inspecting your own servers.
Can my ISP see what I'm doing?
Your ISP sees:
- Encrypted WireGuard traffic
- Amount of data transferred
- Connection timing
- Destination: AWS ingress PoP IP address
Your ISP CANNOT see:
- Websites you visit
- Content of your traffic
- Your DNS queries
- Your actual destinations
What happens if the VPN disconnects?
Automatic Killswitch Protection
Waveshift includes built-in VPN killswitch functionality to protect against accidental exposure if your VPN connection drops.
How the killswitch works:
- Immediate blocking - Traffic is blocked the instant VPN disconnects
- No leaks - All data is prevented from using your regular internet connection
- Firewall enforcement - Node firewall rules strictly prevent non-VPN traffic
- Visual indicators - Node LEDs show VPN connection status
- Auto-reconnect - Connection automatically retries without manual intervention
Your protection: If the VPN fails for any reason, your device is protected from accidentally exposing your real IP address or unencrypted traffic.
When you'll see this: The killswitch activates automatically during network interruptions, VPN server maintenance, or any connectivity issues.
How secure are the WireGuard keys?
Cryptographically secure:
- High-quality entropy from Drand + local sources
- Curve25519 elliptic curve cryptography
- Perfect forward secrecy - past sessions remain secure
- Short-lived sessions reduce exposure
- Unique keys per PoP - no key reuse
See Cloudflare Integration - Entropy for technical details.
Troubleshooting
Devices aren't showing up in the UI?
Node Registration Troubleshooting
If nodes aren't appearing in the Waveshift console, work through these troubleshooting steps in order.
1. Verify physical connections:
- Node WAN port connected to Bearer Router (for internet)
- Node LAN2 port connected to Control Hub (for management)
- All Ethernet cables firmly seated
2. Confirm power status:
- All nodes powered on with LEDs lit
- Using correct power adapters (minimum 3A for nodes)
- Power outlets functional
3. Allow registration time:
- Nodes take 1-2 minutes to register after power-on
- Refresh the Nodes page in your browser
- Check if nodes appear as "Unassigned"
4. Test Control Hub access:
- Verify http://console.waveshift.internal loads from your device connected to the Control Hub
- Confirm Control Hub has active internet connection
Still not working? See the complete Hardware Setup Troubleshooting guide for advanced diagnostics.
PoP build is failing?
PoP Build Prerequisites
If your PoP build is failing, these are the most common causes. Check each before retrying.
Common failure causes:
- AWS credentials expired - For wavectl users, re-authenticate with AWS
- Regional capacity limits - Try deploying to a different AWS region
- Network connectivity issues - Ensure Control Plane has stable internet
- AWS service quotas exceeded - Check your account limits for EC2 instances
When you'll see this: During PoP creation, especially in high-demand regions or with new AWS accounts.
Next steps: See detailed solutions in Troubleshooting - Common Issues.
Can't access the Control Hub console?
Control Hub Console Access
If you can't access the Control Hub console at http://console.waveshift.internal, work through these troubleshooting steps.
1. Verify tablet/computer connection:
- USB-Ethernet adapter properly connected to tablet
- Ethernet cable from adapter to Control Hub LAN port (any LAN port)
2. Try different LAN port:
- Control Hub has multiple LAN ports - try each one
- Avoid the WAN port (used for internet, not management)
3. Power cycle the Control Hub:
- Unplug power adapter, wait 10 seconds
- Reconnect power and wait 60 seconds for full boot
- LEDs should illuminate during boot sequence
4. Verify power supply:
- LED indicators are lit (not dim or flickering)
- Using the provided power adapter (not a substitute)
- Power adapter firmly connected
Still stuck? The complete Hardware Setup guide has advanced diagnostics and solutions.
Kasm Workspaces
What is Kasm and why use it with Waveshift?
Kasm Workspaces Integration
Kasm Workspaces provides secure, containerized browser environments that run in isolated containers rather than on your local device.
Key benefits:
- Isolated browsing - Browser runs in a container; no traces left on your device
- Disposable sessions - Destroy the workspace when done; all data is removed, unless preserved using persistent profiles.
- Fingerprinting resistance - Consistent browser fingerprint across sessions
- Waveshift PoP routing - Route through any of your PoPs worldwide
- Multiple browsers - Chrome, Firefox, Tor Browser, and more
How it works: When you launch a Kasm workspace, it creates a fresh containerized browser instance. All browsing happens in that container, which routes through your selected Waveshift PoP. When you close the workspace, the container is destroyed completely.
When to use Kasm: Perfect for sensitive browsing where you want zero traces on your local machine, or when you need consistent browser fingerprinting.
Waveshift Integration:
- Automatically configured when building PoP
- One-click access to workspaces
- Egress through your selected PoP location
How do I access Kasm Workspaces?
From the Waveshift Console as a non-admin user:
- Click Workspaces in left navigation
- Browser opens new tab automatically
- Select workspace (Browser, Desktop, etc.)
- Set Egress Provider to Waveshift
- Select your PoP from dropdown
- Launch workspace
All your browsing routes through the selected PoP.
Billing & Costs
How much does Waveshift cost to run?
AWS Costs:
- EC2 instances (per hour) - varies by instance type and deployment location
- Data transfer (per GB)
- Other AWS services (minimal)
Typical monthly cost: Approximately $200-400 depending on usage and instance types.
Cloudflare WARP: Free (built into Cloudflare's 1.1.1.1 service)
How can I reduce AWS costs?
Minimizing AWS Costs
Waveshift uses on-demand AWS resources, so you have complete control over costs. Follow these strategies to minimize spending.
Cost-saving best practices:
- Destroy unused PoPs - Don't leave PoPs running when not in use; AWS charges by the hour
- Limit active PoPs - Only create PoPs you're actively using; you can quickly recreate them later
- Choose cost-effective regions - US regions tend to be cheaper than EU or Asia-Pacific
- Monitor with Cost Explorer - AWS Cost Explorer shows your spending patterns
When you'll save most: Destroying PoPs when not actively using them is the single biggest cost saver. A PoP running 24/7 costs much more than one you spin up for a few hours when needed.
Understanding AWS On-Demand Pricing
Waveshift uses AWS on-demand resources, which means you pay only for what you use, when you use it.
How it works:
- EC2 instances are billed per hour while running
- Data transfer is billed per gigabyte transferred
- No charges when instances are stopped or terminated
- No long-term contracts or commitments
Cost control: You have complete control over costs. Destroy PoPs when not needed, and you stop incurring charges immediately. Need a PoP again? Create it on-demand in minutes.
Example: A single PoP running 24/7 for a month might cost $3-5. The same PoP used 8 hours/day would cost $0.50-2/month.
Support
Where do I get help?
Support Channels:
📧 Email: support@blackfire.tech
📚 Documentation: https://docs.waveshift.io
🐛 Bug Reports: support@blackfire.tech
How do I report bugs?
Reporting Issues Effectively
Help us help you by including these details when reporting bugs or issues.
Essential information to include:
- Clear description - What's the problem in plain language?
- Reproduction steps - Exact steps that led to the issue
- Expected vs actual - What should have happened vs what did happen
- System details - Hardware models, firmware versions, wavectl version
- Log files - Any error logs or console output
- Screenshots - Visual evidence helps immensely
Where to send: Email all details to support@blackfire.tech
Response time: Blackfire Technology typically responds to support requests within 24-48 business hours.
Can I request features?
Yes! Feature requests are welcome.
Submit via email: support@blackfire.tech
Include:
- Detailed description of desired feature
- Use case / why it's needed
- Any relevant examples or references
See Also
- How Waveshift Works - System architecture
- Getting Started - Installation guide
- Hardware Setup - Physical deployment
- Troubleshooting - Common issues
- Glossary - Terms and definitions