Kodachi 9 Architecture — animated command center

READ THE MAP

Click a layer to spotlight the moving paths.

scroll the diagram horizontally →

WireGuard tunnel
client-a (normal) ↔ vps1, kernel-level, mint-cyan

V2Ray tunnel
client-b (VIP) ↔ vps2, VMess obfuscated

Shadowsocks tunnel
client-c (custom) ↔ vps3, censorship-resistant

Multi-Tor + HAProxy
client-d ↔ vps4 Tor relay, 3-hop anonymous

Auth + card ship
64-char challenge up, signed card down, hardware-bound

Card intake
card-generator.sh on every worker, cron */5m, JSON cards pushed to master

Card vault
master keeps 3 pools: normal 200, VIP 50, custom 20; matches by tier on auth

Workers run the full stack
every VPS hosts all protocol daemons (openvpn, wireguard, shadowsocks, v2ray, xray, hysteria2, dante, mita, tor, dns). Per-worker chips show a sample only. The fleet is elastic and hosted on DMCA-resistant providers.

You're not locked to the Kodachi fleet
the same dashboard's External VPN Providers tab catalogs 13 third-party providers (VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, Mullvad, AirVPN, Windscribe, ProtonVPN, ExpressVPN, TorGuard) plus a custom pseudo-provider that auto-detects pasted .ovpn / WireGuard / Shadowsocks / V2Ray / Hysteria2 configs and vmess:///vless:///ss:// URI schemes plus Clash YAML / sing-box JSON subscriptions. The Kodachi fleet is the turnkey path, not the only path.

DNS layer
1000+ resolvers in 15 categories; DNSCrypt, DoH/DoT, Pi-hole filtering, and DNS-over-Tor all ship in every card and are driven on the client by dns-switch.

On-device defenses
3-tier PANIC, Kill Switch, Dashboard NUKE, Threat Watchdog, Security Score, MAC randomize, RAM/Browser/Logs wipe, 92+ workflows, KAICS AI. Runs on every kodachi laptop, independent of the worker fleet.

Boot

The ISO comes up. integrity-check verifies the signed Rust components before anything else runs.

Authenticate

The client requests a 64-char challenge from the master node, solves it locally, returns the solution, gets a hardware-bound session token.

Card assigned

Master matches your tier (normal, VIP, custom) to a fresh card from the pool. The card contains every protocol config you need.

Tunnel up

routing-switch brings the selected protocol online. dns-leak verifies the resolver is inside the tunnel.

Guarded

Heartbeat every 2 minutes, security score recomputed live, health-control watchdog ready to fire panic at any tier.

1 + N

Master + elastic worker fleet

Privilege tiers

270

Card pool ceiling

*/5m

Rotation cron

Protocols per card

HW-bound

Session model

NORMAL

200

Shared resources. Every protocol included. Cards regenerated on cron when the pool dips below the threshold.

VIP

Prioritized exits, lower contention, faster card rotation. Same protocol surface, smaller pool.

CUSTOM

Bespoke configs per holder. Dedicated worker mapping. The card pool is hand-shaped, not auto-generated.

Kodachi is an infrastructure.