Skip to content

Kodachi Desktop Debian XFCE

Kodachi Desktop XFCE Edition

A full-featured desktop OS based on Debian 13 (Trixie) with the XFCE desktop environment, purpose-built for daily privacy-focused computing. Ships with all 22 Kodachi binaries pre-installed, the Kodachi Dashboard (Tauri 2 + Svelte 5), a Lua-powered Conky system monitor, and a complete GUI application suite spanning browsers, office, multimedia, security tools, and development environments. Supports KAICS plus ai-gateway as optional add-ons, and kodachi-claw for anonymous autonomous AI agent operations with embedded Tor circuits. 18 months of development. Built for privacy-conscious desktop users.

XFCE Desktop Privacy-First AI-Powered Tor-Ready Dark Theme Kodachi Claw

Download & Installation First Release: 22 February 2026 9.0.1 | Desktop last updated 20 February 2026 - build #1

Download ISO

Direct Download

Latest

Download the latest Kodachi Desktop XFCE ISO directly. Full desktop experience with privacy tools pre-configured.

9.0.1-amd64 ~5GB
Download ISO

Browse All Files

Access the complete archive of Kodachi releases, checksums, and documentation on SourceForge.

Open SourceForge
ISO Integrity Verification

Verify the downloaded ISO file integrity using the SHA256 checksum below to ensure secure installation:

SHA256 Checksum: 8a51470b5a0c8cbca1bf1779c3e65b44a2c89d2477472b2b7544b23a13fb81ee

Verification Command:
sha256sum linux-kodachi-desktop-9.0.1-amd64.iso

GPG Signature Verification Available

SourceForge also provides GPG signature files for cryptographic verification. Download the signature files from the same location:

  • linux-kodachi-desktop-9.0.1-amd64.iso.sig - GPG signature file
  • linux-kodachi-desktop-9.0.1-amd64.iso.sig.info - Signature information

Kodachi is built and maintained by one person since 2013. If this ISO is useful to you or your organisation, please consider supporting the project before you leave.

Installation Methods

  1. Bare Metal - Install directly on hardware for maximum performance and daily use
  2. Virtual Machine - Run in VMware/VirtualBox/QEMU for testing or isolated environments
  3. Live USB - Boot from USB drive without installation (portable, leaves no traces)
  4. Persistent Storage - Enable persistence for configuration retention across reboots

Create Bootable USB

Tool Platform Multiboot Best For
Ventoy Linux Windows Yes Drag-and-drop multiple ISOs onto one USB. Install once, reuse forever.
Rufus Windows No Industry-standard. Select ISO, select USB, write in DD or ISO mode.
Etcher Linux Windows macOS No Simplest UI. Three-step flash: select, target, burn.
YUMI Windows Yes Add multiple OSes to one USB, one at a time. Boot menu included.
UUI Windows No Single-OS USB creator from the YUMI team. Lightweight and reliable.
Linux (dd) Recommended 
# Find USB device
lsblk

# Write ISO (replace /dev/sdX)
sudo dd if=linux-kodachi-desktop-9.0.1-amd64.iso \
  of=/dev/sdX bs=4M status=progress oflag=sync
macOS (dd) 
# Find disk identifier
diskutil list

# Unmount and write ISO
diskutil unmountDisk /dev/diskN
sudo dd if=linux-kodachi-desktop-9.0.1-amd64.iso \
  of=/dev/rdiskN bs=4m
Double-check your target device. The dd command will overwrite the entire drive without confirmation. Use lsblk or diskutil list to verify the correct device before writing.

Why Kodachi Desktop

Kodachi Desktop is not a respin. It is a purpose-built operating system where every package, every configuration file, and every default setting was chosen with a single objective: uncompromising privacy for daily desktop computing.

Built over 18 months on Debian 13 (Trixie), Kodachi Desktop combines the terminal security stack with a complete XFCE desktop environment. The system includes 447 curated packages: 257 terminal-level security and networking packages plus 190 desktop GUI applications, each serving a specific privacy role.

The desktop ships with a dark theme (LK_Material-Black-Lime) optimized for operational security. Under the hood, 22 Rust binaries form a unified security control plane managed through the Kodachi Dashboard (Tauri 2 + Svelte 5).

Privacy by Design

Every network connection leaving Kodachi Desktop is privacy-protected by default. The system enforces privacy from the moment the kernel loads.

The routing-switch binary supports 12+ protocols: WireGuard, OpenVPN, Shadowsocks, V2Ray, Xray (VLESS/Reality), Hysteria2, Mieru (MITA), Dante, and Microsocks. Any protocol can be layered with system-wide Tor routing via tor-switch torrify-system-nftables-dns, encrypting every packet including DNS queries.

DNSCrypt auto-configures on first boot via dns-switch. MAC address randomization activates on every boot via health-control. The built-in kill switch blocks all traffic if your VPN drops, preventing IP leaks.

System Hardening

Kodachi Desktop applies defense-in-depth from the kernel upward. Mandatory access controls, file integrity monitoring, audit logging, device whitelisting, and application sandboxing create a layered security posture.

AppArmor confines critical applications to minimum required permissions. AIDE maintains cryptographic hashes of system files and detects unauthorized modifications. auditd records system calls, file accesses, and privilege escalations into tamper-resistant logs.

Firejail sandboxes applications with separate filesystem namespaces and network stacks. OpenSnitch operates as an application-level firewall, requiring explicit approval for every outbound connection. The boot system supports UEFI Secure Boot with signed GRUB and shim packages.

Binary Security Suite

Kodachi Desktop ships 22 high-performance Rust binaries that form a unified security control plane. Each binary uses strict error handling with no .unwrap() calls in production code.

The core services include health-control (209 commands for system monitoring, emergency panic modes, security scoring), tor-switch (107 commands for Tor lifecycle management), dns-switch (34+ commands for DNS management), routing-switch (22 commands for VPN management), integrity-check (binary signature verification), and permission-guard (file permission monitoring). All binaries communicate through logs-hook, which writes structured JSON for forensic analysis. The kodachi-dashboard (Tauri 2 + Svelte 5) exposes the entire suite through a unified GUI.

Kodachi Dashboard

Three Modes. One Mission. Total Control.

Built with Tauri 2 + Svelte 5, the Kodachi Dashboard orchestrates 400+ commands across 15 Rust services with zero GUI freezing. Choose your interface: gamified security ring, compact command center, or professional multi-panel workstation.

CIRCLE MODE

Gamified Security Ring

720×720px ~230MB RAM Beginner-Friendly

Interactive circular interface with 7 clickable security arcs surrounding a central hub showing real-time IP, country flag, and security score (0-100 with color-coded risk levels).

7 Security Arcs: Authenticate, MAC Randomize, Hostname Spoof, Random Timezone, DNSCrypt, WireGuard VPN, Torrify System

Victory Animations: Celebrate security milestones at 25%, 50%, 75%, and 100% completion

Dual Auto-Refresh: 30s for IP/status checks, 60s for deep metrics with pause/resume controls

4 Emergency Controls: Routing Recover, Internet Recover, Restart Tor, Secure Shutdown

7 Security Arcs
100 Max Score
4 Milestones
LITE MODE

Compact Command Center

1128×774px ~230MB RAM Intermediate

Collapsible sidebar with 7 tabs providing quick access to essential security operations, AI chat, command library, and direct terminal access with live output display.

7 Sidebar Tabs: Actions, AI Chat, Library, Terminal, Settings, About, Help

12 Primary Actions: Login/Logout, WireGuard, Torrify, DNSCrypt, Random DNS, Harden, MAC/Hostname/Timezone randomization, Recovery controls

Grid/List Toggle: Two visualization modes for command output with syntax highlighting and error detection

Live Metrics Footer: Real-time CPU usage, memory consumption, and network throughput monitoring

7 Tabs
12 Actions
2 View Modes
FULL MODE

Professional Workstation

1800×1000px ~380MB RAM Advanced Users

Multi-panel command center with 23 tabs across 4 major sections. Supports drag-and-drop command queuing, resizable panels, and parallel/sequential execution modes for power users.

4 Major Sections: Essentials (9 subtabs), Advanced (11 service tabs), System Monitor (7 subtabs), AI Integration

Drag & Drop Queue: Build complex operation sequences with reordering, parallel/sequential execution, and danger level badges

4 Panel Presets: Balanced split, logs-focused (70% logs), output-expanded, minimal sidebar with custom layout saving

15 Rust Services: Complete access to health-control, tor-switch (60+ commands), routing-switch, dns-switch, online-auth, workflow-manager, and more

23 Tabs
400+ Commands
15 Services
4 Presets

Core Infrastructure Across All Modes

All three modes share the same powerful backend: 400+ commands orchestrated across 15 Rust services with async execution to prevent GUI freezing. Security score aggregates 6 categories (Privacy, System, Network, Device, Advanced Privacy, Data Protection) with color-coded risk levels: Green (80+), Yellow (60-79), Red (<60).

Async Execution Danger Level Badges 4 Output Formats Auto-Refresh IP + Flag + Auth Status Mode Switcher

Mode Comparison Matrix

Mode Window Size RAM Usage Interface Skill Level Primary Use
Circle 720×720px ~230MB Gamified Ring Beginner Quick security setup
Lite 1128×774px ~230MB 7-Tab Sidebar Intermediate Daily operations
Full 1800×1000px ~380MB 23-Tab Workstation Advanced Power user workflows

Browser Privacy Configuration

Kodachi treats browsers as high-risk attack surfaces and applies aggressive privacy hardening. Both LibreWolf and Tor Browser run inside Firejail sandboxes with telemetry elimination, fingerprinting defense, and tracking protection at the configuration level.

LibreWolf

Primary clearnet browser with 16 pre-installed privacy extensions

Core Extensions

uBlock Origin (8 filter lists), ClearURLs (tracking parameter removal), Decentraleyes (local CDN resources), Cookie AutoDelete (tab-close cleanup)

Multi-Account Containers

4 isolated contexts with strict cookie separation: Personal, Work, Banking, Shopping

Fingerprinting Defense

Font Fingerprint Defender (blocks enumeration), WebRTC disabled (prevents IP leaks), Canvas protection, User-Agent randomization

DNS-over-HTTPS (DoH)

TRR mode 3 (fail-closed) forces all DNS through encrypted channels with zero plaintext fallback. Excludes localhost/kodachi.local for VPN/Tor compatibility

Search Engine Hardening

Removed 6 tracking engines (Google, Bing, Yahoo, Amazon, eBay, Wikipedia). Default: DuckDuckGo with privacy parameters (!safeoff, !ads-off)

Privacy Testing Bookmarks

20+ testing links: IP detection (whatismyip, ipleak.net), DNS leaks (dnsleaktest.com), WebRTC leaks, fingerprinting (amiunique.org, EFF Panopticlick)

16 Extensions
8 Filter Lists
4 Containers
20+ Test Links

Tor Browser

Dedicated .onion access with three security levels

Three Security Modes

Standard: Full features. Safer: Disables JavaScript on non-HTTPS. Safest: Disables JS/fonts/media on all sites

Circuit Display

Transparent routing path visualization showing entry guard, middle relay, and exit node with country flags

Firejail Sandboxing

Restricted filesystem access (read-only /usr, /lib, /bin; write-only ~/.tor-browser), seccomp filtering, disabled network namespaces to preserve Tor routing

.onion Service Access

Native support for onion addresses with automatic circuit creation for hidden services. No clearnet DNS lookups for .onion domains

Profile Separation

Dedicated browser profile prevents cross-contamination with LibreWolf. Separate cookie jars, cache, and browsing history

Circuit Refresh

New Identity button wipes all cookies/cache and creates fresh Tor circuits. Prevents long-term tracking correlation

3 Security Modes
100% Onion Native
3 Tor Hops
0 Telemetry

Dual-Browser Architecture with Firejail Isolation

Both browsers run in Firejail sandboxes with restricted filesystem access, seccomp filtering to block dangerous syscalls, and disabled network namespaces to preserve VPN/Tor routing. This dual-browser approach separates clearnet browsing (LibreWolf) from onion services (Tor Browser), preventing cross-contamination of browsing profiles and reducing fingerprinting surface area.

Read-Only System Directories Write-Only Browser Profiles Seccomp Syscall Filtering Network Namespace Disabled Separate Cookie Jars Zero Profile Cross-Contamination

AI-Powered Intelligence

Kodachi Desktop integrates an AI operations suite running entirely through anonymous channels. AI queries, model interactions, and automated tasks cannot be traced to your identity or location.

kodachi-claw is an autonomous AI agent runtime operating through embedded Tor circuits. Every API request routes through dedicated Tor circuits, making correlation impossible for AI providers. KAICS (Kodachi AI Command System) provides 8 specialized sub-binaries including ai-cmd for natural language OS control, ai-trainer for local model fine-tuning, and ai-gateway for routing AI requests through anonymous channels. All AI operations route through Tor for complete anonymity.

Security Models & Layered Anonymity

Kodachi Desktop includes 92 pre-built security workflows plus unlimited custom workflows via workflow-manager. Below are 18 example workflows by anonymity level covering WireGuard, OpenVPN, Shadowsocks, Hysteria2, V2Ray, Xray, and Mita. Workflows 1-3 (Triple VPN + Tor) provide maximum anonymity. Workflows 4-8 (Double VPN + Tor) offer ultra anonymity. Workflows 9-11 (Single VPN + Double Tor) provide very high anonymity. All profiles are in /home/kodachi/dashboard/hooks/config/profiles/.

Workflow Comparison Matrix

01

Router VPN → Host Mullvad → VM Kodachi WireGuard → Torrified

Chain: ISP → Router VPN → Host Mullvad VPN → Kodachi WireGuard (VM NAT) → Torrified System → Tor DNS

Anonymity: Ultra++ (6/6 - Triple VPN) Speed: Slowest

Ideal for: Ultimate anonymity, extreme threat models, maximum deniability, state-level adversaries.

sudo routing-switch connect wireguard sudo tor-switch torrify-system-nftables-dns
02

Router VPN → Host ProtonVPN → VM Kodachi OpenVPN → Torrified

Chain: ISP → Router VPN → Host ProtonVPN → Kodachi OpenVPN (VM NAT) → Torrified System → Tor DNS

Anonymity: Ultra++ (6/6 - Triple VPN) Speed: Slowest

Ideal for: Whistleblowing, state-level adversaries, journalist protection, maximum operational security.

sudo routing-switch connect openvpn sudo tor-switch torrify-system-nftables-dns
03

Router VPN → Host NordVPN → VM Kodachi Shadowsocks → Torrified

Chain: ISP → Router VPN → Host NordVPN → Kodachi Shadowsocks (VM NAT) → Torrified System → Tor DNS

Anonymity: Ultra++ (6/6 - Triple VPN) Speed: Very Slow

Ideal for: Maximum obfuscation, defeating DPI in hostile networks, evading advanced surveillance.

sudo routing-switch connect shadowsocks sudo tor-switch torrify-system-nftables-dns
04

Host Mullvad → VM Kodachi OpenVPN → Torrified + Tor DNS

Chain: ISP → Normal Router → Host Mullvad → Kodachi OpenVPN (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Slow

Ideal for: Different VPN providers, avoiding single-point surveillance, investigative journalism.

sudo routing-switch connect openvpn sudo tor-switch torrify-system-nftables-dns
05

Host ProtonVPN → VM Kodachi Shadowsocks → Torrified + Tor DNS

Chain: ISP → Normal Router → Host ProtonVPN → Kodachi Shadowsocks (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Slow

Ideal for: Censorship bypass with double VPN + Tor, evading DPI, hostile network environments.

sudo routing-switch connect shadowsocks sudo tor-switch torrify-system-nftables-dns
06

Host NordVPN → VM Kodachi V2Ray → Torrified + Tor DNS

Chain: ISP → Normal Router → Host NordVPN → Kodachi V2Ray (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Moderate

Ideal for: Traffic obfuscation, triple anonymity layer, defeating advanced network analysis.

sudo routing-switch connect v2ray sudo tor-switch torrify-system-nftables-dns
07

Host ExpressVPN → VM Kodachi Hysteria2 → Torrified + Tor DNS

Chain: ISP → Normal Router → Host ExpressVPN → Kodachi Hysteria2 (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Moderate

Ideal for: High-performance with maximum anonymity, restrictive network circumvention.

sudo routing-switch connect hysteria2 sudo tor-switch torrify-system-nftables-dns
08

Anonymous VPN → Tor → Torrified System + Tor DNS

Chain: ISP → Kodachi VPN (anonymous node) → Tor → Torrified System → Tor DNS

Anonymity: Ultra (5/5) Speed: Slow

Ideal for: Investigative journalism, activist operations, secure communications.

sudo routing-switch connect openvpn sudo tor-switch torrify-system-nftables-dns
09

Forced Xray → Torrified System + Tor DNS

Chain: ISP → Kodachi Xray (forced traffic) → Torrified System → Tor DNS

Anonymity: Very High (4.5/5) Speed: Very Slow

Ideal for: Extreme anonymity requirements, .onion operations, dark web access.

sudo routing-switch connect xray sudo tor-switch torrify-system-nftables-dns
10

WireGuard → Torrified System + Tor DNS

Chain: ISP → Kodachi WireGuard → Torrified System → Tor DNS

Anonymity: Very High (4.5/5) Speed: Slow

Ideal for: Dark web research, sensitive communications, enhanced privacy.

sudo routing-switch connect wireguard sudo tor-switch torrify-system-nftables-dns
11

Router VPN → VM WireGuard → Tor (Single Tor)

Chain: ISP → Router VPN → Kodachi WireGuard (VM via NAT) → Torified System → Tor DNS

Anonymity: Very High (4.5/5) Speed: Slow

Ideal for: Maximum deniability with physical isolation, secure operations.

sudo routing-switch connect wireguard sudo tor-switch torrify-system-nftables-dns
12

Host Mullvad → VM Kodachi Shadowsocks → DNScrypt

Chain: ISP → Normal Router → Host Mullvad → Kodachi Shadowsocks (VM NAT) → DNScrypt

Anonymity: High (4/5) Speed: Good

Ideal for: Censorship bypass with double VPN layer, evading DPI.

sudo routing-switch connect shadowsocks sudo dns-switch switch --names dnscrypt-cloudflare health-control net-check
13

Host ProtonVPN → VM Kodachi Hysteria2 → DNScrypt

Chain: ISP → Normal Router → Host ProtonVPN → Kodachi Hysteria2 (VM NAT) → DNScrypt

Anonymity: High (4/5) Speed: Very Good

Ideal for: High-performance double VPN for restrictive networks, streaming with privacy.

sudo routing-switch connect hysteria2 sudo dns-switch switch --names dnscrypt-quad9 ip-fetch
14

Host ExpressVPN → VM Kodachi Xray-VLESS-Reality → DNScrypt

Chain: ISP → Normal Router → Host ExpressVPN → Kodachi Xray-VLESS-Reality (VM NAT) → DNScrypt

Anonymity: High (4/5) Speed: Good

Ideal for: Advanced anti-detection with Xray Reality, defeating sophisticated censorship.

sudo routing-switch connect xray sudo dns-switch switch --names dnscrypt-quad9 health-control security-score
15

Forced Hysteria2 → Torrified System + Tor DNS

Chain: ISP → Kodachi Hysteria2 (forced traffic) → Torrified System → Tor DNS

Anonymity: Moderate-High (3.5/5) Speed: Moderate

Ideal for: Hostile network environments, censorship bypass with good performance.

sudo routing-switch connect hysteria2 sudo tor-switch torrify-system-nftables-dns
16

V2Ray → Torrified System + Tor DNS

Chain: ISP → Kodachi V2Ray → Torrified System → Tor DNS

Anonymity: Moderate-High (3.5/5) Speed: Moderate

Ideal for: General privacy and anonymous browsing, traffic obfuscation.

sudo routing-switch connect v2ray sudo tor-switch torrify-system-nftables-dns
17

Anonymous Shadowsocks → Tor + Tor DNS

Chain: ISP → Kodachi Shadowsocks (anonymous node) → Tor → Tor DNS

Anonymity: Moderate-High (3.5/5) Speed: Moderate

Ideal for: Daily privacy operations, secure communications, DPI evasion.

sudo routing-switch connect shadowsocks sudo tor-switch start-tor-dns-nftables
18

Forced OpenVPN → DNScrypt (Fast Performance)

Chain: ISP → Kodachi OpenVPN (forced traffic) → DNScrypt

Anonymity: Moderate (3/5) Speed: Fast

Ideal for: Online banking, shopping, business email, general secure browsing.

sudo routing-switch connect openvpn sudo dns-switch switch --names dnscrypt-quad9 health-control net-check

Protocol-Specific Initial Setup Workflows

Kodachi Desktop includes ready-to-use initial setup profiles for multiple routing protocols:

VPN Protocols:

  • initial_terminal_setup_openvpn_only - OpenVPN connection setup
  • initial_terminal_setup_wireguard_only - WireGuard connection setup

Anti-Censorship Protocols:

  • initial_terminal_setup_shadowsocks_only - Shadowsocks proxy setup
  • initial_terminal_setup_v2ray_only - V2Ray traffic obfuscation
  • initial_terminal_setup_xray_vless_only - Xray VLESS protocol
  • initial_terminal_setup_xray_trojan_only - Xray Trojan protocol
  • initial_terminal_setup_xray_vless_reality_only - Xray VLESS Reality
  • initial_terminal_setup_hysteria2_only - Hysteria2 high-performance

Proxy Servers:

  • initial_terminal_setup_dante_only - Dante SOCKS5 server
  • initial_terminal_setup_mita_only - Microsocks lightweight SOCKS5

Tor Combinations:

  • initial_terminal_setup_tor_only - Tor-only setup
  • initial_terminal_setup_wireguard_torrify - WireGuard + Tor torrification
  • initial_terminal_setup_auth_torrify_only - Authentication + Tor torrification

Execute with: sudo workflow-manager run <profile-name>

Workflow Selection Guide - Organized by Anonymity Tiers

TIER 1: Maximum Anonymity - Triple VPN + Tor (Workflows 01-03) - Anonymity Level: Ultra++ (6/6) - Triple VPN protection with Tor torrification - Best for: Ultimate anonymity, extreme threat models, state-level adversaries, whistleblowing, maximum deniability - Configuration: Router VPN → Host VPN (Mullvad/ProtonVPN/NordVPN) → Kodachi VPN (WireGuard/OpenVPN/Shadowsocks) → Torrified System → Tor DNS - Speed: Slowest to Very Slow

TIER 2: Ultra Anonymity - Double VPN + Tor (Workflows 04-08) - Anonymity Level: Ultra (5/5) - Double VPN with Tor torrification - Best for: Different VPN providers, avoiding single-point surveillance, investigative journalism, activist operations, censorship bypass with maximum protection - Configuration: Normal Router → Host VPN (Mullvad/ProtonVPN/NordVPN/ExpressVPN) → Kodachi VPN (OpenVPN/Shadowsocks/V2Ray/Hysteria2) → Torrified System → Tor DNS - Speed: Slow to Moderate

TIER 3: Very High Anonymity - Single VPN + Double Tor (Workflows 09-11) - Anonymity Level: Very High (4.5/5) - Double Tor circuits or Router + Guest VPN + Tor - Best for: Extreme anonymity requirements, .onion operations, dark web research, sensitive communications, maximum deniability - Configuration: Kodachi VPN (Xray/WireGuard) → Torrified → Double Tor Circuits OR Router VPN → Kodachi VPN → Torrified System - Speed: Very Slow to Slow

TIER 4: High Anonymity - Double VPN without Tor (Workflows 12-14) - Anonymity Level: High (4/5) - Double VPN layer - Best for: Censorship bypass, DPI evasion, advanced anti-detection, high-performance with strong privacy - Configuration: Normal Router → Host VPN (Mullvad/ProtonVPN/ExpressVPN) → Kodachi VPN (Shadowsocks/Hysteria2/Xray-VLESS-Reality) → DNScrypt - Speed: Good to Very Good

TIER 5: Moderate-High Anonymity - Single VPN + Tor (Workflows 15-17) - Anonymity Level: Moderate-High (3.5/5) - Single VPN with Tor - Best for: Hostile network environments, general privacy, anonymous browsing, daily privacy operations, secure communications - Configuration: Kodachi VPN (Hysteria2/V2Ray/Shadowsocks) → Torrified System → Tor DNS - Speed: Moderate

TIER 6: Moderate Anonymity - Single VPN Only (Workflow 18) - Anonymity Level: Moderate (3/5) - Single VPN with encrypted DNS - Best for: Online banking, shopping, business email, general secure browsing, fast performance requirements - Configuration: Kodachi VPN (OpenVPN) → DNScrypt - Speed: Fast

Create Custom Workflows using workflow-manager for: Multi-protocol chains, adaptive failover, custom threat models, automated security responses, and specialized use cases.

NOT Recommended: Tor → VPN

Avoid Configuration: Your Computer → Tor → VPN → Internet

This configuration is widely discouraged; it blocks .onion access, lets the guard see your real IP, makes Tor usage detectable, degrades performance, and shifts trust to the VPN.

Why this is dangerous: Entry nodes see your real IP • ISP detects Tor usage • NO access to .onion sites • Severely degraded performance • VPN provider can see your activity

Evidence: For detailed analysis, read the Tor Project's official documentation on Tor+VPN configurations.

Source Information

Based on Privacy Guides 2025 recommendations, Tor Project official documentation, and Kodachi security research. These workflows represent comprehensive threat modeling from maximum anonymity to secure financial operations.

Technical Specifications Dashboard

Core System Specifications
Component Details
Base SystemDebian 13 (Trixie)
Architectureamd64 (x86_64)
Desktop EnvironmentXFCE 4
Display ManagerLightDM with GTK Greeter
ISO Size~5GB (full desktop with GUI applications)
Total Packages~447 packages (257 terminal + 190 desktop GUI)
Terminal Packages257 security-focused terminal packages (from terminal.list.chroot)
GUI Packages190 desktop GUI packages (from gui-xfce.list.chroot)
Kodachi Binaries22 pre-installed binaries in /home/kodachi/dashboard/hooks/
ThemeLK_Material-Black-Lime (dark)
IconsLK_Newaita-Reborn-Mint-Dark
CursorLK_Capitaine-Cursors
FontNoto Sans 9pt
BrowsersLibreWolf (primary) + Tor Browser
Kernel6.16+
Boot SupportBIOS + UEFI + Secure Boot
InstallerCalamares graphical installer
Login CredentialsUsername: kodachi / Password: r@@t00
Sudo AccessPasswordless sudo enabled

Pre-Installed Kodachi Binaries

All 22 Kodachi binaries are pre-installed at /home/kodachi/dashboard/hooks/, including the full AI suite. Launch the complete security toolkit instantly without additional setup.

Core Binaries

health-control tor-switch dns-switch dns-leak routing-switch ip-fetch online-auth integrity-check permission-guard logs-hook deps-checker oniux online-info-switch workflow-manager global-launcher kodachi-claw kodachi-dashboard tun2socks-linux-amd64

AI Suite (KAICS)

ai-cmd ai-trainer ai-learner ai-admin ai-discovery ai-scheduler ai-monitor ai-gateway

Desktop Applications

Kodachi Desktop ships a curated selection of GUI applications organized by dynamic layers. Always-on applications are loaded at every boot; optional layers can be activated on demand.

Always-On Applications (Layer 02 - XFCE Core)
Category Applications
DesktopXFCE 4, Thunar file manager, Double Commander
BrowsersLibreWolf (primary), Tor Browser, Onioncircuits
TerminalsKitty, Tilix, Terminator, XFCE4 Terminal
EditorsGeany + plugins, Mousepad
SecurityFiretools (Firejail GUI), SiriKali (encryption), Kleopatra (GPG)
NetworkNetworkManager GUI, OpenVPN/VPNC plugins, RiseUp VPN
SystemConky system monitor, GNOME Disks, Baobab, GParted, System Monitor
UtilitiesGalculator, Ristretto image viewer, Evince PDF, File Roller, Engrampa, GTKHash
DisplayLightDM, Plymouth boot splash, Redshift (blue light filter)
AudioPulseAudio, PavuControl mixer, ALSA
InstallerCalamares graphical installer, GDebi package installer
Optional Layer Applications
Layer Category Applications
03Network GUIRemmina, FileZilla, Transmission, uGet, Syncthing, OnionShare
04Multimediampv, OBS Studio, SimpleScreenRecorder, Inkscape, gThumb, guvcview
05OfficeLibreOffice, Atril PDF viewer, pdftk-java, gedit
06PrintingCUPS printing system, HP drivers, Brother/Epson/Gutenprint, Simple Scan, SANE scanner support
07AVM GuestVMware Tools (auto-detect when running inside VM)
07BVM Hostvirt-manager, QEMU/KVM, libvirt, SPICE agent
08Security GUIWireshark, Zenmap, EtherApe, KeePassXC, OTPClient, metadata-cleaner, gnome-nettool, Catfish, GRSync
09Developmentgit-gui, gitk, meld, dkms, build tools, crypto libs, Python3 pip, ShellCheck, strace, GNOME Terminal
11UtilitiesTimeshift, Synaptic, Qalculate, CopyQ, wavemon, Font Manager, MenuLibre

External Packages (installed via hooks)

Always-on: LibreWolf, VeraCrypt, Monero GUI, VS Code, GitKraken, Termius

Optional: Session Desktop (messaging), ExifCleaner (metadata), Tabby terminal, VLC, WaveTerm

Dynamic Layer System

Kodachi Desktop uses a modular layer system that lets you activate feature sets on demand, keeping the base system lean while providing access to the full application suite when needed.

Layer Activation Map
Layer Name Activation Approximate Size
02XFCE DesktopAlways loaded (core desktop)~400MB
03Network GUINormal boot or "Enable Browser" button~300MB
04Multimedia"Enable Multimedia" button~450MB
05Office"Enable Office Suite" button~800MB
06Printing"Enable Printing" button~200MB
07AVM GuestAuto-detect (VMware only)~20MB
07BVM Host"Enable Virtualization" button~400MB
08Security GUI"Enable Security Tools" button~280MB
09Development"Enable Development" button~350MB
11Utilities"Enable Extra Utilities" button~120MB

Boot Modes

Normal boot: Layers 02 + 03 auto-loaded (desktop + browsers/network)

Minimal boot: Layer 02 only. Desktop shows "Enable" buttons for each optional layer

VM detected: Layer 07A (VMware guest tools) auto-enabled when running inside a VM

Package Categories Breakdown

Desktop GUI Package Categories
Category Count Signature Packages
XFCE Desktop Core~85xfce4, xfce4-goodies, thunar, lightdm, kitty, tilix, terminator, conky-all, geany
Network GUI Apps6remmina, filezilla, transmission-gtk, syncthing, onionshare, uget
Multimedia8mpv, obs-studio, simplescreenrecorder, inkscape, gthumb, guvcview
Office Suite5libreoffice, atril, pdftk-java, gedit
Printing & Scanning19cups, hplip, printer-driver-gutenprint, simple-scan, sane-utils
VM Guest Tools2open-vm-tools, open-vm-tools-desktop
Virtualization Host9virt-manager, qemu-system-x86, libvirt-daemon-system
Security Tools GUI12wireshark, zenmap, keepassxc, otpclient, metadata-cleaner, catfish
Development Tools32git-gui, meld, dkms, linux-headers-amd64, python3-pip, shellcheck
Extra Utilities7timeshift, synaptic, qalculate-gtk, copyq, font-manager
Accessibility3speech-dispatcher, onboard, orca
Terminal Security (inherited)257All terminal.list.chroot packages (networking, VPN, security, firmware)
AI & IntelligenceOptionalKAICS tools and kodachi-claw (anonymous agent runtime)

Supported Routing Protocols

Kodachi Desktop ships with 12+ routing protocols via the routing-switch binary, covering everything from battle-tested VPNs to advanced censorship-resistant transports.

Routing Protocol Coverage
Category Protocols & Features
VPN ProtocolsOpenVPN (industry-standard, AES encryption), WireGuard (modern, ChaCha20 encryption) with kill switch and DNS leak protection
Anti-CensorshipShadowsocks (SOCKS5 + encryption), V2Ray (traffic obfuscation), Xray (enhanced V2Ray), Hysteria2 (high-performance for restrictive networks), Mieru (MITA - lightweight anti-censorship proxy)
Proxy ProtocolsSOCKS5 (standard proxy), Dante (SOCKS server), HTTP/HTTPS (proxy support), Microsocks (lightweight SOCKS5 server)
Tor IntegrationRedsocks (transparent Tor routing), SOCKS proxy configuration, TransPort routing, DNS over Tor, System-wide torrification (can run on top of any existing VPN service)
Multi-LayerVPN + Tor (double encryption), protocol chaining for enhanced anonymity, traffic obfuscation layers

Protocol Documentation

For detailed protocol configuration and usage, see the routing-switch documentation.

Torrification Capability

Kodachi Desktop supports system-wide torrification that can run on top of any existing VPN service. Layer Tor routing on top of WireGuard, OpenVPN, Hysteria2, Shadowsocks, V2Ray, or Xray connections for enhanced anonymity. Use sudo tor-switch torrify-system-nftables-dns to torrify your entire system regardless of your underlying VPN connection.

Security & Privacy Features

Kodachi Desktop inherits the full terminal security stack and adds GUI-specific protections for desktop environments.

System Hardening

Kernel

AppArmor mandatory access control, AIDE file integrity monitoring, auditd kernel auditing, usbguard device whitelisting, Firejail sandboxing with GUI (Firetools)

Network Anonymity

Network

Tor routing (system-wide torrification), VPN integration (12+ protocols), DNS encryption (DNSCrypt), MAC address randomization, kill switch protection

Application Firewall

GUI

OpenSnitch application-level firewall, UFW/GUFW graphical firewall management, nftables/iptables network filtering, per-application network rules

Data Protection

Files

Metadata cleaning (mat2, ExifCleaner, metadata-cleaner), secure deletion (secure-delete, BleachBit, nwipe), encrypted containers (SiriKali, VeraCrypt), LUKS disk encryption

Credential Management

Auth

KeePassXC password manager, OTPClient TOTP/HOTP authenticator, Kleopatra GPG key management, fail2ban SSH brute-force protection

Network Analysis

Tools

Wireshark packet capture, Zenmap network scanner, EtherApe traffic visualization, gnome-nettool diagnostics, DNS leak testing

Conky Desktop Monitor

Live Security Telemetry Rendered on Desktop

Lua-powered system monitor with 4 desktop panels, 22 monitoring scripts, 8 circular Cairo gauges, and 2 Lua rendering modules. Coordinated by systemd watchdog service for auto-restart on crash or freeze.

4 Panels
22 Scripts
8 Cairo Gauges
6 Config Files

Resources + Gauges

280px × Full Height
Upload Ring: Orange, tx rate
Download Ring: Pink, rx rate
CPU Ring: Cyan, core average
Memory Ring: Green, used/total
Disk Ring: Purple, root partition
Swap Ring: Yellow, swap usage
Ping Ring: Red dual-ring, latency to privacy DNS
Bandwidth Ring: White, combined throughput

Security Status

320px × Full Height
4×6 Binary Grid: AUTH/VPN/TOR/DNS visual status (lit = active)
External IP: Country code + flag via ip-fetch
Security Score: 0-100 aggregate from 6 categories
Tor Circuits: Active circuit count via tor-switch
DNSCrypt Status: Encryption state via dns-switch
Firewall Rules: nftables active count

21 Metrics: Auth, VPN, MAC randomization, hostname spoofing, timezone obfuscation, swap encryption, kernel hardening, AppArmor, USBGuard, systemd health, package integrity, file permissions, network interfaces, connections, privilege escalation

System + Traffic

280px × Full Height
CPU Frequency: Scaling governor state
Thermal Zones: CPU temp, GPU temp, disk temp
Fan Speeds: If supported by sensors
Load Average: 1min, 5min, 15min
Uptime: Precision to seconds
Logged Users: Active session count
Sparkline Graphs: Upload/download trends (60s windows)
Top Processes: Bandwidth consumers ranked by bytes sent/received
Connection States: ESTABLISHED, TIME_WAIT, CLOSE_WAIT counts

Logo + AI Detection

200px × 150px
Kodachi Logo: Top-right corner overlay
13 AI Agents Detected: Claude Code, Ollama, OpenAI GPT, GitHub Copilot, Codex, TabNine, Kite, Codeium, Amazon CodeWhisperer, Replit Ghostwriter, JetBrains AI, Cursor, Continue
Per-Agent Stats: CPU % and memory consumption

Advanced Monitoring Features

Prime Number Refresh: 41s, 43s, 47s, 53s, 59s, 113s intervals prevent API collision
VPS Node Status: Pings configured servers, shows latency + packet loss
Crypto Prices: BTC, ETH, XMR, AZERO, Gold, Silver via privacy APIs
Version Alerts: Blink animation for outdated binaries (red = critical updates)
Lock Files: Prevent duplicate script execution (300s stale timeout)
Privacy DNS Ping: Cloudflare 1.1.1.1, Quad9 9.9.9.9, Mullvad 194.242.2.2 (zero Google)
Systemd Watchdog: Auto-restart on unresponsive panels (15s timeout) or memory leaks (>500MB)
DPI Scaling: Auto-detects Xft.dpi, scales fonts/gauges for HiDPI displays

Hardware Support Matrix

Kodachi Desktop bundles 30+ firmware packages inherited from the terminal base, plus GPU drivers for desktop rendering.

Hardware Support Matrix
Hardware Type Supported Chipsets & Manufacturers
WiFiIntel (all generations), Broadcom (modern + legacy wl driver), Atheros/Qualcomm, Realtek, MediaTek, Marvell, TI, Atmel
EthernetBroadcom (bnx2, bnx2x), Cavium, Myricom, Netronome, QLogic, Realtek
BluetoothBlueZ firmware, miscellaneous nonfree firmware
GPU / GraphicsAMD (amdgpu), Intel (i915), NVIDIA (nouveau open-source driver)
MicrocodeIntel CPU microcode updates, AMD CPU microcode updates
AudioPulseAudio + ALSA, Bluetooth audio (pulseaudio-module-bluetooth)

Broadcom Wireless Support - Pre-Installed

Broadcom b43 and b43legacy firmware is pre-installed in the ISO at /lib/firmware/b43/ and /lib/firmware/b43legacy/. No post-boot installation required.

Desktop Customization

Kodachi Desktop ships with a carefully crafted dark theme optimized for long coding and privacy sessions.

Theme Configuration
Component Configuration
GTK ThemeLK_Material-Black-Lime (dark theme with lime green accents)
Icon ThemeLK_Newaita-Reborn-Mint-Dark (flat, modern icon set)
Cursor ThemeLK_Capitaine-Cursors (clean, high-DPI cursor)
Window ManagerXFWM4 with compositing and shadows
Panel LayoutTop panel with Docklike taskbar plugin (window grouping and pinning)
FontNoto Sans 9pt (with Noto Color Emoji)
WallpaperKodachi-branded privacy-themed dark wallpapers
Boot SplashPlymouth with Kodachi theme
Login ScreenLightDM GTK Greeter with Kodachi branding
Blue Light FilterRedshift-GTK for automatic color temperature adjustment

Boot Menu Overview

Kodachi Desktop groups every boot entry by security tier so you can pick the right hardening profile. Use the comparison table for a quick overview.

Main Boot Entries
Mode Tier Persistence Best For
Full HardeningTier 5NoHigh-threat environments, maximum kernel security
Forensics ModeTier 5No (RAM)Forensic analysis, volatile memory analysis
Secure Boot ModeTier 4NoUEFI Secure Boot, module signing enforcement
Maximum PrivacyTier 4No (RAM)Anonymity operations, anti-tracking
CPU HardenedTier 3NoVulnerable CPUs (Spectre/Meltdown protection)
Encrypted PersistenceTier 3LUKSLong-term use with encrypted storage
PersistentTier 2YesPersonal devices, everyday privacy
LiveTier 1NoQuick testing, hardware diagnostics

Layer Activation on Boot

Normal boot: Layers 02 (XFCE core) + 03 (Network GUI) are auto-loaded. Minimal boot: Only Layer 02. Desktop shows enable buttons for optional layers. All layers are included in the ISO and activate instantly without downloads.

First Boot Experience

What Happens on First Boot

  1. LightDM Login - Kodachi-branded login screen appears. Enter credentials: kodachi / r@@t00
  2. XFCE Desktop - Dark-themed XFCE desktop loads with panel, taskbar, and system tray
  3. Conky Dashboard - Real-time system monitor appears on desktop showing CPU, RAM, network, VPN, and security status
  4. Welcome Screen - Interactive setup wizard with VPN protocol selection, Tor configuration, and DNS encryption options
  5. Automatic Setup - DNSCrypt auto-configuration, binary verification, online authentication, and system status collection

Automatic First-Boot Operations

  • Binary deployment verification (validates all 22 core binaries)
  • DNSCrypt auto-configuration (encrypted DNS on first run)
  • Online authentication (Kodachi services and premium features)
  • System status collection (IP, geolocation, security score)
  • Conky dashboard initialization (real-time monitoring)

Welcome Screen — Interactive Setup Wizard

The Welcome Screen is a Tauri 2 + Svelte 5 desktop application that launches automatically on first boot, providing an interactive, countdown-driven setup wizard for configuring anonymity layers, randomizing system identity, and establishing secure connections. Features real-time system telemetry, protection level visualization, and persistent configuration storage.

Fortify Your Digital World

Countdown timer with auto-execution, real-time system resources monitoring, before/after identity comparison, and shield strength meter showing protection level based on enabled security steps.

Countdown Timer Ring

Auto

Animated circular countdown (60s / 2min / 5min / 10min / Manual) with step progress tracking. Auto-executes enabled steps when timer reaches zero. Shows real-time execution progress with animated ring fill.

System Resources Bar

Live

Real-time telemetry flanking the timer ring: CPU%, memory usage, swap, uptime, temperature, open ports, network I/O (tx/rx), disk I/O (read/write). Updates every 2 seconds.

Shield Strength Meter

Visual

Segmented bar visualization showing protection level (Low/Medium/High/Maximum) based on number of enabled steps. Pulsing glow animations with color-coded threat levels (red/yellow/green).

Before/After Panel

Compare

Shows identity values before and after execution: Hostname, MAC address, Timezone, Security Score. Each value has a copy button for easy clipboard access.

Auth Gate Protection

Premium

Non-authenticated users can only run Authenticate and Refresh steps. All other operations require successful Kodachi authentication. Premium users bypass support overlay prompts.

Persistent Settings

JSON

Timer duration, step toggles, auto-refresh interval, and auto-close preference persist across reboots via JSON settings file. Maintains user configuration between sessions.

9 Configurable Security Steps
Step Command Default Before/After Tracking
Authenticate with Kodachi Services online-auth authenticate --relogin Enabled Auth status (Not Authenticated → Authenticated)
Randomize Hostname health-control set-random-hostname Enabled Hostname (kodachi → random-string)
Randomize MAC Address health-control mac-force-change Enabled MAC address (real → randomized)
Randomize Timezone health-control set-random-timezone Enabled Timezone (UTC → random zone)
Harden PC Security health-control security-harden Disabled Security Score (before → after score)
Recover Internet Connectivity health-control recover-internet Enabled Network state (blocked → restored)
Quick Connect WireGuard routing-switch connect wireguard Enabled VPN status (Disconnected → Connected)
Torrify System + DNS tor-switch torrify-system-nftables-dns Disabled Tor status (Inactive → Active + Torrified)
Refresh System Status Fetches current IP, geolocation, auth, VPN, Tor, DNS status Enabled All current system values updated
Shield Strength Protection Levels
Level Steps Enabled Visual Effect Description
Low 0-2 steps Red pulsing bar Minimal protection. System identity exposed, no anonymity layers.
Medium 3-4 steps Yellow pulsing bar Partial protection. Some identity randomization, basic network security.
High 5-6 steps Green pulsing bar Strong protection. Full identity randomization, VPN active, DNS encrypted.
Maximum 7+ steps Bright green pulsing bar Ultimate protection. All anonymity layers active, system hardened, Tor routing enabled.

Quick Launch Buttons

Apps

5 instant-launch applications:
Kodachi Dashboard - Main control panel
Kodachi Browser - Privacy-hardened Chromium
Tor Browser - Anonymous browsing via Tor
RiseVPN - VPN management application
Kodachi Browser via Oniux - Isolated Tor routing per tab

Timer Options

Config

5 countdown modes:
60 seconds - Quick automated setup
2 minutes - Default balanced timer
5 minutes - Extended review time
10 minutes - Manual review and customization
Manual - No auto-execution, manual trigger only

Auto-Refresh Intervals

Live

Configurable system status refresh:
• 30 seconds, 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour, 6 hours, 24 hours
Automatically updates IP, geolocation, VPN status, Tor status, DNS mode, and security metrics at selected interval.

System Status Tab

Info

Real-time telemetry display:
Auth status, IP address, geolocation with country flag, VPN status, Tor status, MAC address, Hostname, Timezone, DNS mode, Hardening modules, Security Score. All values have copy-to-clipboard buttons.

Output Log Tab

Debug

Live execution output:
Real-time command output with timestamps, duration tracking, success/failure indicators, and scrollable history. Shows stdout/stderr from all executed steps for debugging and verification.

Support Overlay

Donate

Periodic donation/share prompt:
Binary rain animation with support links. Hidden for premium authenticated users. Shows after initial setup and periodically during usage. Includes Bitcoin/PayPal donation links and social sharing options.

Default Configuration

Enabled by default: Authenticate, Randomize Hostname, Randomize MAC, Randomize Timezone, Recover Internet, Connect WireGuard, Refresh Status (7 steps = Maximum protection). Disabled by default: Harden PC Security (system-wide changes), Torrify System (conflicts with WireGuard on first boot). Default timer: 2 minutes with auto-execution enabled.

Settings Persistence

All configuration (timer duration, step toggles, auto-refresh interval, auto-close preference) is saved to a JSON settings file in the user's home directory. Settings persist across reboots and system updates, maintaining your preferred security configuration.

Editions Comparison

Kodachi Editions
Feature Terminal Server Desktop XFCE Kodachi OS
DesktopHeadless (CLI only)XFCE 4Custom
BaseDebian 13 (Trixie)Debian 13 (Trixie)Debian
ISO Size~2.4GB~5GB~2.9GB
Binary Suite17 terminal binariesAll 22 binariesAll binaries
Tauri DashboardNoYesYes
Kodachi ClawYesYesYes
Conky MonitorNoYes (Lua-powered)Yes
BrowsersCLI only (w3m)LibreWolf + Tor BrowserCustom
Office SuiteNoLibreOffice (optional layer)Yes
Dynamic LayersNo10 optional layersLimited
InstallerCLI/CalamaresCalamares graphicalLive ISO
Target UseServers, VPS, proxy gatewaysDesktop workstations, daily useLive USB, privacy-first
StatusAvailableAvailableAvailable

Use Case Examples

Example 1: Daily Privacy Workstation

Install Kodachi Desktop on your main computer or laptop. Use LibreWolf for browsing, LibreOffice for documents, and Tor Browser for sensitive research. All traffic routed through VPN + Tor with Conky monitoring your security posture in real-time.

Example 2: Secure Development Machine

Enable the Development layer (Layer 09) for VS Code, git tools, build tools, and crypto libraries. Write code with Firejail sandboxing, GPG-signed commits via Kleopatra, and all network traffic anonymized through the routing stack.

Example 3: Multimedia & Content Creation

Activate the Multimedia layer (Layer 04) for video recording with OBS Studio, screen capture with SimpleScreenRecorder, and vector graphics with Inkscape. All content creation tools operate behind the privacy stack.

Example 4: Network Security Audit

Enable the Security GUI layer (Layer 08) for Wireshark packet capture, Zenmap network scanning, and EtherApe traffic visualization. Run analyses through Tor or VPN for anonymous reconnaissance.

Example 5: Air-Gapped Secure Computing

Boot from USB in Maximum Privacy mode (Tier 4). Runs entirely in RAM, leaves no traces on host hardware. Use KeePassXC for credential management, SiriKali for encrypted containers, and BleachBit for cleanup before shutdown.

Example 6: Virtual Machine Testing Lab

Enable the Virtualization Host layer (Layer 07B) for virt-manager and QEMU/KVM. Run additional VMs inside Kodachi Desktop for nested security testing, malware analysis in isolated environments, and network simulation.

Stay Updated

Check for release announcements and updates on SourceForge. For questions or feature requests, visit Discord Support.