PharosVPN
§07 · install

two presets, one engine · pre-release

Install.

The shortest path is helm init with a preset flag and one or two cloud VMs. helm stays on a private box; every operational instruction to nodes goes over mTLS gRPC on a connection that helm initiates.

prerequisites

What you need before you start.

  • A private machine to run helm on — your laptop, a home server, a small private box. It needs outbound internet; it does not need a public IP or open ports.
  • One or more public VMs to run buoy on, on any provider. helm doesn't call cloud APIs; you create the VMs.
  • SSH access to those VMs from the machine running helm. helm generates its own keypair on first run and prints the public key for you to add.
  • Go 1.22+ & Make for now, while we're building from source. Released binaries land later.

preset · for one operator

helm init --personal

One operator, one or two nodes, sensible defaults, AmneziaWG by default, the relay embedded in helm itself.

# 1. build helm on your private machine
git clone https://github.com/PharosVPN/helm
cd helm && make

# 2. first-run setup with the personal preset
./helm init --personal

# 3. create a VM on any cloud provider you like.
#    add helm's SSH public key to that VM's authorized_keys:
./helm ssh-key

# 4. enroll the node — helm SSHes in, installs buoy, signs a CSR
./helm nodes add [email protected]

# 5. issue yourself a device profile
./helm users add me
./helm devices enroll me --qr        # scan with caravel
# ...or:
./helm devices enroll me --file me.pharos

preset · for a fleet

helm init --enterprise

Multi-region, multi-admin, AmneziaWG and XRay both enabled, remote beacon relays optional, longer audit retention. The presets only swap defaults — the engine is the same.

# 1. build helm on a private box (laptop, home server, jump host)
git clone https://github.com/PharosVPN/helm
cd helm && make

# 2. first-run setup with the enterprise preset
./helm init --enterprise

# 3. enroll one or more nodes in each region you care about
./helm ssh-key
./helm nodes add [email protected]  --region eu-fra
./helm nodes add [email protected]       --region us-east

# 4. (optional) deploy a remote beacon — same SSH enrollment pattern
./helm relays add [email protected]

# 5. add admins; each gets their own device cert from the Device CA
./helm admins add alice
./helm admins add bob

# 6. roll out caravel via your MDM, or by handing out enrollment QR codes
./helm users add team-employee
./helm devices enroll team-employee --qr

what happens after init

From here, every instruction is gRPC.

helm holds a long-lived outbound mTLS connection open to each buoy. Pushes are applied live; adding a peer doesn't restart the data plane. SSH is a deployment channel only: it is used once at enrollment and again for agent upgrades.

The admin UI is a SvelteKit SPA embedded in the helm binary, served on localhost. Open it from the machine that's running the controller.
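
The page makes two exposure claims about the controller box: helm needs no open ports, and the admin UI is served on localhost. The following check for both is an added example, not part of the PharosVPN documentation. It filters `ss -Hltnp` output for one process and prints any listener bound to something other than loopback. The process name helm comes from the binary name used above; the sample lines, ports and PIDs are constructed.

```shell
#!/bin/sh
# Print listening TCP sockets owned by process $1 that are bound to anything
# other than loopback. Input: `ss -Hltnp` output on stdin (Linux, iproute2).
exposed_listeners() {
    awk -v proc="$1" '
        index($0, "(\"" proc "\"") == 0 { next }   # keep only sockets of this process
        {
            addr = $4                               # column 4 is Local Address:Port
            sub(/:[0-9]+$/, "", addr)               # strip the port
            sub(/%.*$/, "", addr)                   # strip an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print $4                                # wildcard or routable bind
        }'
}

# Constructed sample of `ss -Hltnp` output; ports and PIDs are made up.
SAMPLE='LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:* users:(("helm",pid=2211,fd=7))
LISTEN 0 4096 [::1]:8443 [::]:* users:(("helm",pid=2211,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 4096 *:9090 *:* users:(("helm",pid=2211,fd=9))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=600,fd=14))'

# Only the wildcard bind owned by helm is reported for the sample.
printf '%s\n' "$SAMPLE" | exposed_listeners helm

# On a live controller host (run as root so -p can show process names):
#   ss -Hltnp | exposed_listeners helm
```

Empty output on the live host means every helm listener is loopback-only.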