Deployment Guide

This guide covers deploying QuFabric with the AES double VPN and DSKE key management features enabled. It assumes you have a working QuFabric deployment (management, signal, relay services) and want to add the security layer.

Prerequisites

A working QuFabric management server, signal server, and relay
At least 3 Linux peers (2 clients + 1 security hub, minimum)
The QuFabric client with AES WireGuard support installed on each peer

The AES WireGuard interface is currently Linux-only. Non-Linux peers can connect to the network but will use single-layer WireGuard encryption only (as AES-exempt peers).

Architecture Overview

A typical deployment includes:

┌──────────────────┐      ┌──────────────────┐
│  Management      │      │  Signal / Relay   │
│  Server          │      │  Servers          │
└────────┬─────────┘      └────────┬──────────┘
         │                         │
    ─────┼─────────────────────────┼───── Internet
         │                         │
    ┌────┴─────────────────────────┴────┐
    │         WireGuard Mesh (wg0)       │
    │                                    │
    │  ┌──────────┐    ┌──────────┐     │
    │  │ Security │    │ Security │     │
    │  │ Hub A    │    │ Hub B    │     │
    │  └──────────┘    └──────────┘     │
    │                                    │
    │  ┌──────────┐    ┌──────────┐     │
    │  │ Client   │◄══►│ Client   │     │
    │  │ Peer 1   │ AES│ Peer 2   │     │
    │  └──────────┘    └──────────┘     │
    └────────────────────────────────────┘

Step 1: Configure AES on the Management Server

Set AES IP Subnet

The management server needs an AES IP subnet to allocate AES addresses. This is configured via the management server settings. Each peer will receive an AES IP from this range in addition to its standard WireGuard IP.

Set AES DNS Domain (Optional)

Configure the AES DNS domain for DNS-based peer resolution:

curl -X PUT "https://management.example.com/api/accounts/{accountId}" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "settings": {
      "aes_dns_domain": "aes.example.com"
    }
  }'

Or use the management server flag: --aes-dns-domain aes.example.com

Step 2: Deploy Security Hubs

You need at least 2 security hubs for DSKE threshold cryptography.

Mark Peers as Security Hubs

Via the REST API, set dske_security_hub: true on the hub peers:

# Mark a peer as a security hub
curl -X PUT "https://management.example.com/api/peers/{peerId}" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"dske_security_hub": true}'

The management server will automatically:

Create a "DSKE Security Hubs" group
Create a bidirectional policy ensuring all peers can reach the hubs
Allocate the peer as AES-exempt (hubs don't use the AES tunnel)

Verify Hub Provisioner

On each security hub peer, verify the provisioner is running:

# Check for PSRD files being generated
ls /var/lib/qufabric/dske/psrd-out/

You should see PSRD files appearing. The provisioner maintains a pool of 5 pre-generated files.

Step 3: Provision PSRD to Client Peers

For each client peer, you need to:

Add the client on each security hub:

# On Security Hub A
sudo -u qbtld qbt-local-distributor dske-client add peer1-hubA --json

# On Security Hub B
sudo -u qbtld qbt-local-distributor dske-client add peer1-hubB --json

Generate PSRD files:

sudo -u qbtld qbt-local-distributor dske-client assign-psrd \
  --first \
  --user-bytes 524288 \
  --server-bytes 524288 \
  --user-id <dske-client-id> \
  -o /var/lib/qufabric/dske/psrd-out/

Transfer PSRD files to the client (via SSH or another secure channel):

scp /var/lib/qufabric/dske/psrd-out/peer1-hubA.json user@peer1:/tmp/
scp /var/lib/qufabric/dske/psrd-out/peer1-hubB.json user@peer1:/tmp/

Ingest PSRD on the client peer:

qufabric dske ingest-psrd /tmp/peer1-hubA.json
qufabric dske ingest-psrd /tmp/peer1-hubB.json

Repeat for each client peer, with unique PSRD files per client per hub.

Step 4: Verify the Double VPN

Once PSRD is ingested on at least 2 hubs, DSKE will automatically:

Discover shared hubs between peer pairs
Generate and distribute PSKs
Establish the AES tunnel

Verify it's working:

# Check DSKE status
qufabric dske status

# Check AES interface
sudo wg show aes0

# Ping a peer via AES tunnel
ping <peer-aes-ip>

The AES tunnel should establish within seconds of PSRD ingestion.

Step 5: Mark Non-Linux Peers as AES-Exempt

If you have Windows, macOS, or other non-Linux peers, mark them as AES-exempt:

curl -X PUT "https://management.example.com/api/peers/{peerId}" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"aes_exempt": true}'

AES-exempt peers use standard WireGuard encryption and can communicate normally with all peers — they just don't participate in the AES double VPN layer.

Peer Configuration Summary

Peer Type	AES Exempt	Security Hub	AES Tunnel	DSKE
Linux client	No	No	Yes (aes0)	Active (generator or recoverer)
Non-Linux client	Yes	No	No	Not active
Security hub	Yes (auto)	Yes	No	Provisioner only

Monitoring

After deployment, monitor the following:

What to Monitor	Command	Alert On
DSKE status	`qufabric dske status`	Status not "Enabled"
PSRD levels	`qufabric dske status`	Below 10 KiB on any hub
AES handshakes	`sudo wg show aes0`	No recent handshake with active peers
Key rotation	Check logs for PSK injection	No rotation events for > 5 minutes

DSKE (Key Exchange)

Operations

Platforms

Peers

Access Control

Networks

Network Routes

DNS

Team

Activity

Settings

Integrations

Public API

For Partners

Maintenance

Authentication

Migration Guides