Web UI for a Debian-based travel router. Connects any device via WiFi to a VPN - the AP forwards all client traffic through Tailscale, WireGuard, or OpenVPN. Runs on any Debian system (Raspberry Pi, x86, ARM), built with Django.
Plug the device into any network (Ethernet or WiFi uplink), connect your devices to its AP, and all traffic exits through the configured VPN. No client-side VPN setup required.
- AP → Tailscale: all AP clients routed through
tailscale0, exit node selectable from UI - AP → WireGuard: multi-tunnel support, start/stop and manage peers per tunnel
- AP → OpenVPN: start/stop, config selection
- AP → Direct: plain NAT through the uplink interface
The exit gateway is set per AP and applied via policy routing and nftables.
- Dashboard: system load, memory, temperature, interface bandwidth, active VPN topology
- Internet: WAN config (Ethernet/WiFi uplink via NetworkManager), WiFi scan & connect, failover priority
- Wireless: hostapd AP config (SSID, channel, password, band, country code with auto-detect), shared-radio channel sync
- Clients: connected AP clients (live station dump), static DHCP leases, bandwidth history, DNS overrides per client
- Firewall: full nftables
inet hekatetable (input/forward/NAT/postrouting) via UI, port forwarding, protected system rules - VPN: Tailscale (connect, accept routes, advertise routes, exit node), WireGuard (multi-tunnel, QR client onboarding, peer management), OpenVPN (start/stop, config upload)
- DNS: upstream DNS server selection, pushed to AP clients via DHCP
- Console: in-browser root shell with xterm.js - full color, scrollback, copy/paste
- System: service control, log viewer, interface assignment, backup/restore, password change, one-click update with package diff
- Toggles: WiFi auto-reconnect, WAN failover, VPN kill switch
- Debian 12 or 13 (tested on Raspberry Pi 4, x86)
- Internet access during install (packages + Tailscale are fetched automatically)
wget -qO- https://raw.githubusercontent.com/Garfieldttt/hekate/main/bootstrap.sh | sudo bashThe installer handles all dependencies: Python, NetworkManager, nftables, hostapd, dnsmasq, WireGuard, OpenVPN, Tailscale.
Installs to /opt/hekate, creates a systemd service on port 8080.
Default login: admin / admin - change via Settings after first login.
Default AP: SSID: hekate / Password: hekate123 - change via Wireless page after installation.
Connect to the hekate WiFi AP, then open:
The web UI is only reachable on the AP network (10.42.0.0/24) by design. HTTPS is not built-in; add a reverse proxy (nginx, Caddy) if you need TLS.
Via the web UI: System → Software Update
The web UI handles everything: downloads the latest release, runs migrations, restarts the service. The update.sh script in the repo is an optional fallback for manual updates from a cloned checkout.
sudo bash uninstall.sh- Raspberry Pi 4 (Debian 13, Python 3.13)
- x86 (Debian 12/13)
