Skip to content


Cyberhive Connect has several configuration options to tune its behaviour to your needs. On Unix-like systems, these are set via environment variables.

The following options are available:


When set, this token will be sent in requests to the Control Service to serve as authentication, which is useful mostly during registration when interactive authentication is not an option.

The token is linked to a user. This user must be specified in CONNECT_USERNAME.

Following registration, a signing key will have been generated. For authentication, the signing key is given preference over the authentication token, as the signature-based authentication works with PQ-resistant signatures, rather than a static key string.

When using CONNECT_AUTH_TOKEN, a secure connection must be used (https, ideally protected with KEMTLS or similar) to avoid leaking credentials. It is strongly recommended to only use the authentication token for registration.


When in UDP injection mode (defined by CONNECT_INTERFACE_PATH), defines the port Connect uses to listen for (UDP-encapsulated) injected packets for the VPN.


Overrides the tunnel interface path. For operating systems that use file-system based device paths, this permits pointing Connect to a different tunnel device, e.g. /dev/net/your_preferred_tun.

The interface path can also be set to{port}, which enables UDP injection mode. In this mode, unencrypted network packets can be read/written on the socket (encapsulated in UDP packets), and Connect takes care of the encryption. {port} defines the port that an external application uses to listen for packets from the VPN (see also CONNECT_INJECTION_PORT which defines the port that Connect uses to listen for packets going to the VPN).


Provides the prefix to be used as interface name. Optional.


Specify the directory where any keys such as SSH keys, signing keys, and preshared keys are stored. The default is $HOME/.config/cyberhive-connect for Unix-like systems.


Specify a listening port to use.


Specify the MTU to use inside the VPN tunnel. A good value is 80 bytes less than the MTU of your network interface. When not specified, Connect assumes a default of 1420. It is strongly advised to keep the MTU of your network interface at 1456 or higher.


This provides name resolution for hosts that DNS doesn't know about. Formatted as hostname:ip[,hostname:ip]. This is similar to a hosts file, but limited in scope to services that Connect needs to function. Typically either not set, or limited to the IP address of the Control Service.


Server URL to use when none is given on the command line. Should be in the format https://servername.domain:port (port number optional).


Setting this to "local" will make clients use their local IP addresses rather than public IP addresses. Use this for "local vpn", where all vpn clients run on the same LAN. Specify {ip}:{port} to force the client to advertise itself to the Control Service as being accessible on a given IP address and port number without performing STUN calls. In this mode, manual gateway configuration may be required.


Specify the directory to be used as temporary directory.


user@domain style username to be used.


Each host within the Organisation must have a unique name. Set this if you wish to use a host name that differs from the actual host name of your machine.