Documentation

BlueSkyGate connects your gateways over an encrypted overlay. A gateway is a single static binary; the control plane coordinates identity, routing, and key rotation. This guide gets a two-node overlay running in a few minutes.

Quickstart

  1. Create a project and download your enrollment token from the dashboard.
  2. Install the bsg agent on each gateway.
  3. Enroll each gateway with the token; it dials the control plane and joins the mesh.
  4. Define a routing policy and apply it.

Install a gateway

Linux (amd64/arm64):

curl -fsSL https://get.blueskygate.net/install.sh | sh
bsg version

The agent installs as a systemd service and runs unprivileged after the first start.

Join the overlay

bsg enroll --token "$BSG_TOKEN" --name edge-fra-01
bsg status

Once enrolled, the gateway holds an outbound tunnel to the control plane. No inbound ports are opened on the host.

Routing policy

Policies are declarative and version-controlled. Example: expose an internal service to a tagged group only.

route "internal-api" {
  to      = "10.20.0.10:8080"
  allow   = ["group:engineering"]
  exposed = false
}

Apply with bsg apply policy.hcl. Changes roll out atomically across the mesh.
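
Because policies are version-controlled, they can be checked in review before bsg apply runs. The script below is an added example, not part of BlueSkyGate or its documentation. It handles only the flat route block shape shown above (not full HCL); the approved-principal set, the second and third sample routes, and the rule that any exposed value other than false is flagged for manual review are assumptions made for illustration.

```python
import re

# Flat block shape shown on this page: route "name" { key = value ... }
# Assumption: no nested braces and no "}" inside string values.
ROUTE_RE = re.compile(r'route\s+"([^"]+)"\s*\{(.*?)\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

# Hypothetical set of principals your team has approved for routes.
APPROVED = {"group:engineering", "group:sre"}

# Constructed sample: first route is the page's example, the others are invented.
SAMPLE = '''
route "internal-api" {
  to      = "10.20.0.10:8080"
  allow   = ["group:engineering"]
  exposed = false
}
route "metrics" {
  to      = "10.20.0.11:9100"
  allow   = []
  exposed = true
}
route "admin" {
  to      = "10.20.0.12:8443"
  allow   = ["group:contractors"]
  exposed = false
}
'''

def parse_routes(text):
    """Return {route_name: {attribute: raw_value}} for each route block."""
    text = re.sub(r'^\s*(#|//).*$', '', text, flags=re.M)  # drop whole-line comments
    return {name: dict(ATTR_RE.findall(body)) for name, body in ROUTE_RE.findall(text)}

def lint(text, approved=APPROVED):
    """Return (route, finding) pairs a reviewer should resolve before applying."""
    findings = []
    for name, attrs in parse_routes(text).items():
        principals = re.findall(r'"([^"]*)"', attrs.get("allow", ""))
        if not principals:
            findings.append((name, "allow is missing or empty"))
        findings += [(name, f"principal not approved: {p}")
                     for p in principals if p not in approved]
        if attrs.get("exposed") != "false":
            findings.append((name, "exposed is not false; needs manual review"))
    return findings

if __name__ == "__main__":
    results = lint(SAMPLE)
    print("\n".join(f"{route}: {msg}" for route, msg in results))
    raise SystemExit(1 if results else 0)
```

Run as a pre-merge check, the non-zero exit status blocks a policy change until each finding is fixed or explicitly accepted.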

CLI reference

Command          Description
bsg enroll       Join a gateway to the overlay
bsg status       Show link health and peers
bsg apply        Apply a routing policy
bsg keys rotate  Force credential rotation
bsg logs         Stream local agent logs

FAQ

Does BlueSkyGate see my traffic? No. The overlay carries your traffic end-to-end; we coordinate identity and routing, not payloads.

What happens if the control plane is unreachable? Existing tunnels keep forwarding. New peers can't join until connectivity is restored.
