Beam

Architecture

Beam uses a hybrid architecture that separates user interface from core tunneling logic. A Node.js CLI handles command parsing and process management, while a Rust daemon performs the actual network operations. This design provides both developer ergonomics and high performance.

System Overview

When you run beam 3000, several components work together:

Beam Architecture

CLI Tool
(Node.js)
Tunnel Daemon
(Rust)
Tor Service
(.onion)
Local DNS
Server
Your App
(Port 3000)

The CLI spawns the daemon as a child process, communicates via stdout/stderr, and handles user interaction. The daemon manages all network operations including Tor connections, DNS resolution, and HTTP proxying.

CLI Tool (Node.js)

The CLI is written in TypeScript and distributed via npm. It serves as the user-facing interface to Beam, handling argument parsing, configuration management, and process lifecycle.

Responsibilities

  • Argument parsing: Validates and processes CLI flags like --port, --domain, --tor
  • Process management: Spawns the Rust daemon and monitors its health
  • Configuration: Reads and writes ~/.beam/config.json
  • Status display: Shows tunnel URLs, connection status, and errors
  • Signal handling: Graceful shutdown on Ctrl+C

Technology Stack

  • Runtime: Node.js 18+ with ES modules
  • Language: TypeScript for type safety
  • Build: tsup for bundling to CJS and ESM
  • Distribution: npm package @byronwade/beam

The CLI is intentionally lightweight. All heavy lifting happens in the Rust daemon, keeping the Node.js process responsive to user input.

Tunnel Daemon (Rust)

The daemon is compiled to a native binary for each platform (macOS, Linux, Windows). It handles all performance-critical networking operations using Rust's async runtime.

Responsibilities

  • HTTP/HTTPS proxy: Accepts incoming requests and forwards them to your local server
  • Tor integration: Creates and maintains hidden service connections
  • DNS server: Resolves custom domains like myapp.local to 127.0.0.1
  • TLS termination: Generates self-signed certificates for HTTPS
  • WebSocket support: Proxies WebSocket connections through the tunnel

Technology Stack

  • Language: Rust for memory safety and performance
  • Async runtime: Tokio for non-blocking I/O
  • HTTP server: Hyper for high-performance HTTP handling
  • TLS: rustls for pure-Rust TLS implementation
  • Tor: arti-client for Tor protocol implementation

Rust was chosen for the daemon because tunneling is inherently I/O-bound. Tokio's async model handles thousands of concurrent connections efficiently without the overhead of garbage collection pauses or thread-per-connection models.

The daemon binary is bundled with the npm package. When you install Beam, it includes pre-compiled binaries for your platform. No Rust toolchain is required on user machines.

Tor Integration

Beam uses the Tor network to provide global access without exposing your IP address. When you enable Tor mode, the daemon creates a hidden service (onion service) that routes traffic through the Tor network.

How It Works

  1. The daemon starts an embedded Tor client using the arti library
  2. It generates an Ed25519 keypair that determines your .onion address
  3. A hidden service descriptor is published to the Tor distributed hash table
  4. Introduction points are established in the Tor network
  5. Clients connect through rendezvous points without learning your IP

The .onion address is derived from your public key, providing cryptographic identity verification. Anyone connecting to your .onion address can be certain they're reaching your service and not an impostor.

Initial Tor connection takes 10-30 seconds while circuits are built. Subsequent requests have 100-300ms additional latency due to the multi-hop routing. This tradeoff provides strong privacy guarantees in exchange for some speed.

Local DNS Resolution

Beam runs a lightweight DNS server that resolves custom domains to localhost. This allows you to use memorable domain names instead of localhost:3000.

Terminal
beam 3000 --domain myapp.local

When you specify a domain, the DNS server binds to port 5354 (configurable) and responds to queries for that domain with 127.0.0.1. Your system's resolver needs to be configured to use Beam's DNS server for local domains.

Platform-Specific Configuration

  • macOS: Beam can automatically create /etc/resolver/local files
  • Linux: Requires manual configuration of systemd-resolved or dnsmasq
  • Windows: Requires hosts file entry or DNS proxy configuration

The DNS server only responds to queries for domains you've configured. All other queries are passed through to your system's default resolver.

Dual-Mode Operation

Beam supports running local and Tor access simultaneously. This is useful during development when you need fast local access for yourself but also want to share with teammates or test webhooks.

Terminal
beam 3000 --domain myapp.local --dual

Dual-Mode Operation

LOCAL ACCESS
Browser
myapp.local
Local DNS
127.0.0.1
GLOBAL ACCESS
Tor Browser
xyz.onion
Tor Network
(3 hops)
Tunnel Daemon
Your App
(Port 3000)

Local Mode Benefits

  • Zero additional latency
  • Works offline
  • Custom domain names
  • No Tor setup required

Tor Mode Benefits

  • Global accessibility
  • IP anonymization
  • End-to-end encryption
  • Works through firewalls

Request Flow

Understanding how requests flow through Beam helps with debugging and optimization. Here's what happens when a request arrives:

Local Request

  1. Browser requests http://myapp.local
  2. System resolver queries Beam's DNS server on port 5354
  3. DNS server returns 127.0.0.1
  4. Browser connects to Beam's HTTP proxy
  5. Proxy forwards request to your app on port 3000
  6. Response flows back through the same path

Tor Request

  1. Client connects to your .onion address via Tor
  2. Traffic is encrypted and routed through 3 Tor relays
  3. Traffic reaches Beam's hidden service endpoint
  4. Daemon decrypts and forwards to your app on port 3000
  5. Response is encrypted and sent back through Tor

Security Architecture

Beam implements a zero-trust security model. Key security properties include:

  • No central server: Traffic never passes through Beam-operated infrastructure
  • End-to-end encryption: TLS 1.3 for local HTTPS, Tor encryption for remote access
  • No data collection: Beam doesn't log requests, store analytics, or phone home
  • Local key storage: Cryptographic keys stored in ~/.beam/ with filesystem permissions
  • Perfect forward secrecy: Session keys are ephemeral; past traffic can't be decrypted if keys are later compromised

For a deeper dive into Beam's security model, see the Security documentation.

Related Documentation