Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
This branch is 670 commits ahead, 738 commits behind snabbco:master.

Latest commit



Failed to load latest commit information.
Latest commit message
Commit time


🚧 🚧 🚧 🚧

Vita is a high-performance IPsec VPN gateway designed with medium and large network operators in mind. It is written in a high-level language (Lua) and achieves high performance via networking in userspace, i.e. bypassing the kernel network stack.

Project goals

  • Provide a low-cost, open source solution to network traffic encryption at scale

  • Support stand-alone operation as well as SAs established by third-party software such as StrongSwan

  • Be as fast as possible on generic x86 CPUs, handle 10 Gbps line rate at 60 byte packets and more

  • Avoid vendor lock-in and mandatory, complex dependencies while embracing network operator standards such as NETCONF/YANG

  • Keep it all simple, maintainable, and modular

  • Use strong, modern cryptographic primitives and protocols


Vita is in its early “tech-demo” stage of development and not ready for production yet!


  • ~3 Mpps (or ~5 Gbps of IMIX traffic) per CPU core on modern commodity x86 hardware

  • Scales linearly with CPU cores using RSS and VMDQ

  • Implements IPsec for IPv4 and IPv6, specifically IP Encapsulating Security Payload (ESP) in tunnel mode

  • Uses optimized AES-GCM 128-bit encryption based on a reference implementation by Intel for their AVX2 (generation-4) processors

  • Automated key exchange (AKE) and rotation, with perfect forward secrecy (PFS) and seamless, packet loss-free rekeying

  • Simple, minimal, and modern AKE protocol based on Noise (audit welcome, see

  • Can act also as a pure data-plane and consume SAs established by other means

  • Configuration and runtime state modelled by a native YANG schema. Supports, dynamic reconfiguration via NETCONF RPCs (update routes while running)

  • Strong observability (access relevant statistics of a running Vita node via NETCONF get-state RPCs) and full ICMP visibility (tunnel appears as two hops in traceroute, PMTUD support, all inbound ICMP messages are logged)

  • Written in Lua—a simple, high-level programming language—and x86 assembly





Getting started

Vita runs on any modern Linux/x86-64 distribution. You will need a compatible x86 CPU with support for AES-NI and AVX-2. For network interfaces you have the following supported options:

  • Intel chipsets i210, i350, and 82599
  • Intel AVF capable VFs e.g. from a X710 and XL710
  • Linux XDP capable interfaces

Important note: Snabb needs Linux to be booted with iommu=off for its native device drivers to function.

$ git clone
$ cd vita
$ RECIPE=Makefile.vita make -j
$ sudo src/vita --help

Setting RECIPE=Makefile.vita causes a release build to be built (as opposed to a test build.)

The vita binary is stand-alone, includes useful auxiliary applications (like snabb top and snabb pci_bind), and can be copied between machines.

For example, to install Vita and the Snabb monitoring tool on the local machine:

$ sudo cp src/vita /usr/local/bin/vita
$ sudo ln -s vita /usr/local/bin/snabb-top


End-to-end benchmarking procedures are documented in


Vita is a high-performance L3 VPN gateway you can use to interconnect your networks. Vita acts as a tunnel between your local, private network and any number of remote Vita gateways. With it, nodes spread across your outposts can communicate with each other with confidentiality and authenticity ensured at the network layer.

Vita is probably more efficient at encapsulating traffic than your application servers. You can free cycles for your application by offloading your packet encryption and authentication workload to Vita.

a mesh of Vita gateways forms a VPN

A Vita network can be as small as two nodes with a single route, and as large as you like. For each pair of Vita gateways, a separate secure tunnel (route) can be established—“can be” because a Vita network does not need to be a full mesh, instead arbitrary hierarchies are supported on a route-by-route basis. Each route uses a pre-shared super key that is installed on both ends of the route. These keys need to be configured only once, and only need renewal when compromised, in which case the breach will affect only the route in question. The actual keys used to encrypt the traffic are ephemeral, and negotiated by Vita automatically, with no manual intervention required.

Deploying Vita is easy, and not invasive to your existing infrastructure. It can be as simple as adding an entry to the IP routing table of your default gateway, to ensure that packets to destinations within your private network are routed over an extra hop: the Vita gateway. Whether Vita forwards the encapsulated packets back to your default gateway, or directly to your modem depends on your setup, and is freely configurable.

private traffic is routed over a Vita gateway, and encapsulated before it is transmitted over the Internet

To configure a Vita route, you need to specify the address prefix of the destination subnetwork, and the public IP address of the target Vita gateway (in addition to the pre-shared key). At the other end, you specify the source prefix and gateway address in symmetry. You can even add and remove routes while Vita is running, without affecting unrelated routes.

Powered by


Snabb is a simple and fast packet networking toolkit with a wonderful community.

Sponsored by


NLnet funded Vita development in 2018/2019 with their generous donation. 🙇‍♂️


No packages published


  • Lua 45.9%
  • C 41.4%
  • Assembly 4.9%
  • HTML 2.1%
  • NASL 1.8%
  • Shell 1.4%
  • Other 2.5%