ISO/IEC 27001:2022 specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Annex A provides a reference set of controls grouped into organizational, people, physical, and technological categories. QP Tunnel provides infrastructure-level capabilities for secure remote access that support a subset of those controls; the mappings below cover the technological (A.8) and organizational (A.5) controls it addresses, the cryptographic layers involved, and the controls that remain out of scope.
| Control | Title | How Tunnel Addresses It |
|---|---|---|
| A.8.1 | User endpoint devices | Each peer device receives a unique Curve25519 keypair, preshared key, and tunnel IP. WireGuard configs are generated per-device. Revoked devices are immediately removed from the live interface. |
| A.8.5 | Secure authentication | Tunnel authentication uses cryptographic keypairs, not passwords. Each peer has a unique keypair and preshared key. The WireGuard protocol requires a valid cryptographic handshake before any traffic flows. |
| A.8.9 | Configuration management | peers.json and services.json maintain the authoritative state. tunnel-rotate-keys.sh defaults to dry-run mode. Key backups are created automatically. All state lives in ~/.config/${TUNNEL_APP_NAME}/ with documented structure. |
| A.8.15 | Logging | Every operation writes a structured JSON entry to audit.log with timestamp, action, status, message, and user. Error traps capture failures with script name and line number. Token values are masked. |
| A.8.16 | Monitoring activities | tunnel-status.sh provides live peer status: handshake time, endpoint address, data transfer, connection state. WireGuard handshakes occur every two minutes during active traffic. |
| A.8.20 | Networks security | The relay server acts as a managed network access control point. Split-tunnel routing sends only VPN subnet traffic (10.8.0.0/24) through the relay. NAT and IP forwarding are configured on the relay. |
| A.8.21 | Security of network services | WireGuard encrypts all tunnel traffic. tunnel-open adds PQ TLS 1.3 for exposed services. Exposed ports bind to the tunnel interface only. Firewall rules restrict access to the tunnel subnet. |
| A.8.24 | Use of cryptography | WireGuard: Curve25519/ChaCha20-Poly1305/BLAKE2s. PQ TLS: X25519MLKEM768/AES-256-GCM. Internal CA: Ed25519. Audit sealing: SHA3-256 + Ed25519. All keys stored with mode 600. |
| A.8.25 | Secure development lifecycle | Zero use of eval in the codebase. Input validation via strict regex ([a-zA-Z0-9_-]). set -euo pipefail with ERR traps. 420+ tests across unit, integration, and smoke tiers. |
| A.8.26 | Application security requirements | Per-service TLS certificates signed by an internal Ed25519 CA. Caddy reverse proxy configured for TLS 1.3 with ML-KEM-768 hybrid key exchange. Certificate SANs include tunnel IP and service name. |
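The A.8.15 and A.8.25 rows describe structured JSON audit entries with masked tokens, strict-regex input validation, and ERR traps that record script name and line number. The script below is an added example that illustrates those patterns; it is not QP Tunnel's own code, and the audit log path, field layout, and masking format are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not QP Tunnel's code): strict-regex validation, structured
# JSON audit entries with masked tokens, and an ERR trap with script:line.
set -euo pipefail
umask 077                                   # new files are mode 600 (A.8.24)

AUDIT_LOG="${AUDIT_LOG:-$(mktemp)}"         # constructed path; the real tool uses ~/.config/<app>/audit.log

# Accept only names made of the strict character class [a-zA-Z0-9_-].
validate_name() {
    case "$1" in
        '' | *[!a-zA-Z0-9_-]*) return 1 ;;  # empty, or contains a forbidden char
    esac
    return 0
}

# Mask a secret before it is logged: keep 4 chars, hide the rest (assumed format).
mask_token() {
    printf '%s****' "${1:0:4}"
}

# Append one JSON line: timestamp, action, status, message, user (message assumed quote-free).
audit_log() {
    local action="$1" status="$2" message="$3"
    printf '{"ts":"%s","action":"%s","status":"%s","message":"%s","user":"%s"}\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" "$status" "$message" "${USER:-unknown}" \
        >> "$AUDIT_LOG"
}

# ERR trap handler: record which script and line failed, then set -e exits.
on_err() {
    audit_log "script" "error" "$(basename "${BASH_SOURCE[0]:-$0}"):line $1 failed"
}
trap 'on_err "$LINENO"' ERR

# Count audit entries with a given status (used by the demo and checks).
count_status() {
    grep -c "\"status\":\"$1\"" "$AUDIT_LOG" || true
}

# Demo: accept a valid peer name, reject a malformed one, log a masked token.
if validate_name "laptop-01"; then
    audit_log "add-peer" "ok" "peer laptop-01 added"
fi
if ! validate_name 'bad;name'; then
    audit_log "add-peer" "rejected" "invalid peer name"
fi
audit_log "relay-setup" "ok" "token=$(mask_token "tok_0123456789abcdef")"   # constructed token
```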
| Control | Title | How Tunnel Addresses It |
|---|---|---|
| A.5.15 | Access control | Peer access is explicit and named. tunnel-add-peer.sh grants access, tunnel-remove-peer.sh revokes immediately. No implicit trust, no wildcard access. Revoked peers are archived with timestamps. |
| A.5.23 | Information security for use of cloud services | Relay setup supports multiple providers (SSH, local, DigitalOcean, script output). White-label support via TUNNEL_APP_NAME enables agency-specific branding. Air-gap compatible with zero runtime internet dependencies. |
| A.5.28 | Collection of evidence | audit.log provides structured JSON records. Capsule Protocol integration provides tamper-evident sealing with SHA3-256 + Ed25519. Hash chain verification confirms completeness. Revoked peer configs are archived, never deleted. |
| Layer | Algorithm | Standard | PQ Status |
|---|---|---|---|
| WireGuard (outer) | Curve25519 / ChaCha20-Poly1305 / BLAKE2s | Not FIPS-validated | Classical only |
| PQ TLS (inner) | X25519MLKEM768 / AES-256-GCM | FIPS 203, AES | Post-quantum hybrid |
| Internal CA | Ed25519 | FIPS 186-5 | Classical |
| Audit sealing | SHA3-256 + Ed25519 | FIPS 202, FIPS 186-5 | Classical (FIPS-approved) |
Key management: tunnel-rotate-keys.sh provides key rotation with dry-run safety, automatic backup, and audit logging. Per-peer keys are unique and generated at creation. All key files are created under umask 077 (mode 600, readable and writable only by the owner).
- Encrypted remote access with unique cryptographic identity per peer
- Managed network access control point (relay server)
- Double encryption for exposed services (WireGuard + PQ TLS)
- Structured audit logging with optional tamper-evident sealing
- Immediate peer revocation with archival
- Key rotation with dry-run verification and automatic backup
- Firewall isolation binding exposed services to tunnel subnet
- Input validation, defensive scripting, comprehensive test coverage
- Air-gap compatible operation with zero telemetry
The following ISO 27001 controls are outside the tunnel's scope:
- A.5.1 through A.5.14 Information security policies, roles, segregation of duties: organizational
- A.5.29 through A.5.37 Supplier relationships, business continuity, legal compliance: organizational
- A.6 People controls: HR security, awareness, disciplinary process
- A.7 Physical controls: physical security perimeters, equipment protection
- A.8.2 through A.8.4 Privileged access rights, information access restriction: application-level
- A.8.6 through A.8.8 Capacity management, malware protection, vulnerability management: infrastructure-level
- A.8.10 through A.8.12 Information deletion, data masking, data leakage prevention: application-level
- User identity management and multi-factor authentication: application-level
- FIPS-validated outer encryption: use IPsec with FIPS-validated modules if required