Add an Endpoint
Each ACSC endpoint represents an allowed connection through a local ACSC interface to a remote ACSC peer.
In order to set up a working ACSC connection, each side of the connection must be configured with an endpoint to the other side of the connection. You can use the add-endpoint wizard to guide you through the process of adding these two corresponding endpoints; or you can use the manual set-up process described below to add one endpoint at a time.
Use Guided Set-Up Wizard
Follow these steps to use the Connection Wizard to add an endpoint:
- Click the Hosts link in the app header.
- Find the host containing the interface in the list, and click its name to view the host’s main status page.
- Find the interface in the Interfaces panel, and click its name to view the interface’s main status page.
- Click the “plus” icon on the right side of the Endpoints panel.
- Select the Use guided set-up wizard radio button, then click the Next button.
- Follow the instructions from the Connection Wizard documentation.
Configure Manually
Follow these steps to add an endpoint manually:
- Click the Hosts link in the app header.
- Find the host containing the interface in the list, and click its name to view the host’s main status page.
- Find the interface in the Interfaces panel, and click its name to view the interface’s main status page.
- Click the “plus” icon on the right side of the Endpoints panel.
- Select the Configure manually radio button, then click the Next button.
- Fill in the fields of this form as described below:
Peer
Select the peer identity which can be accessed at this endpoint, either by entering the name of a peer already added to ACSC in the Peer field, or by adding a new peer by clicking the New button next to the Peer field. This peer represents the public-key pair used by a remote host to authenticate itself to this host (and corresponds to the “PublicKey” setting in a wg-quick-style configuration file).
You can type part of a name in the Peer field to filter the displayed list of peers from which to choose. Use the up and down arrow keys to highlight a peer from the list, and use the tab or enter key to select the highlighted peer. Only peers not already used by another endpoint of this interface will be listed.
If you click the New button next to the Peer field, an Add Peer dialog will appear, allowing you to register a new peer identity with ACSC. You can then select this peer to use as the remote identity for the endpoint.
Allowed IPs
Enter the individual IP addresses or CIDR blocks that this interface can access through the endpoint, like “10.0.0.0/24, fd00::/64”, in the Allowed IPs field. Separate multiple addresses or blocks with commas, newlines, or other whitespace.
TIP: To send all traffic through this endpoint by default, set the Allowed IPs field to “0.0.0.0/0, ::/0”.
Disallowed IPs
Enter the individual IP addresses or CIDR blocks that should not be sent through this interface, like “10.0.0.123, fd00:0:0:0:1234::/80”, in the Disallowed IPs field. Separate multiple addresses or blocks with commas, newlines, or other whitespace.
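The two address fields above accept the same item syntax (addresses or CIDR blocks separated by commas, newlines or other whitespace). The following is an added example, not ACSC's own code: it parses that syntax with Python's standard `ipaddress` module and, as an assumption about how the fields combine, carves the disallowed blocks out of the allowed ones to show which ranges remain reachable through the endpoint.

```python
import ipaddress

# Constructed sample values in the format the Allowed IPs and Disallowed IPs
# fields accept: items separated by commas, newlines or other whitespace.
ALLOWED_FIELD = "10.0.0.0/24, fd00::/64\n192.0.2.0/28"
DISALLOWED_FIELD = "10.0.0.123 fd00:0:0:0:1234::/80"

def parse_ip_field(text):
    """Split a field on commas/whitespace and return ip_network objects.
    A bare address such as 10.0.0.123 becomes a /32 (or /128) network;
    anything that is not an address or CIDR block raises ValueError."""
    items = text.replace(",", " ").split()
    # strict=False tolerates host bits set in the block, e.g. 10.0.0.5/24
    return [ipaddress.ip_network(item, strict=False) for item in items]

def effective_networks(allowed, disallowed):
    """Carve every disallowed block out of the allowed blocks and return the
    ranges that remain. Assumption: this is how the two fields combine for
    routing purposes; it is an illustration, not ACSC's own logic."""
    result = []
    for net in allowed:
        pieces = [net]
        for excl in disallowed:
            if excl.version != net.version:
                continue
            kept = []
            for piece in pieces:
                if piece.subnet_of(excl):
                    continue                      # whole piece is excluded
                if excl.subnet_of(piece):
                    kept.extend(piece.address_exclude(excl))
                else:
                    kept.append(piece)            # no overlap
            pieces = kept
        result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, int(n.network_address)))

def covers(networks, address_text):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(address_text)
    return any(addr.version == n.version and addr in n for n in networks)

def allowed_ips_line(networks):
    """Render the remaining blocks as a wg-quick-style AllowedIPs line."""
    return "AllowedIPs = " + ", ".join(str(n) for n in networks)
```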
Allowed Apps
If you want the ACSC connection to be used only by a few specific applications, enter their process names, like “chrome, firefox, msedge”, in the Allowed Apps field.
You can also specify applications by the full path to their executable file (like “C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe”), or the full path to an ancestor directory (like “C:\Program Files (x86)\Microsoft”).
TIP: Usually you should keep this field empty (so that all applications on the system will use the ACSC connection by default).
Disallowed Apps
If you want to exclude a few specific applications from using the ACSC connection, enter their process names, like “chrome, firefox, msedge”, in the Disallowed Apps field.
You can also specify applications by the full path to their executable file (like “C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe”), or the full path to an ancestor directory (like “C:\Program Files (x86)\Microsoft”).
IMPORTANT: This field should always include the “acsc-agent-service” application (to ensure that the ACSC control plane and data plane are kept separate).
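The Allowed Apps and Disallowed Apps fields both accept a bare process name, a full executable path, or an ancestor directory. As an added example (not ACSC's matcher), the code below shows one reasonable interpretation of those three forms, including the edge case where an ancestor-directory entry must match only on a path-component boundary; it assumes Windows-style, case-insensitive paths.

```python
import ntpath

# Constructed sample field value in the format the Allowed Apps /
# Disallowed Apps fields accept (process names, executable paths or
# ancestor directories, comma-separated). "acsc-agent-service" is the
# entry the docs say Disallowed Apps should always carry.
DISALLOWED_APPS_FIELD = (
    "acsc-agent-service, chrome, "
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, "
    r"D:\Tools"
)

def parse_app_field(text):
    """Split on commas/newlines (paths may contain spaces) and strip."""
    return [t.strip() for t in text.replace("\n", ",").split(",") if t.strip()]

def _norm(path):
    # Assumption: Windows paths compare case-insensitively with either slash.
    return ntpath.normcase(ntpath.normpath(path))

def entry_matches(entry, exe_path):
    """Does one field entry match a process's executable path?
    - bare name: compared to the file name with or without ".exe"
    - absolute path to a file: exact (normalised) path match
    - absolute path to a directory: match only on a path-component boundary,
      so "C:\\Foo" matches "C:\\Foo\\bar.exe" but not "C:\\FooBar\\x.exe".
    This is an interpretation of the field description, not ACSC's code."""
    exe = _norm(exe_path)
    base = ntpath.basename(exe)
    stem = base[:-4] if base.endswith(".exe") else base
    if not ntpath.isabs(entry):
        name = entry.lower()
        return name == base or name == stem
    ent = _norm(entry)
    if ent == exe:
        return True
    return exe.startswith(ent.rstrip("\\") + "\\")

def matching_entries(field_text, exe_path):
    """All entries in the field that match the given executable path."""
    return [e for e in parse_app_field(field_text) if entry_matches(e, exe_path)]
```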
Hostname
Optionally enter the remote hostname or IP address to which this interface should connect, like “vpn.example.com” or “192.0.2.1”, in the Hostname field (this corresponds to the hostname portion of the “Endpoint” setting in a wg-quick-style configuration file).
TIP: You need to set the hostname on one side of an ACSC connection – either on the endpoint from this host to the remote host, or on the corresponding endpoint from the remote host to this host. If the remote host has a static DNS name or IP address, enter it here.
Port
If you entered a hostname or IP address in the Hostname field, enter the destination UDP port on that remote host, like “51820”, in the Port field (this corresponds to the port portion of the “Endpoint” setting in a wg-quick-style configuration file). Otherwise leave this field blank.
Persistent Keepalive
Optionally enter the number of seconds between keepalive packets to send to the endpoint, like “25”, in the Persistent Keepalive field. Leave blank to not send keepalive packets.
TIP: If a stateful firewall that does not allow new inbound connections to this host (such as a firewall doing Network Address Translation, NAT) sits between this host and the remote endpoint, and you want the remote endpoint to be able to initiate new inbound connections to this host (for example, to SSH from the remote endpoint into this host), you will need Persistent Keepalive. A value of “25” (seconds) usually works well for this purpose.
Preshared Key
Optionally enter a randomly-generated, base64-encoded 256-bit key, like “/UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=”, in the Preshared Key field. Leave blank to not use a preshared key for this endpoint.
ACSC is built on top of WireGuard, which uses X25519 public-key pairs to establish an encrypted connection between two peers. While there are no known practical issues with WireGuard’s public-key cryptography, preshared keys can be used to hedge against potential future issues, such as the ability of quantum computers to break elliptic-curve-based cryptosystems. Additionally, preshared keys are much more practical to rotate frequently than public-key pairs, since preshared keys are simply shared secrets between two endpoints, whereas public-key pairs identify peers globally, across the whole ACSC network.
The preshared key value configured for this endpoint must match exactly the preshared key value for the corresponding endpoint on the remote host.
If the remote host is also an ACSC host, you have already set up the corresponding endpoint there with a preshared key, and that key is stored by ACSC, then ACSC will automatically use the same key for this endpoint (so you will not have to enter it here). If the corresponding endpoint is configured with a preshared key that is not stored by ACSC, the UI will instead display the SHA-256 hash of that key, so you can verify that you’ve entered the same key in this endpoint’s Preshared Key field.
If you’ve not set up the corresponding endpoint on the remote host yet, you can generate a new preshared key by clicking the Generate button next to the Preshared Key field.
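The key format and the hash check described above can be reproduced outside the UI. This is an added example, not ACSC's code: it generates a key of the required shape (32 random bytes, base64-encoded, as `wg genpsk` produces), rejects a pasted key of the wrong length or encoding, and compares the key you typed against a displayed SHA-256 hash. The page does not say whether ACSC hashes the raw key bytes or the base64 text, so the example computes both and treats a match on either as success.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# The sample key shown on this page (a valid 256-bit key, base64-encoded).
SAMPLE_KEY = "/UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak="

def generate_preshared_key():
    """Return a fresh 256-bit key as base64 text, the form the Preshared Key
    field accepts (the same shape `wg genpsk` produces)."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")

def decode_preshared_key(text):
    """Validate a pasted key: strict base64 that decodes to exactly 32 bytes.
    Returns the raw bytes or raises ValueError with the reason."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw

def preshared_key_fingerprints(text):
    """Two candidate SHA-256 hex digests for a key: one over the decoded
    32 bytes and one over the base64 text. Assumption: ACSC uses one of
    these; the page does not state which, so both are returned."""
    raw = decode_preshared_key(text)
    return (hashlib.sha256(raw).hexdigest(),
            hashlib.sha256(text.strip().encode("ascii")).hexdigest())

def matches_displayed_hash(text, shown_hash):
    """True if the key you typed matches the hash the UI shows for the
    corresponding endpoint (case-insensitive, constant-time comparison)."""
    shown = shown_hash.strip().lower()
    return any(hmac.compare_digest(fp, shown)
               for fp in preshared_key_fingerprints(text))
```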
Socks5 Proxy
Optionally enter the hostname or IP address and port of a SOCKS5 proxy through which this interface should connect, like “proxy.example.com:1080”, in the Socks5 Proxy field.
TIP: Usually you should keep this field empty (unless this endpoint connects to the Anti-Cloud Hub).
Socks5 Proxy Username
If you entered a hostname or IP address in the Socks5 Proxy field, enter the SOCKS5 username to use to connect to it, like “exampleusername”, in the Socks5 Proxy Username field. Otherwise, skip this field.
Socks5 Proxy Password
If you entered a username in the Socks5 Proxy Username field, enter the SOCKS5 password to use to connect to it, like “examplepassword”, in the Socks5 Proxy Password field. Otherwise, skip this field.
Form Submit
Click the Add button to submit the form and queue the creation of the endpoint.
The next time the ACSC agent on the host pings the ACSC management server, the agent will receive the information about the new endpoint, and add it on the host.