Guardian (Gateway)
Guardian - Travel Companion
1.5GB RAM · $75 · Take Control of Your Security, Anywhere You Go
Guardian transforms a Raspberry Pi into your personal security gateway. Connect to any network - hotel WiFi, coffee shops, airports - with complete visibility into what’s being blocked and why.
No black boxes. No hidden decisions. No data leaving your device.
What Guardian Enables
| Capability | Description |
|---|---|
| Secure WiFi Hotspot | Create protected network bubble |
| L2-L7 Detection | Monitor threats at every layer |
| dnsXai Protection | AI-powered DNS filtering with explanations |
| Mesh Networking | Join collective defense |
| Full Dashboard | See everything happening |
Best For
- Travelers and remote workers
- Home network protection
- Personal privacy gateway
- Learning cybersecurity
- Small team deployments
Hardware Requirements
| Resource | Minimum | Recommended |
|---|---|---|
| Platform | Raspberry Pi 4 (2GB) | Raspberry Pi 5 (4GB) |
| RAM | 1.5GB | 2-4GB |
| Storage | 16GB microSD | 32GB+ A2-rated |
| Network | 1x WiFi + USB WiFi | 2x WiFi interfaces |
Approximate cost: ~$75-100
Installation
```bash
# Clone and install
git clone https://github.com/hookprobe/hookprobe.git
cd hookprobe
sudo ./install.sh --tier guardian
```
The installer handles everything:
- System packages (hostapd, dnsmasq, napse)
- Python dependencies
- WiFi configuration
- Service setup
After installation:
- Connect to HookProbe-Guardian WiFi
- Open http://192.168.4.1:8080
The Guardian Promise
| Traditional Security | Guardian (Transparent) |
|---|---|
| "Something was blocked" | "ads.tracker.com blocked: ML confidence 94%, Category: ADVERTISING, Reason: High entropy (4.2), CNAME resolves to demdex.net" |

Every decision is explainable. Every action is auditable.
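An added example (not HookProbe code) of how an explanation like the one above can be assembled: it computes the name's Shannon entropy, follows a CNAME chain to uncloak a tracker, and emits a record using the `shannon_entropy` and `cname_uncloaked` field names from the dnsXai record on this page. The tracker list, entropy threshold, `cname_chain` field and CNAME data are constructed assumptions, and the ML confidence and category are left out.

```python
import json
import math
from collections import Counter

# Constructed values for this sketch, not HookProbe's: tracker list, threshold, CNAME data.
TRACKER_SUFFIXES = ("demdex.net",)
ENTROPY_THRESHOLD = 3.5
SAMPLE_CNAMES = {"metrics.shop.example": "edge.cdn.example.",
                 "edge.cdn.example": "adobe.demdex.net."}

def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def uncloak(domain, cname_map, max_hops=8):
    """Follow CNAME records from domain; stop on a loop or after max_hops."""
    chain = [domain]
    while chain[-1] in cname_map and len(chain) <= max_hops:
        nxt = cname_map[chain[-1]].rstrip(".").lower()
        if nxt in chain:  # CNAME loop: stop instead of spinning
            break
        chain.append(nxt)
    return chain

def is_tracker(host):
    """Match on a label boundary so 'notdemdex.net' does not match 'demdex.net'."""
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)

def explain(domain, cname_map):
    """Build a decision record that states every feature behind the verdict."""
    domain = domain.rstrip(".").lower()
    entropy = round(shannon_entropy(domain), 2)
    chain = uncloak(domain, cname_map)
    tracker = next((h for h in chain[1:] if is_tracker(h)), None)
    reasons = []
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"High entropy ({entropy})")
    if tracker:
        reasons.append(f"CNAME resolves to {tracker}")
    return {
        "domain": domain,
        "decision": "BLOCKED" if tracker else "ALLOWED",  # entropy alone is reported, not blocked
        "features": {"shannon_entropy": entropy, "cname_uncloaked": tracker, "cname_chain": chain},
        "explanation": "; ".join(reasons) or "No blocking feature matched",
    }

if __name__ == "__main__":
    print(json.dumps(explain("metrics.shop.example", SAMPLE_CNAMES), indent=2))
```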
Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│                       YOUR SECURE BUBBLE                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  Untrusted WiFi ──► Guardian ──► Your Devices                   │
│  (Hotel/Airport)        │        (Laptop, Phone, Tablet)        │
│                         │                                       │
│                   ┌─────┴──────┐                                │
│                   │  You see   │                                │
│                   │ everything │                                │
│                   └────────────┘                                │
│                                                                 │
│  What Guardian shows you:                                       │
│  - Every blocked threat and why                                 │
│  - Every DNS query classification                               │
│  - Every suspicious activity                                    │
│  - Real-time security score                                     │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
Web Dashboard
Access at http://192.168.4.1:8080
Dashboard Tab
- QSecBit Score with full breakdown
- Network status - connected devices
- Threat summary - recent detections
Security Tab
- L2-L7 threat breakdown - every layer visible
- Mobile network trust - understand your risk
- IDS alerts - NAPSE explanations
- XDP stats - kernel-level metrics
DNS Protection Tab
- Every blocked domain with reason
- ML classification scores
- CNAME chain visibility
- Whitelist controls
Devices Tab
- Connected devices
- MAC addresses
- Connection history
- Export capability
Security Stack
| Component | Purpose | Transparency |
|---|---|---|
| dnsXai | DNS protection | Every block explained |
| NAPSE | IDS/NSM/IPS | Alert details visible |
| XDP/eBPF | DDoS protection | Stats and rules shown |
| Layer Detector | L2-L7 analysis | Reasoning exposed |
| Mesh Agent | Collective intel | Contribution visible |
L2-L7 Detection
Guardian monitors every network layer:
| Layer | Detects | Example Alert |
|---|---|---|
| L2 | ARP Spoofing, Evil Twin | "MAC changed for gateway" |
| L3 | IP Spoofing, ICMP Flood | "Unusual ICMP traffic" |
| L4 | Port Scans, SYN Flood | "50 connections to ports" |
| L5 | SSL Stripping | "TLS downgrade attempt" |
| L7 | SQL Injection, XSS | "Suspicious query blocked" |
dnsXai - Explainable DNS
Every DNS decision is transparent:
```json
{
  "domain": "suspicious-tracker.com",
  "decision": "BLOCKED",
  "confidence": 0.92,
  "category": "TRACKING",
  "features": {
    "shannon_entropy": 4.2,
    "ad_pattern_score": 0.15,
    "cname_uncloaked": "adobe.demdex.net"
  },
  "explanation": "High entropy domain resolving to known tracker"
}
```
Mesh Participation
Guardian connects to the global mesh:
What Guardian shares:
- Anonymized threat signatures
- ML weight updates
- Attack patterns (source removed)
What Guardian NEVER shares:
- Your IP address
- Your DNS queries
- Your browsing history
You benefit from global intelligence while keeping privacy.
QSecBit Scoring
Real-time security score:
Qsecbit = 0.30×threats + 0.20×mobile + 0.25×ids + 0.15×xdp + 0.02×network + 0.08×dnsxai
```
Current Score: 0.32 (GREEN)
├── Threats: 0.10 (low activity)
├── Mobile: 0.15 (trusted network)
├── IDS: 0.08 (no alerts)
├── XDP: 0.12 (normal traffic)
├── Network: 0.05 (stable)
└── dnsXai: 0.18 (ads blocked)
```
Management
```bash
# Check status
hookprobe-ctl status

# View logs
hookprobe-ctl logs -f

# Check health
hookprobe-ctl health

# View metrics
hookprobe-ctl metrics
```
Troubleshooting
Can’t connect to hotspot?
```bash
systemctl status hostapd
journalctl -u hostapd -n 50
```
Understand a block?
Dashboard → DNS Protection → Click domain for details
Whitelist a domain?
Dashboard → DNS Protection → Whitelist
Guardian vs Fortress
| Feature | Guardian | Fortress |
|---|---|---|
| Use Case | Travel, personal | Business, permanent |
| Network | Single | Multi-VLAN |
| Complexity | Simple | Advanced |
| Setup Time | 5 minutes | 30+ minutes |
| Transparency | Full | Full |
Upgrade Path
Ready for VLAN segmentation?
```bash
sudo ./install.sh --tier fortress --migrate
```
Fortress adds:
- VLAN segmentation
- OpenFlow SDN
- NAPSE IDS/NSM/IPS engine
- AEGIS AI orchestrator
- Local ML inference
Next Steps
- Fortress - Upgrade for business networks
- Configuration - Customize Guardian
- dnsXai Details - DNS protection deep dive
AI Intelligence (HIP)
Guardian integrates the HookProbe Intelligence Platform (HIP):
- Hardware Detection: Auto-detects NPU accelerators (RPi AI HAT, Coral TPU) via core/brain/hw_detect.py
- Inference Bridge: Unified classification API with tier-aware backend selection
- Local LLM: Optional SmolLM-135M (80MB) for edge alert triage
- HYDRA Lite: Lightweight threat feed sync + event consumer (100-200MB overhead)
```bash
hookprobe-ctl hw-info     # Check detected hardware
hookprobe-ctl brain-info  # Check inference bridge status
```
See Brain & NPU Detection for details.