
OBP — Operator Bridge Proxy — primer

Help Center primer for OBP — the daemon that runs on your notebook and gives an air-gapped bench short, supervised Internet access. Pairs with ADR 0022.

What it does

Your bench is intentionally air-gapped. But sometimes the bench needs to fetch something from the Internet (Tranco URL list, NGFW catalog refresh, self-upgrade artifact). OBP runs on your notebook, accepts a time-boxed reverse tunnel from the bench's GATEWAY.Art MÓDULO, and forwards requests only to destinations on a hard-coded allowlist.

When you close the laptop or the session expires, the bench is back to fully air-gapped. No autonomous Internet access ever.

When to use

  • Monthly Tranco URL list refresh (PURE Discovery Hub source E)
  • Quarterly NGFW catalog refresh (vendor docsite scrape)
  • Self-Upgrade channel poll (when you choose to)
  • PURE PVI internet-direct probes (rare)

When NOT to use

  • Any traffic to non-allowlisted destinations — OBP blocks these
  • Long-running Internet connections — sessions are 30 min max
  • Streaming content / video / large file downloads — by design, OBP throughput is low

How to install

Download the cosign-signed installer for your OS from https://download.tlsstress.art/obp/:

  • obp-installer.dmg (macOS)
  • obp-installer.msi (Windows)
  • obp-installer.deb / .rpm (Linux)

Verify signature:

cosign verify-blob obp-installer.dmg \
  --signature obp-installer.dmg.sig \
  --key https://tlsstress.art/cosign.pub

Run the installer. The daemon starts on boot and listens on localhost only.

How to authorize a session

  1. Connect notebook to OOBI mgmt segment + corporate Wi-Fi simultaneously (typical: USB-C dock or two NICs)
  2. Open the bench dashboard → /admin/obp/authorize
  3. Click "Authorize OBP session for 30 minutes"
  4. OBP daemon shows a system tray notification confirming the session is active
  5. Bench MÓDULOs (specifically CLONER) can now egress to Internet via your laptop until the session expires

What's allowed

Hard-coded allowlist, signed at OBP build time:

Destination                                                   Why
------------------------------------------------------------  --------------------------------------
upgrade.tlsstress.art                                         Self-Upgrade channel poll
tranco-list.eu                                                Curated URL list refresh
umbrella.cisco.com                                            DNS list (auth-required)
majestic.com                                                  Million list
Vendor docsites (FortiOS / PAN-OS / Cisco / Juniper / etc.)   Catalog refresh
*.routeviews.org                                              BGP saturation real Internet snapshots
ntp.tlsstress.art                                             NTP source

Anything else → blocked, logged.

What's NOT allowed

  • Operator's own internal corp servers (use a different mechanism)
  • General web browsing
  • Streaming media / large file downloads
  • DNS over HTTPS (uses standard system DNS)

Audit trail

Every byte forwarded is summarized in the bench audit log:

  • Timestamp
  • Destination (hostname only — no path/query)
  • Bytes transferred
  • Originating MÓDULO

This log serves as compliance evidence for SOC 2 / ISO 27001.
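As an added illustration of the two rules above (the signed allowlist with its wildcard entry, and the hostname-only audit record), here is Python that is not OBP's own code; the vendor docsite hostname, the session timestamps and the sample requests are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
SESSION_TTL = timedelta(minutes=30)

# Entries from the allowlist table above; "*." entries match subdomains. The vendor
# docsite host is an assumed placeholder (the page names vendors, not hostnames).
ALLOWLIST = frozenset({
    "upgrade.tlsstress.art", "tranco-list.eu", "umbrella.cisco.com", "majestic.com",
    "*.routeviews.org", "ntp.tlsstress.art", "docs.vendor.invalid",
})

def host_allowed(host: str) -> bool:
    """Exact match, or wildcard match on a proper subdomain: "*.routeviews.org" admits
    "archive.routeviews.org" but not the apex or a look-alike like "routeviews.org.evil.test"."""
    host = host.lower().rstrip(".")
    if host in ALLOWLIST:
        return True
    labels = host.split(".")
    return any("*." + ".".join(labels[i:]) in ALLOWLIST for i in range(1, len(labels) - 1))

@dataclass
class Session:
    """One authorized session; a bench allows a single active session at a time."""
    bench: str
    started: datetime
    def active(self, now: datetime) -> bool:
        return now < self.started + SESSION_TTL

def audit_record(session, now, connect_target, modulo, nbytes=0) -> dict:
    """Decide forward/block and build the audit entry. OBP is TLS passthrough, so the
    only destination it sees is the CONNECT/SNI hostname: no path or query is ever logged."""
    host = connect_target.rsplit(":", 1)[0].lower()  # strip ":port" if present
    if not session.active(now):
        verdict = "blocked:session-expired"
    elif host_allowed(host):
        verdict = "forwarded"
    else:
        verdict = "blocked:not-allowlisted"
    return {"ts": now.isoformat(), "dest": host, "modulo": modulo,
            "bytes": nbytes if verdict == "forwarded" else 0, "verdict": verdict}

# Constructed sample: one CLONER session, requests at +5, +5 and +31 minutes.
SESSION_START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [(5, "tranco-list.eu:443", 4096), (5, "www.example.com:443", 512),
          (31, "tranco-list.eu:443", 4096)]

def demo() -> list:
    s = Session("bench-1", SESSION_START)
    return [audit_record(s, SESSION_START + timedelta(minutes=m), tgt, "CLONER", n)
            for m, tgt, n in SAMPLE]
```

Note that the third request is refused purely on the session clock, even though its destination is allowlisted, which is the behaviour the 30-minute time-box above describes.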

Common questions

Can I edit the allowlist? No. The allowlist is signed at build time. Allowlist changes require a new signed OBP release.

Does OBP decrypt my traffic? No. TLS passthrough only — OBP doesn't terminate TLS, doesn't inject certs, doesn't see plaintext.

What if my notebook's Wi-Fi drops mid-session? The bench detects the broken tunnel within ~5s and surfaces an error in the dashboard. The current operation (e.g. CLONER catalog refresh) returns an actionable error.

Does the daemon need root? Only at install time (to bind the reverse tunnel listener). The daemon then drops privileges to the user obp.

Can multiple operators authorize concurrently? No. Single active session per bench. Operator B's authorization fails until operator A's session expires.