[] OCCLUDE
v1.0.0
A network-fingerprint daemon  ·  Linux & Windows  ·  MIT

Disappear into the crowd.

Occlude reshapes the TCP, TLS and HTTP/2 fingerprints your machine emits, in flight, to match a chosen profile—the same shape that millions of other hosts already emit. Open source, no telemetry, signed releases.

$ curl -sSL occlude.sh/install | sh signed releases  ·  no telemetry  ·  no daemon outside its socket
[] your fingerprint
live
Fetching your fingerprint...
[] live status chrome-132 / desktop-linux
up 4d 11h 22m  ·  pid 4127  ·  rss 2.8 MB
emitting
JA4t13d1516h2_8daaf6152771_b0da82dd1658 H21:65536, 3:1000, 4:6291456, 6:262144 p0fs:win:14400:mss=1460:ttl=64 ALPNh2, http/1.1
rewrites / second
142
past 60 s  ·  1.84M since boot
crowd size
11,431,200
hosts emitting this profile · 24 h
quietyou are herebusy
14:22:07.318 TLSClientHello rewritten → ja4 t13d1516h2_8daaf6152771_b0da82dd1658
[ § 01 ]

Synopsis. As a man page would put it.

Name
occludenetwork-fingerprint normaliser
Synopsis
occlude [-c config] [-p profile] start | stop | status | reload
About
A small daemon, roughly 3 MB on disk. No GUI; runs as a system service. Occlude intercepts outbound traffic before it leaves the host and rewrites the fields a passive observer would use to identify your stack, so that on the wire you look like any other machine running the same profile.
See also
live status  ·  occlude-profile(5)  ·  occlude.toml(5)
[ § 02 ]

The surface it normalises. Three layers, real fields, no magic.

TCP
Initial window, MSS, timestamp option, SACK permitted, window scale, TTL. The full p0f-style passive fingerprint is clamped to the profile's distribution so SYN packets aren't betrayed by an unusual wscale=14 or a Linux-ish ttl=64 on a macOS box.
resolves to p0f3:winx
TLS
ClientHello: cipher order, extension order, supported_groups, signature_algorithms, ALPN, key shares, GREASE. Rewrites the handshake so JA3 / JA4 hashes match a real released browser—not a heuristic that says "browser-ish".
resolves to ja4 / ja4_r
HTTP/2
SETTINGS frame values and order, WINDOW_UPDATE, header table size, pseudo-header order (:method :authority :scheme :path), priority frames. Akamai's HTTP/2 fingerprint matches the profile, not your client library.
resolves to akamai-h2
QUIC
Initial packet, transport parameters, version negotiation, ACK frequency. Same idea, applied to HTTP/3. Optional—disable per-profile if your kernel's UDP path can't keep up.
resolves to quic-fp
[ § 03 ]

How a session looks. From curl to the wire.

  curl https://example.com                       # your application, untouched+-----------------------------------------+
  | occlude · netfilter / pf hook         |  # intercept, no proxy
  |   rewrite TCP options ........ p0f3      |
  |   rewrite TLS ClientHello ..... ja4      |
  |   rewrite H2 SETTINGS ......... akamai   |
  +-----------------------------------------+wire  — observer sees a host indistinguishable from
        N=11.4M others currently emitting chrome-132/desktop-linux
[ § 04 ]

Install. Three lines, three platforms.

Linux kernel 5.10+
$curl -sSL occlude.sh/install | sh
Drops a systemd unit. Reads its config from /etc/occlude/profile.toml.
Windows 10 / 11
>winget install occlude
Installs as a Windows service. Configure via %APPDATA%\occlude\profile.toml.
Source Rust nightly
$cargo install occlude
Releases are signed with minisign. Public key in the repo.
[ § 05 ]

What it isn't. Honest about the boundary.

[ no ]

Not a VPN.

Occlude doesn't move your traffic. Pair it with one—your exit IP is still your exit IP.

[ no ]

Not a browser.

Application-level identifiers—cookies, canvas, fonts, audio context—are out of scope. Use a hardened browser for that surface.

[ no ]

Not an anti-fraud bypass.

Occlude doesn't masquerade as a residential proxy or fake device telemetry. If that's your use case, this isn't the tool.

[ no ]

Not a panacea.

If the same IP emits one profile in the morning and another in the afternoon, correlation does the rest. Pick a profile and stay there.

[ § 06 ]

Pricing. Free for TCP. Pro for the full stack.

Free
€0 / forever
  • TCP/IP fingerprint normalisation
  • p0f3-compatible profiles
  • CLI + systemd integration
  • Community profiles
  • Open source (MIT)
Install
Pro
€8.50 / month
or €69/year save 32%
  • Everything in Free
  • TLS ClientHello rewriting (JA4)
  • HTTP/2 SETTINGS normalisation
  • Browser profiles (Chrome, Firefox, Edge)
  • Automatic profile updates
  • Priority support
Get Pro
[ § 07 ]

Why it exists.

A passive observer doesn't need to read your packets to know who you are. The shape of your handshakes, the rhythm of your ACKs, the order of fields you've never heard of—these identify you across resets, across networks, across years. Occlude doesn't hide you. It dilutes you into a population that's already there. — from the README, 2026