● Windows client live · build 2026-05-07SHA-256 verified · 10.15 MB · WireGuard bundled

Apps · stage-1 · Windows live · macOS+Android Phase 4

Windows now. More to come.

One identity. One free seat. The Windows client ships today — self-contained, WireGuard bundled, no separate driver install. macOS and Android land in Phase 4. iOS, Linux desktop, and a Linux CLI are explicitly out of stage-1 scope — no half-shipped clients.

Windows

10 / 11 · x64 · privileged service + UI

↓ download · 10.15 MB · SHA-256 →

macOS

14.0+ · Apple Silicon + Intel

phase 4 · port from Wails Win build

Android

10+ · Kotlin · GoBackend

phase 4 · fork of wireguard-android

iOS

out of stage-1 scope

no plan

Linux desktop

out of stage-1 scope

use wg-quick directly

Linux CLI

cut entirely from stage 1

no plan

TV / router

out of stage-1 scope

no plan

Browser ext.

out of stage-1 scope

no plan

● WHAT IT LOOKS LIKE

One click. Connected.

A connect button bigger than the rest of the UI. We don't bury the thing you came to do — and the privileged service does the dangerous parts so the UI never needs admin rights at click-time.

→ Connect

→ Exits

→ LAN access

→ Diagnostics

→ Account

→ Settings

CONNECTED · PQC ACTIVE · WFP KILL SWITCH

Paris · FR

100.64.0.X → 172.99.189.166 · WG re-keys 120 s

CAP

10 Mbps

PEERS

/32 isolated

DNS

100.64.0.1 tunnel

● INSTALL · WINDOWS

Three steps. One binary.

Download the installer from dl.standvpn.com (10.15 MB)..\StandVPN-amd64-installer.exe

Verify the SHA-256 (recipe on the download page).(Get-FileHash -Algorithm SHA256 .\StandVPN-amd64-installer.exe).Hash.ToLower()

Run installer. NSIS does 8 phases including registering StandVPNService with the SCM. Sign in. Click Connect.net start StandVPNService # already done by installer

SmartScreen will warn until we ship an EV code-signing cert (deferred to pre-public-launch). Verify by SHA-256 in the meantime.

● BUILT INTO THE WINDOWS CLIENT

Power, not prompts.

→ 01 · LIVE

Kill switch always on.

WFP-level filters from wireguard-windows engage automatically when AllowedIPs covers 0.0.0.0/0. Drop the tunnel, drop the network — packets do not leak.

→ 02 · LIVE

LAN access ON by default.

Traffic to RFC1918 ranges (10/8, 172.16/12, 192.168/16) bypasses the tunnel. Your printer, NAS, smart-home hub keep working. Toggle off in one click.

→ 03 · LIVE

Privileged service split.

UI runs as your user. The dangerous parts (interface management, firewall, Wintun) live in StandVPNService behind a named-pipe ACL with caller-identity checks (audit-fix C1).

→ 04 · LIVE

WireGuard bundled.

The privileged service ships wireguard-go statically linked. No separate WireGuard for Windows install. No driver. No second installer. One binary, 10.15 MB.

→ 05 · PHASE β

Auto-reconnect.

On network change, sleep/resume, or VPN drop, the service re-handshakes without user action. MTU fallback included for hostile NATs.

→ 06 · LATER

Multihop · split-tunnel · obfuscation.

Out of stage-1 scope. Listed here so it is visible we cut these — not so we can claim them.

Free · Windows shipping · self-contained installer

Install. Click. Stand.

Download for Windows →PQC stack →