All exits operational · 4 liveStage 1 · free · no payment surface
Pricing · stage-1 free · honest stance

One tier.
Zero dollars.

No artificial gating on encryption. No "premium" countries. Stage-1 is a free tier with a hard 10 Mbps cap per peer — kernel-enforced, identical on every exit. A Pro tier ships in stage 2 once a third-party audit and EV code-signing certificate land.

Stage 1 · live

Free

→ 1 device per account · forever-free seat
$0/mo
Honest cap. Real product.
SAVE 100%
  • 10 Mbps per peer (Linux tc htb, kernel-enforced)
  • 4 exits live · all countries unlocked
  • ML-KEM-768 + X25519 hybrid PQC (NIST FIPS 203)
  • WireGuard data plane · ChaCha20-Poly1305
  • 4-layer peer isolation (WG /32 + nft + sysctl + e2e test)
  • In-tunnel unbound DNS resolver
  • WFP-level kill switch · on by default
  • LAN access ON by default — home network keeps working
  • Email + Cloudflare Turnstile + email verification at signup
Download for Windows
Stage 2 · later

Pro

→ Placeholder · not shipping yet
price TBD
No date. We will not pre-sell.
  • Higher per-peer throughput cap (figure TBD)
  • Multi-device on a single account
  • Same PQC stack — no encryption gating
  • Anonymous payment options under evaluation
  • Ships only after: 3rd-party audit (Phase γ)
  • Ships only after: EV code-signing cert ($350/yr)
  • Ships only after: Apple Developer Program ($99/yr)
  • Ships only after: privacy policy + ToS (legal review)
Read the stack
WHAT'S IN THE BOX

Free vs Pro.

Free · stage 1Pro · stage 2
Price$0/moTBD
Devices per account1multi (TBD)
Per-peer throughput10 Mbps caphigher (TBD)
Exits available4 (FR · DE · US×2)4 + future
PQC handshake (ML-KEM-768)
WireGuard data plane
Peer isolation (4 layers)
In-tunnel DNS (unbound)
WFP-level kill switch
LAN access ON by default
Anonymous paymentunder evaluation
3rd-party audit— (Phase γ)required
EV code-signing— (SmartScreen warns)required
PRIVACY STANCE

No payment surface, no PII pile.

Stage-1 takes email + Turnstile signal. No name, no address, no card. We can't disclose what we don't have. Email is for account recovery only — we will publish a privacy policy and warrant canary before stage 2 ships.

ABUSE STANCE

Caps are real, kernel-enforced.

Outbound SMTP (25/465/587) blocked. Per-IP signup throttle (3/hr). 100 GB/day soft-throttle, 500 GB/day hard-disable. Connection-rate cap at 100 new TCP/sec/peer. abuse_reports table for triage. Every cap lives in code, not in a contract you don't read.

FAQ

Plain answers.

No catch — there's no payment infrastructure to charge you with. Stage 1 is a real product on user-owned baremetal: 4 exits, hard 10 Mbps cap per peer, all the privacy invariants. We're earning trust before charging for it. The honest tradeoff is the 10 Mbps cap (kernel-enforced via Linux tc htb) and the 1-device limit. If those don't fit, wait for Pro in stage 2.
A future cryptographically-relevant quantum computer (CRQC) breaks RSA, ECDH, and X25519. Adversaries are already capturing encrypted traffic to decrypt later. We use the NIST-ratified replacement, ML-KEM-768 (FIPS 203), in a hybrid mode with X25519 — both secrets are HKDF-mixed into the WireGuard pre-shared key with canonical ordering. Captured traffic stays unreadable when CRQC ships.
ML-KEM-768 is NIST's recommended security category for general use (≈AES-192-equivalent post-quantum). 1024 buys very little extra security at non-trivial bandwidth cost. The handshake here is bandwidth-sensitive on every connect. Same standard, smarter parameter pick.
Operational metrics yes (per-peer bandwidth counters for the 10 Mbps cap and the daily throttle). Per-flow / per-destination logs no. Auth + signup ledger yes (email, hashed password with Argon2id m=64M t=3 p=4, IP at signup time for the 3/hr throttle). A formal warrant canary lives behind privacy-policy work in stage 2.
No EV code-signing certificate yet. Cost (~$350/yr, e.g. SSL.com) is deferred to right before public-facing launch — we'd rather spend that once across our whole binary distribution. SmartScreen warns; the SHA-256 published on the download page lets you verify the binary independently.
Windows ships now. macOS and Android land in Phase 4. iOS and Linux desktop / CLI are explicitly out of stage-1 scope — no half-shipped clients. The Android app is a fork of the official wireguard-android (GPLv2, Kotlin + GoBackend) so the cryptography is identical to the desktop client.
Stage 1 · free · 4 exits · post-quantum · Windows shipping

Take the stand.

Download free Read the stack