4 exits live · FR · DE · US×2 · build 2026-05-07 Stage-1 free tier · open repo · read the stack →
Post-quantum · ML-KEM-768 hybrid · stage-1 build

A VPN that won't be readable when quantum lands.

StandVPN is a free, post-quantum-ready VPN built on WireGuard. Every tunnel uses a hybrid key exchange, ML-KEM-768 (NIST FIPS 203) alongside X25519, so traffic captured today stays unreadable on the day a cryptographically relevant quantum computer (CRQC) ships.

No credit card · no payment surface in stage 1
1 device per account · 10 Mbps per peer
No third-party audit yet — that's Phase γ
standvpn · session · paris-fr ● connected
Key exchange: PQC ML-KEM-768 + X25519
Tunnel: WG ChaCha20-Poly1305
Exits live: 4 · FR · DE · US×2
Handshake transcript · simplified
  // hybrid pqc handshake (NIST FIPS 203)
  x25519(client, server)                           → shared_classical
  ml_kem_768.encapsulate(server.pq_pub)            → shared_pqc
  hkdf_sha256(classical || pqc, "standvpn/wg-psk") → psk
  wg.handshake(psk, peer)                          → established
Stage-1 fleet · user-owned Proxmox baremetal · CGNAT 100.64.0.0/10 · /16 per exit
  PARIS · fr · 172.99.189.166 · cp+agent
  FRANKFURT · de · 216.106.187.194 · LXC · Xeon
  ASHBURN-1 · us-va · 66.163.122.37
  ASHBURN-2 · us-va · 66.163.122.60
WHY POST-QUANTUM, WHY NOW

Encryption you trust today is being recorded.

"Harvest now, decrypt later" is real. Adversaries with quantum programmes are storing encrypted traffic to break the day a cryptographically-relevant quantum computer ships. We use the NIST-ratified replacement — already, today, on every tunnel.

PQ
→ 01 / KEY EXCHANGE

ML-KEM-768 + X25519, hybrid

ML-KEM-768 (NIST FIPS 203) runs alongside X25519, and both shared secrets are mixed into the WireGuard pre-shared key via HKDF-SHA256. The tunnel is therefore no weaker than X25519 if ML-KEM is broken, and no weaker than ML-KEM if X25519 falls to a quantum computer: classical security floor, quantum-resistant ceiling.

→ 02 / PEER ISOLATION

4-layer enforcement

Four layers: WireGuard AllowedIPs pinned to a single /32 per peer, an nftables FORWARD rule that drops wg0→wg0 traffic, sysctl hardening, and an automated end-to-end test that proves the drop. Other peers cannot route to your tunnel address.

DNS
→ 03 / IN-TUNNEL DNS

Unbound on 100.64.X.1

Every exit runs its own Unbound resolver inside the tunnel, on the first host address of that exit's /16 (100.64.X.1). The client firewall blackholes the OS resolver path, so DNS queries can only reach the in-tunnel resolver and cannot leak to the ISP.

KS
→ 04 / KILL SWITCH

WFP-level, on by default

Windows Filtering Platform (WFP) rules engage automatically whenever the profile is full-tunnel (0.0.0.0/0 routed through WireGuard). No bypass: if the tunnel drops, the network drops with it, and packets do not leak.

LAN
→ 05 / LAN STAYS UP

Home network preserved

By default, traffic to the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) bypasses the tunnel, so your printer, NAS, and Roomba still work.

10M
→ 06 / 10 Mbps PER PEER

Linux tc htb, kernel-enforced

The stage-1 free-tier cap is attached with Linux tc htb when the peer is added: an honest cap, a hard limit, no fair-use clauses. It lifts when a paid tier ships.

THE HANDSHAKE

Hybrid by design.
Forward-secret by WireGuard.

We do not replace classical cryptography — we mix it. Each session runs an X25519 exchange, encapsulates a quantum-resistant secret with ML-KEM-768, and feeds both into the WireGuard pre-shared key via HKDF-SHA256.

  • NIST FIPS 203 ratified algorithm (ML-KEM-768)
  • WireGuard re-keys every 120 s with fresh X25519 ephemerals, so forward secrecy stays; the ML-KEM secret is fixed for the session inside the PSK, so the forward secrecy of those re-keys is classical
  • HKDF-SHA256 with canonical secret ordering (audit-fix C2)
  • Pre-shared key never traverses the wire
  # 1. classical handshake (X25519, RFC 7748)
  client.eph = x25519_keygen()
  classical  = x25519_dh(client.eph.priv, server.pub)
  # 2. post-quantum encapsulation (NIST FIPS 203)
  #    ct goes to the server, which decapsulates to the same pqc secret
  ct, pqc    = ml_kem_768.encapsulate(server.pq_pub)
  # 3. derive WireGuard PSK — canonical order (C2)
  psk        = hkdf_sha256(classical || pqc, info="standvpn/wg-psk/v1")
  # 4. open the WireGuard data plane
  wg.peer_add(peer=server, preshared_key=psk)
  wg.handshake()  → established · forward-secret · ChaCha20-Poly1305
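The key-exchange step (01 / KEY EXCHANGE) and the transcript above, worked end to end as an added example that is not StandVPN's code. X25519 is implemented from RFC 7748 in pure Python for illustration (use a vetted library in production), HKDF-SHA256 from RFC 5869, and the two static keys are the RFC 7748 §6.1 test vectors. The ML-KEM-768 shared secret is a constructed 32-byte stand-in, since FIPS 203 fixes the shared secret at 32 bytes but the KEM itself is out of scope here. The empty HKDF salt and the "classical first" combiner layout are assumptions modelled on the page's transcript.

```python
# Added example (not StandVPN's code): hybrid X25519 + ML-KEM-768 -> WireGuard PSK.
# X25519 follows RFC 7748 in pure Python for illustration only. The ML-KEM-768
# shared secret is a constructed 32-byte stand-in (FIPS 203 fixes K at 32 bytes).
# Empty HKDF salt and the "classical first" layout are assumptions from the page.
import base64
import hashlib
import hmac

P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + bytes(31)          # u = 9, little-endian


def _clamp(k: bytes) -> int:              # RFC 7748 §5 scalar decoding
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):    # branch-free conditional swap
    d = (-swap) & (a ^ b)
    return a ^ d, b ^ d


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 §5; returns the 32-byte shared u-coordinate."""
    k_int = _clamp(k)
    x_1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little")  # mask MSB
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3, z_3 = (da + cb) ** 2 % P, x_1 * ((da - cb) ** 2 % P) % P
        x_2, z_2 = aa * bb % P, e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, info: bytes, salt: bytes = b"", length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


PSK_INFO = b"standvpn/wg-psk/v1"          # label taken from the page's transcript


def derive_wg_psk(classical: bytes, pqc: bytes) -> bytes:
    """Canonical order (classical || pqc). Both inputs are fixed 32-byte secrets, so
    plain concatenation is unambiguous; swapping the order yields a different PSK."""
    if len(classical) != 32 or len(pqc) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    return hkdf_sha256(classical + pqc, PSK_INFO)


def wg_psk_b64(psk: bytes) -> str:
    """Format for `wg set <if> peer <pub> preshared-key <file>`: base64 of 32 bytes."""
    return base64.b64encode(psk).decode()


def hybrid_session(client_priv: bytes, server_priv: bytes, pqc_secret: bytes):
    """Run the exchange from both ends and return (client_psk, server_psk).
    In the real protocol the client encapsulates to server.pq_pub and sends the
    ciphertext; the server decapsulates to the same `pqc_secret` (constructed here)."""
    client_pub = x25519(client_priv, BASEPOINT)
    server_pub = x25519(server_priv, BASEPOINT)
    client_psk = derive_wg_psk(x25519(client_priv, server_pub), pqc_secret)
    server_psk = derive_wg_psk(x25519(server_priv, client_pub), pqc_secret)
    return client_psk, server_psk


# RFC 7748 §6.1 test vectors (Alice/Bob), used here as the two static keys.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
RFC7748_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
# Constructed stand-in for the ML-KEM-768 shared secret K (32 bytes per FIPS 203).
MLKEM_STANDIN = hashlib.sha256(b"constructed ml-kem-768 shared secret").digest()

if __name__ == "__main__":
    c_psk, s_psk = hybrid_session(ALICE_PRIV, BOB_PRIV, MLKEM_STANDIN)
    assert c_psk == s_psk
    print("wg preshared-key:", wg_psk_b64(c_psk))
```

The point to check in a combiner like this is that both ends arrive at the same 32-byte PSK, that the order of the two secrets is fixed by the protocol (swapping them silently produces a different key), and that the output is exactly what `wg set ... preshared-key` accepts; the ML-KEM ciphertext crosses the wire, the derived PSK never does.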
THE FLEET

Four exits.
User-owned baremetal.

No anycast magic, no resold-VPS supply chain. Each exit is a privileged LXC on Proxmox baremetal the operator owns, with a dedicated public IP and the WireGuard kernel module on a tuned 6.8 kernel.

  • 4 exits · 3 countries (FR · DE · US-Virginia ×2)
  • 10 Mbps per peer (Linux tc htb, kernel-enforced)
  • CGNAT 100.64.0.0/10 fleet-reserved · /16 per exit
  • cp ↔ agent over TLS with per-server SHA-256 cert pinning
[Fleet topology diagram: Ashburn ×2, Paris, Frankfurt]
PER-EXIT POSTURE · STAGE 1

Honest caps.
Same on every exit.

No "premium" countries, no upsell tiers on encryption. The 10 Mbps stage-1 free-tier cap is identical across all four exits, kernel-enforced via Linux tc htb at peer-add time.

Paris · FR · cp+agent · AMD · 172.99.189.166 · 10 Mbps cap
Frankfurt · DE · LXC · Xeon Silver 4116 (AVX-512) · 10 Mbps cap
Ashburn-1 · US-VA · LXC · 66.163.122.37 · 10 Mbps cap
Ashburn-2 · US-VA · LXC · 66.163.122.60 · 10 Mbps cap
NIST FIPS 203 · ML-KEM-768 · WIREGUARD KERNEL FAST-PATH (LINUX 6.8) · RFC 6598 CGNAT · 100.64.0.0/10 · ARGON2ID m=64M t=3 p=4 · HKDF-SHA256 · CANONICAL SECRET ORDER · WFP-LEVEL KILL SWITCH
STAGE-1 PRICING

Free, while we earn your trust.

No billing surface in stage 1. Sign up with email, verify, install, connect. Paid tiers ship in stage 2 once the audit work and EV code-signing land.

Stage 2 · later

Pro

→ Placeholder · not shipping yet
Lifts the 10 Mbps cap. No date.
  • Higher per-peer throughput (TBD)
  • Multi-device on one account
  • Same PQC stack — no encryption gating
  • Ships when 3rd-party audit + EV cert land
  • Anonymous payment options under evaluation
See the honest plan
BUILD RECEIPTS · STAGE 1

No press quotes. Just commits.

Every claim on this site links back to a file or commit in the open repo. If a number here doesn't match the source, the source wins.

PHASE α · CLOSED 2026-05-07

10/10 audit findings fixed

Pre-beta security blocker bundle: TLS pinning, IPAM race fix, allowlist sanitization, atomic Connect state, pipe ACL caller-identity, atomic file writes, LAN-default-on.

docs/fixes-registry.md
SMOKE MATRIX · 2026-05-07

4-exit Windows × ALL PASS

Connect → handshake → traffic → disconnect on Paris · Frankfurt · Ashburn-1 · Ashburn-2. Real-IP confirmation via am.i.mullvad.net/json on each.

tools/e2e/windows/4-exit-matrix.ps1
CGNAT MIGRATION · 2026-05-04

100.64.0.0/10 fleet pool

Migrated off 10.64.0.0/16 after a real bug: the LAN-bypass exemption for 10.0.0.0/8 also exempted the tunnel pool, so the in-tunnel resolver inside that pool was routed outside the tunnel it served. 100.64.0.0/10 (RFC 6598 shared address space) lies outside RFC 1918 and doesn't collide with consumer LANs.

CLAUDE.md · §Tunnel addressing
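The LAN-bypass rule (05 / LAN STAYS UP) and the addressing bug behind this migration, reproduced as an added example that is not StandVPN's code. It builds the client-side AllowedIPs list as 0.0.0.0/0 minus the RFC 1918 ranges, then checks whether an exit's in-tunnel resolver still falls inside that list: with a 10.64.0.0/16 pool it does not, with a 100.64.0.0/16 pool it does. The pool layout (one /16 per exit, Unbound at X.0.1, peers as /32s) follows the page; the function names are this example's own, and it uses only the Python standard library.

```python
# Added example (not StandVPN's code): split-tunnel AllowedIPs and the
# resolver-inside-the-tunnel check. Pool layout (one /16 per exit, Unbound at
# X.0.1, peers as /32s) follows the page; function names are this example's own.
from ipaddress import ip_address, ip_network

EVERYTHING = ip_network("0.0.0.0/0")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
CGNAT = ip_network("100.64.0.0/10")      # RFC 6598 shared address space, fleet pool


def exclude(nets, hole):
    """Remove `hole` from a list of CIDR blocks. Two CIDR blocks are either nested or
    disjoint, so each block is untouched, swallowed whole, or split around the hole."""
    out = []
    for net in nets:
        if not net.overlaps(hole):
            out.append(net)
        elif net.subnet_of(hole):
            continue                      # swallowed: this is what ate 10.64.0.0/16
        else:
            out.extend(net.address_exclude(hole))
    return sorted(out)


def allowed_ips(lan_bypass=True, bypass=RFC1918):
    """Client-side AllowedIPs: everything, minus the LAN ranges when bypass is on."""
    nets = [EVERYTHING]
    for hole in (bypass if lan_bypass else []):
        nets = exclude(nets, hole)
    return nets


def allowed_ips_line(nets):
    """Render for the [Peer] section of a wg-quick config."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def covered(nets, addr):
    """Is `addr` routed into the tunnel by this AllowedIPs list?"""
    addr = ip_address(str(addr))
    return any(addr in n for n in nets)


def resolver_for(exit_pool):
    """Each exit's Unbound listens on the first host of its /16 (100.64.X.1)."""
    pool = ip_network(exit_pool)
    if pool.prefixlen != 16:
        raise ValueError("exit pools are /16")
    return pool.network_address + 1


def peer_allowed_ip(exit_pool, index):
    """Server-side AllowedIPs for the index-th peer: one /32 inside the exit pool,
    skipping the network address and the resolver. This is the AllowedIPs layer of
    the isolation stack; the nft wg0->wg0 drop and sysctl are host config."""
    pool = ip_network(exit_pool)
    host = pool.network_address + 2 + index
    if host not in pool or host == pool.broadcast_address:
        raise ValueError("pool exhausted")
    return ip_network(f"{host}/32")


def check_profile(exit_pool, lan_bypass=True):
    """Does the resolver stay reachable through the tunnel for this pool?"""
    nets = allowed_ips(lan_bypass)
    resolver = resolver_for(exit_pool)
    return {
        "resolver": str(resolver),
        "resolver_in_tunnel": covered(nets, resolver),
        "pool_in_cgnat": ip_network(exit_pool).subnet_of(CGNAT),
        "tunneled_addresses": sum(n.num_addresses for n in nets),
    }


if __name__ == "__main__":
    print(allowed_ips_line(allowed_ips()))
    print("old pool:", check_profile("10.64.0.0/16"))   # resolver falls out of the tunnel
    print("new pool:", check_profile("100.64.0.0/16"))  # resolver stays in
```

The invariant worth asserting in an end-to-end test is the last field: with LAN bypass on, the tunneled address count must equal the whole IPv4 space minus exactly the three RFC 1918 blocks, and the exit's resolver must be inside that set. Any pool drawn from 10.0.0.0/8 fails the second check by construction, which is the bug the migration fixed.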
Free · post-quantum · Windows shipping · macOS+Android in Phase 4

Stand up your privacy. Today.