Technology · stage-1 stack

Defence-grade.
Future-proof. Verifiable.

A free, post-quantum-ready VPN built on WireGuard. Hybrid ML-KEM-768 + X25519 mixed into the WireGuard PSK. No closed components — every claim links to a file in the open repo.

Inspect the stack →Audit posture (honest) →

● THE STACK

Seven layers. All open.

App / desktop client

Wails v2 (Go + React/Vite/TS) · privileged service · named-pipe IPC

apps/desktop/

Control plane

Go · chi · sqlc · Postgres · Argon2id m=64M t=3 p=4 · Turnstile · email verify

PQC handshake

ML-KEM-768 + X25519 · HKDF-SHA256 → WireGuard PSK · canonical secret order (fix C2)

FIPS 203

Tunnel data plane

Server: Linux 6.8 in-kernel WireGuard · Client: wireguard-go (statically linked)

10 Mbps cap

Exit agent + addressing

Go agent · wgctrl-go · tc htb 10 Mbps · CGNAT 100.64.0.0/10 · /16 per exit · unbound DNS

server/exit-agent/

Network & isolation

nftables FORWARD wg0→wg0 drop · sysctl · IPv6 disabled in tunnel · WFP kill switch (Win)

4-layer isolation

Hardware & physical

Privileged LXC on user-owned Proxmox baremetal · dedicated public IP per LXC · no commercial VPS

Owned metal

● HANDSHAKE · SIMPLIFIED

PQC hybrid key derivation.

# 1. classical handshake (X25519, RFC 7748) client.eph = x25519_keygen() classical = x25519_dh(client.priv, server.pub) # 2. post-quantum encapsulation (NIST FIPS 203) ct, pqc = ml_kem_768.encapsulate(server.pq_pub) # 3. mix into the WireGuard PSK # canonical order classical || pqc (audit-fix C2) psk = hkdf_sha256(classical || pqc, info="standvpn/wg-psk/v1") # 4. WireGuard does the rest wg.peer_add(peer, preshared_key=psk) wg.handshake() # Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s → established · re-keys every 120 s · forward-secret

● CRYPTOGRAPHIC SPECIFICATIONS

The primitives.

Key encapsulation

ML-KEM-768NIST FIPS 203

Classical companion

X25519RFC 7748

Symmetric AEAD

ChaCha20Poly1305 · RFC 8439 · 256-bit

PSK derivation

HKDF-SHA256RFC 5869 · canonical order

Tunnel

WireGuardLinux 6.8 kernel · wireguard-go

Forward secrecy

AlwaysWG re-keys every 120 s

Password hashing

Argon2idm=64MiB · t=3 · p=4 · 166ms

Bot defence

TurnstileCloudflare · signup throttle 3/hr/IP

● ROADMAP

The cliff is real. We've already started climbing.

2025

NIST ratifies

FIPS 203 (ML-KEM) · FIPS 204 (ML-DSA) · FIPS 205 (SLH-DSA) published. Hybrid PQC becomes deployable.

2026-Q1

Phase 1–2 build

Control plane · exit agent · co-located test exit · peer isolation · DNS-leak end-to-end tests.

May '26

Phase α closed

10/10 audit findings fixed. 4-exit Windows smoke matrix all-pass. Stage-1 free tier ready for private beta.

2026-Q3

Phase β · γ

Service Recovery · auto-reconnect · sleep/resume · MTU fallback. 3rd-party audit + EV code-signing cert.

2031

RSA falls

RSA-2048 expected break at scale. Anything not encrypted with PQC becomes effectively plain text.

● AUDIT & ASSURANCE · HONEST POSTURE

Trust is earned, not claimed.

● INTERNAL AUDITS · STAGE 1

What we have done.

Two internal audit passes (server-side and client-side) drove the Phase α blocker bundle. Every finding is tracked through to a commit, with a regression test where applicable.

SERVER AUDIT V2CLOSED · 2026-05-06

CLIENT AUDITCLOSED · 2026-05-07

PHASE α · 10 BLOCKER FIXESCLOSED · 2026-05-07

FLEET RIGHT-SIZING + CGNATCLOSED · 2026-05-07

4-EXIT WINDOWS SMOKE MATRIXPASS · 2026-05-07

● WHAT WE DON'T HAVE YET

Honest TODO.

No third-party crypto audit yet — that's a Phase γ milestone. We won't claim Cure53 / Trail of Bits / SOC 2 / ISO until they have actually happened. Same for the warrant canary.

3RD-PARTY CRYPTO AUDITTODO · PHASE γ

EV CODE-SIGNING CERTTODO · PRE-PUBLIC LAUNCH

APPLE DEVELOPER PROGRAMTODO · WHEN macOS SHIPS

WARRANT CANARY (PGP)PLANNED · STAGE 2

Defence-grade.Future-proof. Verifiable.