Security

Security Without Compromise

Multiple layers of cryptographic protection, a strict zero-logs architecture, and open-source protocols you can verify.

Zero-logs architectureNothing to hand over

Open-source protocolsFully auditable

Self-hosted serversNo cloud provider

TLS 1.3 RealityUndetectable traffic

AES-256-GCM / ChaCha20Military-grade encryption

No metadata retentionOnly what billing needs

Encryption

AES-256-GCM

Military-grade symmetric encryption used by Shadowsocks 2022 and legacy protocols. The gold standard for bulk data encryption.

ChaCha20-Poly1305

High-performance stream cipher used by WireGuard and AmneziaWG. Faster than AES on mobile devices without hardware acceleration.

TLS 1.3 + XTLS Reality

VLESS and Trojan use TLS 1.3 with the Reality extension. Traffic fingerprint mimics real HTTPS connections to legitimate domains — undetectable by passive DPI.

QUIC (Hysteria2)

Hysteria2 is built on QUIC with custom congestion control. UDP-based transport with TLS 1.3 inside — resistant to TCP fingerprinting.

No-Logs Policy

No activity logs

We do not log which websites you visit, which services you use, or what data you transfer. Your browsing history is never written to disk.

No connection logs

Connection timestamps, session durations, and IP addresses are not recorded. We cannot tell you when you last connected — because we do not track it.

Minimal metadata

We retain only what is technically necessary: your account email, subscription status, and total bandwidth consumed for billing. Nothing else.

Self-hosted DNS filtering

Per-device AdGuard Home DNS runs on our own infrastructure. DNS queries are filtered locally and not forwarded to third-party resolvers.

Protocol Security

VLESS + Reality

No shared PSK between server and client. Each connection is independently authenticated. Reality extension steals a real TLS certificate fingerprint from a target website.

AmneziaWG

WireGuard with obfuscated packet headers. Junk bytes (jc, jmin, jmax) and init header obfuscation (s1, s2) defeat statistical WireGuard detection. Header fields h1–h4 prevent fingerprinting.

Trojan

Traffic is indistinguishable from TLS 1.3 to a legitimate HTTPS server. If an incorrect password is presented, the proxy falls through to a real web server — no detectable VPN error response.

Shadowsocks 2022

AEAD-only, no legacy RC4/CFB modes. Session-based nonces prevent replay attacks. No identifiable packet structure — each packet appears random to a passive observer.

Infrastructure

Self-hosted bare metal

We rent and manage our own physical or dedicated virtual servers. No shared cloud hypervisors, no multi-tenant risk, no cloud provider snooping.

No third-party dependencies

sing-box, AmneziaWG, and mtg v2 are open-source protocol engines running directly on our servers. No commercial VPN software with opaque internals.

Hardened server configuration

All servers run UFW firewalls, non-standard SSH ports, fail2ban, dedicated service users (no root), and automated security updates.

Encrypted admin settings

Admin credentials and API keys are Fernet-encrypted at rest in the database. The encryption key is derived via HKDF-SHA256 and never stored alongside the data.

Anti-DPI Technology

TLS fingerprint mimicry

VLESS+Reality presents the exact TLS fingerprint of a chosen target domain (e.g., a CDN provider). DPI systems cannot distinguish this from legitimate HTTPS traffic to that domain.

HTTPS camouflage

Trojan wraps all traffic in a valid TLS session. The server hostname matches a real HTTPS site. Incorrect connections are proxied to that real site as a decoy.

WireGuard obfuscation

AmneziaWG randomizes the WireGuard handshake headers and adds configurable junk packets. The standard WireGuard DPI signature is completely eliminated.

QUIC transport

Hysteria2 uses QUIC (UDP-based), which is significantly harder to fingerprint than TCP-based protocols. Many DPI systems cannot inspect QUIC traffic at line rate.