Konduit

**TCP-Native VPN. Works Where UDP Doesn't.**

[![License: Proprietary](https://img.shields.io/badge/license-Proprietary-red)](LICENSE) [![Platform](https://img.shields.io/badge/platform-Linux%20%7C%20macOS%20%7C%20Android%20%7C%20iOS-lightgrey)]() [![Status](https://img.shields.io/badge/status-Beta-orange)]()

---

Konduit is a modern VPN built around a single principle: **TCP transport that works when UDP is blocked.**

WireGuard is excellent — until your ISP throttles or blocks UDP. Konduit solves that without the complexity of OpenVPN or the fragility of UDP-wrapping hacks. It runs fully in userspace, requires no elevated privileges, and gets out of your way.

## Why Konduit?

Most VPNs treat TCP as a fallback. Konduit is designed for TCP from the ground up, which means:

- No head-of-line blocking from tunneling UDP into TCP
- Reliable behaviour on restrictive corporate and mobile networks
- WireGuard-level simplicity without the UDP dependency

## Features

- **TCP-native protocol** — designed for TCP, not retrofitted
- **Server-controlled routing** — administrators enforce routing policy; clients cannot bypass it
- **Userspace implementation** — no kernel modules, no root required
- **Hot config reload** — update server configuration without dropping connections
- **QR code provisioning** — scan once, connect instantly
- **Cross-platform** — Linux, macOS, Android, iOS
- **Modern cryptography** — X25519 key exchange, ChaCha20-Poly1305 data channel
- **Stealth mode** — port 443 deployment with decoy proxy for hostile network environments
- **Memory safe** — written entirely in Rust

## Download

Releases are published on the [Releases](../../releases) page.

### Linux (CLI)

```bash
# Download konduit-cli from the Releases page, then:
chmod +x konduit-cli
./konduit-cli connect --server vpn.example.com:443 --peer-id mydevice --psk YOUR_PSK
```

### macOS · Android · iOS

Coming soon.

## Architecture

```
Flutter UI (Dart)
    │
flutter_rust_bridge (FFI)
    │
Konduit engine (Rust)
    ├── TUN device (userspace)
    ├── TCP tunnel protocol
    ├── Key exchange (X25519)
    └── Route manager
```

| Layer | Technology |
|---|---|
| UI | Flutter / Dart |
| Core engine | Rust (Tokio async) |
| FFI bridge | flutter_rust_bridge |
| Cryptography | ring / rustls |
| TUN device | tun crate (userspace) |

## Openness Model

The [`konduit-platform`](./konduit-platform) crate is published here for transparency and security audit. It contains the cryptographic primitives, connection statistics, and platform networking layer (TUN device, DNS, routes) — everything an auditor needs to verify what runs on your machine. It is licensed under the [PolyForm Noncommercial License 1.0.0](LICENSE) — free to read, study, and use for noncommercial purposes.

The VPN server, management UI, and stealth-mode protocol are proprietary. Keeping stealth mechanisms private makes automated DPI fingerprinting significantly harder. Source review under NDA is available for enterprise partners.

## Security

**No UDP dependency:** Konduit does not require UDP at any layer.

**Key storage:** Private keys are stored in the OS secure enclave on every platform (iOS Keychain, macOS Keychain, Android Keystore). They are never written to disk in plaintext.

**Stealth mode:** On port 443, failed or unrecognized handshakes are proxied transparently to a configurable decoy service. From the outside, the server is indistinguishable from a standard HTTPS endpoint.

## Support

**Bug reports:** Use the in-app reporting feature or open an issue in this repository.

**Security vulnerabilities:** Do not open a public issue. Contact the maintainer directly at the address shown in the application's About screen.

**Contributing:** Core development is handled internally. We do not currently accept external pull requests.

---

## About

Created by **Eugen Kaparulin**. Official binaries distributed by **Konduit Oy**.

© Eugen Kaparulin. All rights reserved. [`konduit-platform`](./konduit-platform) is published under the [PolyForm Noncommercial License 1.0.0](LICENSE). All other parts of Konduit are proprietary.