TCP-Native VPN. Works Where UDP Doesn't.
Konduit is a modern VPN built around a single principle: TCP transport that works when UDP is blocked.
WireGuard is excellent — until your ISP throttles or blocks UDP. Konduit solves that without the complexity of OpenVPN or the fragility of UDP-wrapping hacks. It runs fully in userspace, requires no elevated privileges, and gets out of your way.
Why Konduit?
Most VPNs treat TCP as a fallback. Konduit is designed for TCP from the ground up, which means:
- No HEAD-OF-LINE blocking from tunneling UDP into TCP
- Reliable behaviour on restrictive corporate and mobile networks
- WireGuard-level simplicity without the UDP dependency
Features
- TCP-native protocol — designed for TCP, not retrofitted
- Server-controlled routing — administrators enforce routing policy; clients cannot bypass it
- Userspace implementation — no kernel modules, no root required
- Hot config reload — update server configuration without dropping connections
- QR code provisioning — scan once, connect instantly
- Cross-platform — Linux, macOS, Android, iOS
- Modern cryptography — X25519 key exchange, ChaCha20-Poly1305 data channel
- Stealth mode — port 443 deployment with decoy proxy for hostile network environments
- Memory safe — written entirely in Rust
Download
Releases are published on the Releases page.
Linux (CLI)
# Download konduit-cli from the Releases page, then:
chmod +x konduit-cli
./konduit-cli connect --server vpn.example.com:443 --peer-id mydevice --psk YOUR_PSK
macOS · Android · iOS
Coming soon.
Architecture
Flutter UI (Dart)
│
flutter_rust_bridge (FFI)
│
Konduit engine (Rust)
├── TUN device (userspace)
├── TCP tunnel protocol
├── Key exchange (X25519)
└── Route manager
| Layer | Technology |
|---|---|
| UI | Flutter / Dart |
| Core engine | Rust (Tokio async) |
| FFI bridge | flutter_rust_bridge |
| Cryptography | ring / rustls |
| TUN device | tun crate (userspace) |
Openness Model
The konduit-platform crate is published here for transparency and security audit. It contains the cryptographic primitives, connection statistics, and platform networking layer (TUN device, DNS, routes) — everything an auditor needs to verify what runs on your machine. It is licensed under the PolyForm Noncommercial License 1.0.0 — free to read, study, and use for noncommercial purposes.
The VPN server, management UI, and stealth-mode protocol are proprietary. Keeping stealth mechanisms private makes automated DPI fingerprinting significantly harder. Source review under NDA is available for enterprise partners.
Security
No UDP dependency: Konduit does not require UDP at any layer.
Key storage: Private keys are stored in the OS secure enclave on every platform (iOS Keychain, macOS Keychain, Android Keystore). They are never written to disk in plaintext.
Stealth mode: On port 443, failed or unrecognized handshakes are proxied transparently to a configurable decoy service. From the outside, the server is indistinguishable from a standard HTTPS endpoint.
Support
Bug reports: Use the in-app reporting feature or open an issue in this repository.
Security vulnerabilities: Do not open a public issue. Contact the maintainer directly at the address shown in the application's About screen.
Contributing: Core development is handled internally. We do not currently accept external pull requests.
About
Created by Eugen Kaparulin.
Official binaries distributed by Konduit Oy.
© Eugen Kaparulin. All rights reserved.
konduit-platform is published under the PolyForm Noncommercial License 1.0.0.
All other parts of Konduit are proprietary.