konduit/konduit-public
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
1e08ba34f08b77031e171ccc1b36d79d825ac852
konduit-public/README.md
E. Kaparulin 1e08ba34f0 Documentation update
2026-06-09 08:18:12 +03:00

128 lines
4.8 KiB
Markdown
Raw Blame History

<div align="center">
<img src="logo-horizontal.svg" alt="Konduit" height="52"/>
<br/><br/>
**TCP-Native VPN. Works Where UDP Doesn't.**
[![License: Proprietary](https://img.shields.io/badge/license-Proprietary-red)](LICENSE)
[![Platform](https://img.shields.io/badge/platform-Linux%20%7C%20macOS%20%7C%20Android%20%7C%20iOS-lightgrey)]()
[![Status](https://img.shields.io/badge/status-Beta-orange)]()
</div>
---
Konduit is a modern VPN built around a single principle: **TCP transport that works when UDP is blocked.**
WireGuard is excellent — until your ISP throttles or blocks UDP. Konduit solves that without the complexity of OpenVPN or the fragility of UDP-wrapping hacks. It runs fully in userspace, requires no elevated privileges, and gets out of your way.
## Why Konduit?
Most VPNs treat TCP as a fallback. Konduit is designed for TCP from the ground up, which means:
- No HEAD-OF-LINE blocking from tunneling UDP into TCP
- Reliable behaviour on restrictive corporate and mobile networks
- WireGuard-level simplicity without the UDP dependency
## Features
- **TCP-native protocol** — designed for TCP, not retrofitted
- **Server-controlled routing** — administrators enforce routing policy; clients cannot bypass it
- **Userspace implementation** — no kernel modules, no root required
- **Hot config reload** — update server configuration without dropping connections
- **QR code provisioning** — scan once, connect instantly
- **Cross-platform** — Linux, macOS, Android, iOS
- **Modern cryptography** — X25519 key exchange, ChaCha20-Poly1305 data channel
- **Stealth mode** — port 443 deployment with decoy proxy for hostile network environments
- **Memory safe** — written entirely in Rust
## Download
Releases are published on the [Releases](../../releases) page. Each release includes:
| Binary | Purpose |
|---|---|
| `konduit-server` | VPN server |
| `konduit` | CLI client (Linux) |
| `konduit-ctl` | Server provisioning tool |
### Linux (CLI)
```bash
# Download konduit and konduit-ctl from the Releases page, then:
chmod +x konduit konduit-ctl
# Bootstrap a server
echo "your secret mantra" | ./konduit-ctl bootstrap -l vpn.example.com:443 -p -
# Connect a client
./konduit connect --config client.toml
```
### macOS · Android · iOS
Coming soon.
## Server Setup
- [Server Quickstart](docs/server-quickstart.md) — install, provision, NAT setup for iptables and firewalld
- [Stealth Mode Setup](docs/stealth-setup.md) — HAProxy TCP passthrough + camouflage configuration
## Architecture
```
Flutter UI (Dart)
flutter_rust_bridge (FFI)
Konduit engine (Rust)
├── TUN device (userspace)
├── TCP tunnel protocol
├── Key exchange (X25519)
└── Route manager
```
| Layer | Technology |
|---|---|
| UI | Flutter / Dart |
| Core engine | Rust (Tokio async) |
| FFI bridge | flutter_rust_bridge |
| Cryptography | ring / rustls |
| TUN device | tun crate (userspace) |
## Openness Model
The [`konduit-platform`](./konduit-platform) crate is published here for transparency and security audit. It contains the cryptographic primitives, connection statistics, and platform networking layer (TUN device, DNS, routes) — everything an auditor needs to verify what runs on your machine. It is licensed under the [PolyForm Noncommercial License 1.0.0](LICENSE) — free to read, study, and use for noncommercial purposes.
The VPN server, management UI, and stealth-mode protocol are proprietary. Keeping stealth mechanisms private makes automated DPI fingerprinting significantly harder. Source review under NDA is available for enterprise partners.
## Security
**No UDP dependency:** Konduit does not require UDP at any layer.
**Key storage:** Private keys are stored in the OS secure enclave on every platform (iOS Keychain, macOS Keychain, Android Keystore). They are never written to disk in plaintext.
**Stealth mode:** On port 443, failed or unrecognized handshakes are proxied transparently to a configurable decoy service. From the outside, the server is indistinguishable from a standard HTTPS endpoint.
## Support
**Bug reports:** Use the in-app reporting feature or open an issue in this repository.
**Security vulnerabilities:** Do not open a public issue. Contact the maintainer directly at the address shown in the application's About screen.
**Contributing:** Core development is handled internally. We do not currently accept external pull requests.
---
## About
Created by **Eugen Kaparulin**.
Official binaries distributed by **[K-Ops Oy](https://k-ops.eu)**.
© Eugen Kaparulin. All rights reserved.
[`konduit-platform`](./konduit-platform) is published under the [PolyForm Noncommercial License 1.0.0](LICENSE).
All other parts of Konduit are proprietary.
[Privacy Policy](docs/privacy-policy.md)
Reference in New Issue View Git Blame Copy Permalink