Konduit is a modern VPN built around a single principle: TCP transport that works when UDP is blocked.
WireGuard is excellent — until your ISP throttles or blocks UDP. Konduit solves that without the complexity of OpenVPN or the fragility of UDP-wrapping hacks. It runs fully in userspace, requires no elevated privileges, and gets out of your way.
Why Konduit?
Most VPNs treat TCP as a fallback. Konduit is designed for TCP from the ground up, which means:
- No head-of-line blocking from tunneling UDP into TCP
- Reliable behaviour on restrictive corporate and mobile networks
- WireGuard-level simplicity without the UDP dependency
Features
- TCP-native protocol — designed for TCP, not retrofitted
- Server-controlled routing — administrators enforce routing policy; clients cannot bypass it
- Userspace implementation — no kernel modules, no root required
- Hot config reload — update server configuration without dropping connections
- QR code provisioning — scan once, connect instantly
- Cross-platform — Linux, macOS, Android, iOS
- Modern cryptography — X25519 key exchange, ChaCha20-Poly1305 data channel
- Stealth mode — port 443 deployment with decoy proxy for hostile network environments
- Memory safe — written entirely in Rust
Download
Releases are published on the Releases page. Each release includes:
| Binary | Purpose |
|---|---|
| `konduit-server` | VPN server |
| `konduit` | CLI client (Linux) |
| `konduit-ctl` | Server provisioning tool |
Linux (CLI)
```sh
# Download konduit and konduit-ctl from the Releases page, then:
chmod +x konduit konduit-ctl

# Bootstrap a server
echo "your secret mantra" | ./konduit-ctl bootstrap -l vpn.example.com:443 -p -

# Connect a client
./konduit connect --config client.toml
```
macOS · Android · iOS
Coming soon.
Server Setup
- Server Quickstart — install, provision, NAT setup for iptables and firewalld
- Stealth Mode Setup — HAProxy TCP passthrough + camouflage configuration
Architecture
```
Flutter UI (Dart)
│
flutter_rust_bridge (FFI)
│
Konduit engine (Rust)
├── TUN device (userspace)
├── TCP tunnel protocol
├── Key exchange (X25519)
└── Route manager
```
| Layer | Technology |
|---|---|
| UI | Flutter / Dart |
| Core engine | Rust (Tokio async) |
| FFI bridge | flutter_rust_bridge |
| Cryptography | ring / rustls |
| TUN device | tun crate (userspace) |
Openness Model
The konduit-platform crate is published here for transparency and security audit. It contains the cryptographic primitives, connection statistics, and platform networking layer (TUN device, DNS, routes) — everything an auditor needs to verify what runs on your machine. It is licensed under the PolyForm Noncommercial License 1.0.0 — free to read, study, and use for noncommercial purposes.
The VPN server, management UI, and stealth-mode protocol are proprietary. Keeping stealth mechanisms private makes automated DPI fingerprinting significantly harder. Source review under NDA is available for enterprise partners.
Security
No UDP dependency: Konduit does not require UDP at any layer.
Key storage: Private keys are stored in the OS secure enclave on every platform (iOS Keychain, macOS Keychain, Android Keystore). They are never written to disk in plaintext.
Stealth mode: On port 443, failed or unrecognized handshakes are proxied transparently to a configurable decoy service. From the outside, the server is indistinguishable from a standard HTTPS endpoint.
Support
Bug reports: Use the in-app reporting feature or open an issue in this repository.
Security vulnerabilities: Do not open a public issue. Contact the maintainer directly at the address shown in the application's About screen.
Contributing: Core development is handled internally. We do not currently accept external pull requests.
About
Created by Eugen Kaparulin.
Official binaries distributed by K-Ops Oy.
© Eugen Kaparulin. All rights reserved.
konduit-platform is published under the PolyForm Noncommercial License 1.0.0.
All other parts of Konduit are proprietary.