Secure Boundary • WireGuard + PQ TLS

Post-Quantum Encrypted.
Double-Layered.
Split-Tunnel Routed.

Tunnel connects remote teams to your on-prem AI without exposing a single port to the internet. WireGuard on the outside, post-quantum hybrid TLS 1.3 on the inside. The relay forwards ciphertext and sees nothing.

quantum-pipes/tunnel

Layers:
  WireGuard: X25519 · ChaCha20-Poly1305 · BLAKE2s · HKDF
  PQ-Hybrid TLS 1.3: X25519MLKEM768 · AES-256-GCM · Ed25519
  Relay: forwards encrypted packets; holds zero keys.

9 CLI commands · 57 concurrent services · 370+ tests · Zero cloud dependencies
Topology

Star Topology. Stateless Relay.
Split Tunnel.

All traffic flows through a stateless relay that forwards encrypted packets without decrypting them.

Nodes: Relay · Target · Peer A · Peer B · Peer C

Star, Not Mesh

No peer-to-peer complexity, no N-squared key management: each peer holds a single peer entry for the hub instead of one for every other peer.

Split-Tunnel

Only traffic for the tunnel subnet (10.7.0.0/24) is routed through the tunnel; everything else keeps its normal default route, so a peer's regular internet traffic never touches the relay.

NAT Traversal

Peers behind NAT only ever send outbound UDP to the relay's public endpoint, and WireGuard keepalives hold the NAT mapping open, so no inbound firewall rule or port forward is needed on the peer side.

244 Peers

10.7.0.0/24 supports up to 244 unique peers per tunnel (a /24 has 254 usable host addresses; the difference is addresses reserved for the tunnel's own endpoints rather than peers).

One Command

Expose a Service in One Command

$ tunnel-open --name hub --to localhost:3000

Port pool: 8443-8499 (57 concurrent services)

CLI

Nine Commands. Complete Control.

Every tunnel operation maps to a single, auditable CLI command. Each command is listed below with its flags and an example invocation.

Provision relay (local, SSH, DigitalOcean, or generate script)

Flags
--provider local|ssh|do|script
Example
$ tunnel-setup-relay --provider local --domain relay.example.com

Target joins relay with endpoint and public key

Flags
--endpoint <ip:port> --pubkey <key>
Example
$ tunnel-join --endpoint 198.51.100.1:51820 --pubkey aB3d...7xYz=

Add remote peer with QR code config generation

Flags
--name <peer>
Example
$ tunnel-add-peer --name alice

Revoke peer access and archive config

Flags
--name <peer>
Example
$ tunnel-remove-peer --name alice --archive

Live WireGuard peer status, handshakes, and transfer stats

Flags
(no flags required)
Example
$ tunnel-status
  peer-alice: 10.7.0.10 ✓ last handshake 12s ago, tx 4.2MB rx 1.8MB

Relay key rotation with dry-run and backup

Flags
--dry-run --backup
Example
$ tunnel-rotate-keys --dry-run
  [DRY RUN] Would generate new relay keypair and re-key 3 peers

Expose local service over tunnel with PQ TLS

Flags
--name <svc> --to <host:port>
Example
$ tunnel-open --name hub --to localhost:3000

Stop service exposure and archive certificates

Flags
--name <svc>
Example
$ tunnel-close --name hub
  ✓ Stopped proxy, archived certs, removed firewall rule

List active services with process status

Flags
(no flags required)
Example
$ tunnel-list
  hub      :8443  ✓ running  pid:4821  cert expires: 2027-03-05

Peers

Add a Peer in Seconds

One command generates keys, allocates an IP, creates the config, and produces a QR code.

$ tunnel-add-peer --name alice

Hardened

Security in Every Line

Defense-in-depth practices baked into every script and configuration file.

Strict peer name validation (alphanumeric, hyphens, underscores only)
No eval anywhere in codebase
umask 077, private keys mode 600
set -euo pipefail with ERR trap writing to audit log
Token masking in all log output
Idempotent scripts (safe to re-run)
Optional Capsule audit chain integration
audit.log (sample entries):
{"action":"tunnel_open","name":"hub","port":8443,"timestamp":"2026-03-05T14:32:01Z"}
{"action":"peer_add","peer":"alice","ip":"10.7.0.10","timestamp":"2026-03-05T14:33:15Z"}
{"action":"key_rotate","peers_rekeyed":3,"timestamp":"2026-03-05T15:00:00Z"}
{"action":"tunnel_close","name":"metrics","port":8444,"timestamp":"2026-03-05T16:12:30Z"}
{"action":"peer_remove","peer":"bob","archived":true,"timestamp":"2026-03-05T17:45:00Z"}
All tokens masked · Capsule chain integration optional
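The peer-add pipeline, the split-tunnel routing and the hardening rules above are easiest to see in working code. The script below is an added example and is not one of quantum-pipes/tunnel's own scripts: it validates the peer name the way the "Hardened" list describes, allocates the next free address in 10.7.0.0/24, writes a split-tunnel WireGuard client config with mode 600, and appends a JSON line to the audit log that carries no key material. Assumptions that are mine rather than the project's: state lives under `$QP_STATE`, peer hosts run from 10.7.0.10 to .253 (244 addresses, the figure the page quotes), the relay endpoint is the page's example 198.51.100.1:51820, and the peer's private key and hub's public key are passed in as arguments, so no `wg` binary is required to run it.

```shell
#!/usr/bin/env bash
# Added example, not one of quantum-pipes/tunnel's own scripts: a peer-add
# pipeline built to the "Hardened" list above (strict name validation, umask
# 077 / mode 600, set -eu + pipefail with an ERR trap that writes to the audit
# log, idempotent re-runs, no key material in logs) that emits a split-tunnel
# WireGuard client config for the star topology. Assumptions (mine, not the
# project's): state under $QP_STATE, peer hosts 10.7.0.10-.253 (244 addresses,
# the page's figure), and keys passed in as arguments so no `wg` binary is
# needed. pipefail/ERR are bash-only and guarded so plain sh also runs this.
set -eu
if [ -n "${BASH_VERSION:-}" ]; then
  set -o pipefail
  trap 'audit error "\"line\":$LINENO"' ERR
fi
umask 077                                   # everything we create is 0600/0700

QP_STATE="${QP_STATE:-./qp-demo-state}"
SUBNET_PREFIX="10.7.0"
FIRST_HOST=10
LAST_HOST=253
HUB_ENDPOINT="${HUB_ENDPOINT:-198.51.100.1:51820}"   # the page's relay example

# One JSON line per action. Names, addresses and line numbers only: private
# keys never pass through here, so nothing needs masking after the fact.
audit() {
  mkdir -p "$QP_STATE"
  printf '{"action":"%s",%s,"timestamp":"%s"}\n' "$1" "$2" \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$QP_STATE/audit.log"
}

# 1-32 chars of [A-Za-z0-9_-], no leading hyphen: the name becomes a filename
# and a command argument, so path separators and metacharacters are refused.
validate_peer_name() {
  case "$1" in ''|-*|*[!A-Za-z0-9_-]*) return 1 ;; esac
  [ "${#1}" -le 32 ]
}

# Next free host in 10.7.0.0/24, tracked as "name host" lines in ips.txt.
# A peer that already has an address keeps it (idempotent); a full pool fails.
allocate_ip() {
  local name="$1" table="$QP_STATE/ips.txt" existing host
  mkdir -p "$QP_STATE" && touch "$table"
  existing=$(awk -v n="$name" '$1 == n { print $2 }' "$table")
  [ -z "$existing" ] || { printf '%s.%s\n' "$SUBNET_PREFIX" "$existing"; return 0; }
  host=$FIRST_HOST
  while [ "$host" -le "$LAST_HOST" ]; do
    if ! grep -q " ${host}\$" "$table"; then
      printf '%s %s\n' "$name" "$host" >> "$table"
      printf '%s.%s\n' "$SUBNET_PREFIX" "$host"
      return 0
    fi
    host=$((host + 1))
  done
  echo "address pool exhausted (${FIRST_HOST}-${LAST_HOST})" >&2
  return 1
}

# Split tunnel: AllowedIPs routes only 10.7.0.0/24 into the tunnel (a full
# tunnel would say 0.0.0.0/0). PersistentKeepalive holds the NAT mapping to
# the relay open, so the peer never needs an inbound port.
write_peer_config() {
  local name="$1" ip="$2" peer_privkey="$3" hub_pubkey="$4"
  local conf="$QP_STATE/peers/$name.conf"
  mkdir -p "$QP_STATE/peers"
  if [ -f "$conf" ] && grep -q "^Address = $ip/24\$" "$conf"; then
    printf '%s\n' "$conf"; return 0        # already provisioned; nothing to redo
  fi
  cat > "$conf" <<EOF
[Interface]
PrivateKey = $peer_privkey
Address = $ip/24

[Peer]
PublicKey = $hub_pubkey
Endpoint = $HUB_ENDPOINT
AllowedIPs = $SUBNET_PREFIX.0/24
PersistentKeepalive = 25
EOF
  chmod 600 "$conf"                        # umask already did this; explicit on re-runs
  printf '%s\n' "$conf"
}

# The pipeline behind `tunnel-add-peer --name <peer>`: validate, allocate,
# write, audit; prints the config path. Failures are checked explicitly so the
# function still fails correctly where errexit is suppressed (under `if`/`!`).
add_peer() {
  local name="$1" peer_privkey="$2" hub_pubkey="$3" ip conf
  validate_peer_name "$name" || { echo "invalid peer name: $name" >&2; return 1; }
  ip=$(allocate_ip "$name") || return 1
  conf=$(write_peer_config "$name" "$ip" "$peer_privkey" "$hub_pubkey") || return 1
  audit peer_add "\"peer\":\"$name\",\"ip\":\"$ip\""
  printf '%s\n' "$conf"
}

# Stand-alone run with constructed placeholder strings (not real keys):
#   ./add-peer.sh --demo && cat ./qp-demo-state/peers/alice.conf
if [ "${1:-}" = "--demo" ]; then
  add_peer alice "CONSTRUCTED_PEER_PRIVKEY=" "CONSTRUCTED_HUB_PUBKEY="
fi
```

Two design points worth noting. The name check runs before the name is ever used as a path component, which is what keeps `../` and shell metacharacters out of `peers/<name>.conf`; and error handling inside `add_peer` is explicit (`|| return 1`) because bash suppresses `set -e` for any function called under `if` or `!`, so a pipeline that relies on errexit alone can silently continue after `allocate_ip` fails and write a config with an empty address.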

Night and Day

Remote access with Tunnel versus without.

Without Tunnel

  • Ports exposed to internet

    Every service is a target for port scanners.

  • Single encryption layer

    One compromised key exposes all traffic.

  • Manual VPN setup

    Hours of configuration per peer, per device.

  • No audit trail

    Who connected when? You'll never know.

  • Complex key management

    N-squared keys for mesh, manual rotation.

  • Relay sees traffic

    Traditional VPN gateways decrypt and re-encrypt.

With Tunnel

  • Zero exposed ports

The target and its services open nothing inbound; the only internet-facing listener is the relay's WireGuard UDP port, and a service is reachable only from inside the tunnel.

  • Double encryption

WireGuard + PQ-Hybrid TLS 1.3, layered: the TLS session runs inside the WireGuard tunnel, so every packet is encrypted twice under independent keys.

  • One command setup

    tunnel-add-peer --name alice. Done.

  • Capsule audit trail

    Every connection, rotation, and exposure is recorded.

  • Automated key rotation

    tunnel-rotate-keys with dry-run and backup.

  • Relay sees nothing

    Stateless forwarder with zero cryptographic keys.

Compliance

Regulations Demand Encrypted Transport.
Tunnel Delivers It.

Double-layer encryption, per-service isolation, and cryptographic audit trails map directly to what frameworks require.

HIPAA

§164.312(b), §164.312(e)(1)
Requires

Audit controls that record and examine activity in systems holding ePHI, and transmission security for ePHI sent over electronic networks

Tunnel Answer

Audit log of every peer add, exposure, and key rotation, plus encrypted PHI transmission with double-layer cryptography and per-service firewall isolation

CMMC

Level 2 / CUI
Requires

CUI protection in defense supply chains with encrypted transport

Tunnel Answer

Post-quantum encrypted tunnel with stateless relay ensures CUI never traverses an unprotected link

FedRAMP

AC-17 / SC-8
Requires

Remote access and transmission confidentiality for federal systems

Tunnel Answer

WireGuard + PQ-Hybrid TLS supports AC-17 remote access and SC-8 transmission confidentiality. The FIPS-approved primitives sit in the TLS layer (AES-256-GCM; ML-KEM-768 per FIPS 203); WireGuard's ChaCha20-Poly1305 and BLAKE2s are not FIPS 140 approved, so an authorization package should rest its FIPS claim on the TLS layer.

SOC 2

CC6.1 / CC6.6
Requires

CC6.1 (logical access security over protected information assets) and CC6.6 (protection against threats from outside the system boundary)

Tunnel Answer

Per-service certificates, automated firewall rules, and capsule audit integration for continuous compliance

Built For Teams That Need Zero Exposure

🌐 Remote Teams

Connect distributed offices to the AI stack without VPN complexity.

🏥 Healthcare

HIPAA-aligned remote access to on-prem patient AI systems.

🛡️ Defense

CMMC-ready encrypted tunnel for CUI protection.

💻 Developers

tunnel-open, tunnel-close. That's the API.

🔒 Security Teams

Double encryption, stateless relay, per-service firewall rules.

🏢 MSPs

Multi-provider relay setup for different client deployments.

Connect Your Team.
Zero Exposure.

Post-quantum encrypted tunnels, zero open ports, complete audit trails. Deploy on your hardware in minutes.

Post-Quantum · Double Encryption · Zero Exposed Ports · Apache 2.0 · 370+ Tests