Tunnel Security

Double-Encrypted.
Quantum-Resistant. Stateless.

Two independent encryption layers protect every byte in transit. The relay sees nothing. Quantum computers change nothing. Break one layer, the other still holds.

Encryption layers: 2
Key exchange: ML-KEM-768
Keys on relay: 0
Revocation: Instant
Defense in Depth

Two Layers. Two Algorithms. Zero Overlap.

If either encryption layer is compromised, the other continues protecting your data independently.

Outer: WireGuard (ChaCha20-Poly1305)
Inner: PQ TLS 1.3 (AES-256-GCM)
Your Data
Plaintext only exists at endpoints

Outer Layer: WireGuard

Key Exchange: Curve25519 (ECDH)
Encryption: ChaCha20-Poly1305
Hash: BLAKE2s
Purpose: Fast, proven tunnel encryption

Inner Layer: PQ TLS 1.3

Key Exchange: X25519 + ML-KEM-768 (hybrid)
Encryption: AES-256-GCM
Hash: SHA3-256
Purpose: Quantum-resistant application security
Zero-Knowledge Relay

The Relay Sees Nothing.

The relay server forwards encrypted packets between peers. It holds zero encryption keys. If an attacker compromises the relay, they capture only opaque, encrypted data.

QP Relay (compromised)
Attacker sees: encrypted WireGuard packets. No keys. No metadata. No content.
Typical VPN (compromised)
Attacker sees: all traffic in plaintext. Browsing history. Credentials. Everything.
Peer A (your instance)
Holds private keys
Stateless Relay
Zero keys. Forwards packets only.
Peer B (remote instance)
Holds private keys
Quantum Threat

Harvest Now, Decrypt Later

Nation-states are recording encrypted traffic today, planning to decrypt it with quantum computers tomorrow. This is not theoretical; it is active intelligence doctrine.

1. Record

Adversaries capture and store encrypted traffic from fiber taps, compromised routers, and cloud providers.

2. Wait

They store petabytes of encrypted data, waiting for cryptographically relevant quantum computers (estimated 2030s).

3. QP Defeats This

Hybrid X25519 + ML-KEM-768 key exchange means even captured traffic remains encrypted against future quantum attacks.

peer-management
# Add a new peer
$ ./scripts/tunnel-add-peer.sh alice
[tunnel] Generating Curve25519 keypair...
[tunnel] Creating peer configuration...
[tunnel] QR code generated: /tmp/alice-peer.png
[tunnel] Peer "alice" added successfully.
# Instantly revoke access
$ ./scripts/tunnel-remove-peer.sh alice
[tunnel] Removing peer "alice"...
[tunnel] WireGuard config reloaded.
[tunnel] Peer "alice" revoked. Effective immediately.
Peer Management

Add in Seconds. Revoke Instantly.

Peer management is a single command. Add a peer, scan a QR code, connect. Revocation is immediate: the peer's keys are removed from the WireGuard configuration and reloaded in place.

One command to add a peer with QR code
Compatible with any WireGuard client
Instant revocation, no key rotation needed
Automatic key rotation on schedule
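
The revocation step described above, as an added example (not the product's own scripts): a shell function that removes one peer's [Peer] section from a WireGuard configuration by exact public-key match, plus a check that the key is gone. The function names, keys and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, keys and addresses are constructed placeholders.
ALICE_KEY='ALICE56789012345678901234567890123456789ABC='
BOB_KEY='BOBBY56789012345678901234567890123456789ABC='

sample_conf() {   # constructed server-side config with two peers
    cat <<EOF
[Interface]
PrivateKey = CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
ListenPort = 51820

[Peer]
# alice
PublicKey = $ALICE_KEY
AllowedIPs = 10.0.0.2/32

[Peer]
# bob
PublicKey = $BOB_KEY
AllowedIPs = 10.0.0.3/32
EOF
}

# remove_peer KEY < conf > new_conf
# Drops the whole [Peer] section whose PublicKey equals KEY; keeps the rest.
remove_peer() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) echo "invalid key" >&2; return 2 ;;
    esac
    awk -v key="$1" '
        function flush() { if (!drop) printf "%s", buf; buf = ""; drop = 0 }
        /^[ \t]*\[/ { flush(); inpeer = ($0 ~ /^[ \t]*\[Peer\]/) }
        { buf = buf $0 "\n" }
        inpeer && /^[ \t]*PublicKey[ \t]*=/ {
            v = $0
            sub(/^[ \t]*PublicKey[ \t]*=[ \t]*/, "", v)
            sub(/[ \t\r]+$/, "", v)
            if ((v "") == (key "")) drop = 1   # exact string compare, not a regex
        }
        END { flush() }
    '
}

# peer_present KEY < conf : succeeds if KEY still appears anywhere in conf
peer_present() { grep -F -q -- "$1"; }

# Applying the result to a live interface is a separate step, e.g. (assuming
# an interface named wg0 managed by wg-quick):
#   wg syncconf wg0 <(wg-quick strip wg0)
```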

Encrypt Everything.
Trust Nothing.

Double encryption. Stateless relay. Post-quantum key exchange. Network security that is ready for threats that do not exist yet.

NIST Level 3
WireGuard protocol
Instant key rotation