Fexyn

Security at Fexyn

Last updated: March 2026

Multi-Protocol Encryption

Fexyn VPN supports three VPN protocols, each selected for specific security properties. All protocols use modern, audited cryptographic primitives.

WireGuard

ChaCha20-Poly1305 encryption, Curve25519 key exchange, BLAKE2s hashing. Formally verified protocol with a minimal attack surface (~4,000 lines of code). Our primary protocol for speed and security.

XRay VLESS Reality

TLS 1.3 with Reality fingerprinting is designed to make VPN traffic resemble ordinary HTTPS connections. This helps on restrictive networks where basic VPN signatures are blocked, while availability can vary by country, ISP, and blocking method.

OpenVPN

TLS 1.3 with ECDSA P-256, AES-256-GCM data channel. PKI-based authentication with 24-hour short-lived certificates issued by Vault PKI. Maximum compatibility fallback for restrictive network environments.

Split-Privilege Architecture

The desktop client uses a split-privilege design separating the user-facing application from privileged network operations. The user interface runs at standard user privileges while a separate SYSTEM-level service manages tunnel creation, routing table modifications, and firewall rules. This eliminates the need for UAC prompts and limits the blast radius of any potential vulnerability in the UI layer.

Kill Switch

The Fexyn kill switch uses Windows Filtering Platform (WFP) sublayer rules to block all non-VPN traffic at the network stack level. It engages before the tunnel is established and persists across process crashes, service restarts, and system reboots. DNS, IPv6, and LLMNR/NetBIOS leak vectors are blocked independently to prevent any traffic from bypassing the tunnel.

Infrastructure Security

Our VPN server infrastructure follows defense-in-depth principles:

  • Dedicated bare-metal servers with full-disk encryption and no shared tenancy
  • Agent API secured with TLS mutual authentication and per-server bearer tokens
  • Strict iptables firewall rules with default-deny policy and only protocol-specific ports exposed
  • Hardened systemd service units with ProtectSystem/ProtectHome/NoNewPrivileges
  • No logging of VPN traffic content or DNS queries on any server

Authentication and Identity

User authentication is managed through Keycloak with support for TOTP-based two-factor authentication. Device identity is verified using Ed25519 cryptographic signatures. API sessions use short-lived JWTs with automatic rotation. Enterprise customers can integrate their existing SSO provider through SAML or OIDC.

Credential Management

VPN credentials are short-lived by design. WireGuard keys are rotated per-session. OpenVPN certificates are issued with a 24-hour validity period via Vault PKI, eliminating the need for certificate revocation lists. XRay VLESS uses per-connection UUIDs with server-side validation. No long-lived secrets are stored on the client beyond the session lifecycle.

Software Supply Chain

All Fexyn-built binaries are signed with Azure Trusted Signing (Authenticode). The auto-update system uses dual-layer verification with Ed25519 signatures on the update manifest and Authenticode signatures on the downloaded binary. SHA-256 checksums are verified before installation. Third-party dependencies are audited and pinned to known-good versions.
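The manifest-signature and checksum steps described above, as an added Go example that is not Fexyn's code: it verifies the Ed25519 signature over the raw manifest bytes before parsing them, then compares the binary's SHA-256 to the signed digest. The JSON manifest layout and the names `Manifest`, `VerifyUpdate` and `demo` are assumptions, the key and inputs are constructed, and the Authenticode check is not shown.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical update manifest layout (assumption, not Fexyn's format).
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer binary
}

// VerifyUpdate authenticates the raw manifest bytes first, so unsigned data is
// never parsed, then checks the downloaded binary against the signed digest.
func VerifyUpdate(pub ed25519.PublicKey, raw, sig, binary []byte) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	got := sha256.Sum256(binary)
	if want, err := hex.DecodeString(m.SHA256); err != nil || !bytes.Equal(got[:], want) {
		return nil, fmt.Errorf("binary digest mismatch")
	}
	return &m, nil // an Authenticode check on the binary would follow here
}

// demo runs a constructed manifest and binary through three cases:
// untouched, manifest altered after signing, binary altered after signing.
func demo() (valid, manifestRejected, binaryRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key pair
	binary := []byte("constructed installer bytes")
	sum := sha256.Sum256(binary)
	raw, _ := json.Marshal(Manifest{Version: "1.2.3", SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, raw)
	_, e1 := VerifyUpdate(pub, raw, sig, binary)
	_, e2 := VerifyUpdate(pub, append([]byte(" "), raw...), sig, binary)
	_, e3 := VerifyUpdate(pub, raw, sig, append(binary, 0))
	return e1 == nil, e2 != nil, e3 != nil
}

func main() { fmt.Println(demo()) }
```

The altered manifest in the second case is still valid JSON with the same fields; it is rejected because the signature covers the exact bytes, not the parsed values.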

Traffic Verification

Every VPN connection is verified through a three-tier system: (1) public IP verification confirms traffic exits through the VPN server, (2) traceroute analysis confirms the first hop is the tunnel gateway, and (3) interface-bound probes confirm connectivity through the tunnel adapter. A connection is only reported as active after all three checks pass.

Reporting Vulnerabilities

If you discover a security vulnerability in Fexyn VPN, please report it responsibly by emailing security@fexyn.com. We take all reports seriously and will acknowledge receipt within 24 hours. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Transparency

We believe trust is built through transparency. The following resources document our commitments to user privacy and data protection.
