Security
Download verification
How to download Fexyn VPN safely and confirm the installer is the one we built.
Where to download Fexyn from
The only official source for the Fexyn VPN Windows installer is the download page on this domain:
- https://fexyn.com/download — the public download page
- https://updates.fexyn.com/fexyn-vpn-setup.exe — the canonical installer URL the page links to
We do not publish Fexyn on third-party download mirrors, software bundlers, or torrent sites. If you find a Fexyn installer on any other host, treat it as untrusted until you have verified the signature using the steps below.
Verify the Authenticode signature on Windows
Every Fexyn-built Windows binary is signed with Microsoft Authenticode through Azure Trusted Signing. The signature is embedded in the installer itself — you do not need a separate checksum file to verify it.
- Right-click the downloaded
fexyn-vpn-setup.exeand choose Properties. - Open the Digital Signatures tab. If the tab is missing, the file is not signed and should not be installed.
- Select the signature in the list and click Details. Confirm the signer name shown is Fexyn LLC.
- Click View Certificate and confirm the certificate is valid and issued by Microsoft Identity Verification CA.
Windows SmartScreen will also check the signature when you first run the installer. A signed installer from Fexyn LLC will not show a "Publisher: Unknown" warning.
Verify with PowerShell
If you prefer a command line check, run this from PowerShell in the folder where you downloaded the installer:
Get-AuthenticodeSignature .\fexyn-vpn-setup.exe |
Select-Object Status, SignerCertificateYou should see Status : Valid and a certificate subject containing Fexyn LLC. Any other status — NotSigned, HashMismatch, UnknownError — means the file should not be installed.
SHA-256 checksum
We are working on publishing a per-release SHA-256 checksum on the changelog page so you can compare it against your downloaded file. Until that is live, the embedded Authenticode signature is the authoritative authenticity check — it is cryptographically tied to the build pipeline and any modification breaks the signature.
In the meantime, you can compute the hash of your installer yourself. From PowerShell:
Get-FileHash .\fexyn-vpn-setup.exe -Algorithm SHA256Or from a regular Command Prompt (cmd.exe):
certutil -hashfile fexyn-vpn-setup.exe SHA256When the changelog publishes per-release hashes, both values should match exactly.
Auto-update integrity
Once Fexyn is installed, app updates are delivered through a dual-layer verification system. Every update manifest is signed with Ed25519 keys held by Fexyn, and every downloaded binary must also pass the Authenticode signature check before the installer will replace the running app. SHA-256 checksums are verified before any installation step runs.
If any of those checks fail, the update is rejected and the installed version keeps running — the app will not silently install an unverified binary.
If a verification check fails
- Do not run the installer. Delete the file.
- Re-download from fexyn.com/download. An interrupted download can produce a broken file with no signature; a fresh download usually resolves it.
- If the second download still fails verification, email security@fexyn.com with the file size, the source URL, and a screenshot of the signature dialog. We take supply-chain reports seriously and will respond within 24 hours.
Last reviewed: April 2026. Verification commands and the Authenticode signing process are stable across releases; the changelog will note any change to the SHA-256 publishing cadence.
Related reading
- Security overview — protocols, kill switch, infrastructure
- Download Fexyn for Windows
- Changelog — release notes
- No-logs policy
Found a security issue with the download or update pipeline? Email security@fexyn.com. For general questions, contact support@fexyn.com.