Use case

For activists, NGO staff, and dissidents

Tools for the people doing the actual work, not the people writing about it.

Threat models for activists vary. A US college student organising a protest is not in the same position as a dissident inside Iran or a women's rights worker in Afghanistan. This page describes what Fexyn does; it doesn't replace operational security guidance from groups like Access Now, EFF, or Tactical Tech. When the stakes are high, talk to those people too.

The threat: network observation

Repressive states watch the network. Filters, man-in-the-middle interception, log-everything-and-grep policies. The local ISP knows when you go online and what you connect to. The state knows what the ISP knows. In some countries, "using a VPN" is itself a flag, because the act of switching to encrypted channels stands out.

The work then is two-layered. Encrypt the traffic so nobody can read it. And do it in a way that doesn't announce that traffic is encrypted by a VPN.

VLESS Reality, in one paragraph

Fexyn Stealth (VLESS Reality, run on XRay) wraps your traffic inside a real TLS 1.3 handshake to a real well-known site. The censor watching the wire sees what looks like an ordinary HTTPS connection to microsoft.com or cloudflare.com — including a valid certificate from a real CA. They can't distinguish your VPN session from someone else loading that site.

This is the differentiator that matters in censored environments. NordVPN's "obfuscated servers" and Proton's Stealth protocol both wrap VPN traffic in TLS-shaped padding. Reality goes further: the handshake is genuine, not shaped.

Technical details · Why this matters under DPI

Jurisdiction matters when subpoenas come

Fexyn LLC is a Wyoming, US entity. The US has strong First Amendment protections, warrant requirements that force government data requests through courts, and a long track record of pushback against gag orders.

We do not run servers in countries that compel data-sharing as a condition of operating. The network skips jurisdictions where data is demanded without due process.

We publish a warrant canary and update it monthly. If it stops being updated, ask why.

No browsing-history, DNS-query, or traffic-content logs

We can't hand over what we don't have. The specific commitment: Fexyn does not log browsing history, DNS queries, or traffic content. We keep account, billing, security event, and limited connection counter data — described in detail and with limits on the no-logs policy page. We have not yet completed a third-party audit; we say that openly rather than hide it.

Anonymous-as-possible signup

Email is the only required identifier. Use a pseudonymous one. We don't verify the name on the account.
Pay with cryptocurrency if a card-linked record is a risk. BTC, ETH, USDT, and others are accepted.
Account recovery uses the email on file. If you lose access to that email, recovery is harder by design — that's a feature, not a bug, for activists who don't want unauthorised recovery.

Short-lived certificates — threat-model fit

Devices get seized. People get pressured into unlocking phones. If the seized device has a long-lived VPN credential, the credential is a persistent compromise.

Fexyn issues client certificates valid for 24 hours. Tomorrow, the cert on the seized device is dead. Revoking it is automatic; the next refresh just doesn't happen.

What this page won't claim

That a VPN protects you from a hostile endpoint. If your laptop is compromised, the tunnel is irrelevant.
That Fexyn always works under every national-level filter. Filters update; protocols are an arms race. The trial covers a week, the refund covers the first paid period — try it.
That a VPN replaces Tor for anonymity work. They serve different threat models. Combine them when appropriate.
That we've been audited. We haven't. We will publish results when we are.