Use case

A VPN for remote work that doesn't fight you

For people who work from cafés, hotels, and second apartments and need security that stays out of the way.

The problem with most consumer VPNs at work

They prompt you. UAC dialogs every connect. Driver re-installation warnings. Random reconnect popups in the middle of a Zoom call. This is what happens when a VPN client runs entirely in user space and has to ask the OS for kernel privileges every time the tunnel changes.

Fexyn splits the desktop client into two pieces: the UI you sign in to, and a Windows SYSTEM-level helper service that owns tunnel creation, routing, and firewall rules. The UI never needs admin rights. Connect, disconnect, switch protocol — no prompts. Your screen share keeps working.

Kill switch that actually fires before exposure

The window most people miss: when a VPN drops, there are usually 200–800ms before the client notices and starts a reconnect. During that window, every open connection your laptop has — Slack, the corp wiki, the staging dashboard you SSH'd into — sends packets out your real ISP IP.

Fexyn's kill switch uses Windows Filtering Platform filters at the kernel level. The filters exist before the VPN handshake completes and stay in place across reconnects, sleep, and hibernate. Nothing leaves your machine outside the tunnel during a drop. For someone SSH'd into production from a hotel, this is the difference between a clean reconnect and a leaked session.

24-hour certificates, not 12-month ones

Most VPN services issue you a client certificate that's valid for months or years. If that certificate gets pulled off a stolen laptop, the attacker can impersonate you on the VPN until somebody manually revokes it — and certificate revocation lists are famously slow to propagate.

Fexyn issues short-lived certificates from a HashiCorp Vault PKI, valid for 24 hours. Even if a cert is compromised, it expires the next day. This is the same pattern Let's Encrypt brought to the public web by shortening cert lifetimes; we apply it to VPN clients.

For remote-work threat models — laptop theft, lost phones, a coffee shop where someone shoulder-surfed your session — this is meaningful. You don't need to chase down certificate revocation; the cert is gone tomorrow.

Three protocols, no manual fiddling

The networks remote workers sit on are wildly inconsistent. Hotel Wi-Fi blocks UDP. Co-working networks block VPN signatures. Some corporate guest networks only allow TCP/443. Fexyn ships three protocols and rotates if one is blocked:

Fexyn Bolt (WireGuard) — your daily-driver protocol on clean networks
Fexyn Stealth (VLESS Reality / XRay) — when the network blocks VPN traffic by signature
Fexyn Secure (OpenVPN) — TCP/443 fallback for the most locked-down networks

You don't pick the protocol unless you want to. The app handles it.

Teams & org features

Fexyn has team plans with centralised billing, member management, and bulk provisioning. Engineering teams get one bill, one admin, and per-seat pricing. We don't market this hard yet because we're still in Beta; if you're interested in a team rollout, contact support and we'll set it up directly.

For solo contractors, the standard plan covers what you need: multiple devices, all three protocols, kill switch, no logs.

What we won't pretend to do

Replace your company's VPN. Fexyn is a personal VPN. If your employer mandates Cisco AnyConnect or Tailscale into a private network, run that and run Fexyn separately for personal traffic.
Solve hostile-network problems your endpoint can't solve. A VPN encrypts traffic in transit; it doesn't protect against malware on the laptop itself.
Hide you from your employer's MDM. If you're on a corporate-managed laptop, the MDM sees what it sees regardless of the VPN.