Document Ref: WP-0.3.0

R-VPN Technical Whitepaper

A Stealth Transport Protocol with Double Ratchet Encryption.

VERSION: 0.3.0
DATE: March 2026
STATUS: Technical Specification

01 Executive Summary & Transport

R-VPN is a next-generation VPN architecture designed to operate over WebSocket/TLS on port 443, making encrypted traffic indistinguishable from standard HTTPS.

The protocol replaces traditional static key exchanges with the Double Ratchet Algorithm, providing forward secrecy and post-compromise security. All traffic is multiplexed over a single WebSocket connection on port 443.

TLS is implemented via BoringSSL to produce a Chrome-identical TLS 1.3 ClientHello fingerprint, neutralizing passive JA3/JA4 fingerprinting deployed by modern DPI firewalls.

TLS_MIMICRY.RS
use boring::error::ErrorStack;
use boring::ssl::{SslConnector, SslMethod, SslVersion};

// TLS 1.3 Chrome Fingerprint
fn build_chrome_connector() -> Result<SslConnector, ErrorStack> {
    let mut builder = SslConnector::builder(SslMethod::tls())?;
    // Require TLS 1.3 for every connection.
    builder.set_min_proto_version(Some(SslVersion::TLS1_3))?;
    // Cipher preference string, written as one string with no embedded
    // newlines. BoringSSL's TLS 1.3 suite set is fixed, so this string
    // governs the pre-1.3 suites that are offered.
    builder.set_cipher_list(
        "TLS_AES_128_GCM_SHA256:\
         TLS_AES_256_GCM_SHA384:\
         TLS_CHACHA20_POLY1305_SHA256",
    )?;
    // ALPN list is length-prefixed on the wire: 0x08 followed by "http/1.1".
    builder.set_alpn_protos(b"\x08http/1.1")?;
    Ok(builder.build())
}

02 Threat Model Mitigations

Threat             | Adversary Capability             | R-VPN Mitigation
-------------------|----------------------------------|---------------------------------------------------------------
Passive Observer   | Traffic analysis, flow timing    | 0-64 byte frame padding, constant-rate injection
DPI Systems        | Protocol fingerprinting          | WebSocket over TLS 1.3, BoringSSL Chrome mimicry
Censorship         | Active probing, domain blocking  | Decoy website masking (HTTP 200 OK to unauthenticated probes)
Compromised Keys   | Future key compromise            | Post-compromise security via Double Ratchet
Quantum Adversary  | Store-now-decrypt-later attacks  | Hybrid PQC mode (ML-KEM + X25519)

03 Cryptographic Architecture

R-VPN completely abandons the static handshakes of OpenVPN and WireGuard in favor of a dynamic, self-healing cryptographic state.

3.1 X3DH Key Agreement

Initial handshakes utilize Extended Triple Diffie-Hellman. The client retrieves the server's signed prekey, computes 4 DH shared secrets, and derives the root key via HKDF-SHA256.

3.2 Double Ratchet

Post-handshake, the connection is governed by the Double Ratchet Algorithm.

The symmetric-key ratchet evolves chain keys per message, giving forward secrecy; the DH ratchet rotates asymmetric keys, giving post-compromise security.

3.3 Post-Quantum Hybrid

To protect against "store now, decrypt later" attacks, R-VPN uses a hybrid X25519 + ML-KEM-768 construction, with ML-KEM as specified in NIST FIPS 203 and implemented within the application logic.

Because TCP streams can reorder messages, R-VPN implements a MessageReorderBuffer that buffers up to 1,000 out-of-order messages, allowing the strict ratchet state to process frames correctly without dropping connections.
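The reorder buffer described above, as an added example that is not the project's own code: it assumes each frame carries a 64-bit sequence number and that the ratchet must consume frames strictly in order. It releases contiguous runs as soon as they complete, treats a repeated sequence number as a replay, and reports a full buffer as an explicit error instead of silently dropping frames.

```rust
use std::collections::BTreeMap;

/// Upper bound on held-back frames (the whitepaper's 1,000 figure).
pub const MAX_BUFFERED: usize = 1_000;

#[derive(Debug, PartialEq)]
pub enum ReorderError {
    /// Sequence number already delivered or already buffered: duplicate or replay.
    Replay(u64),
    /// Accepting this frame would exceed MAX_BUFFERED out-of-order frames.
    Overflow(u64),
}

/// Holds frames that arrive ahead of the next expected sequence number so the
/// ratchet only ever consumes them in strict order. (Assumed interface.)
pub struct MessageReorderBuffer {
    next_seq: u64,
    pending: BTreeMap<u64, Vec<u8>>,
}

impl MessageReorderBuffer {
    pub fn new() -> Self {
        Self { next_seq: 0, pending: BTreeMap::new() }
    }

    /// Accepts one frame (sequence number assumed to come from the frame header)
    /// and returns every frame that is now deliverable, in order.
    pub fn push(&mut self, seq: u64, frame: Vec<u8>) -> Result<Vec<(u64, Vec<u8>)>, ReorderError> {
        if seq < self.next_seq || self.pending.contains_key(&seq) {
            return Err(ReorderError::Replay(seq));
        }
        // The in-order frame is always accepted because it drains immediately;
        // only genuinely out-of-order frames count against the cap.
        if seq != self.next_seq && self.pending.len() >= MAX_BUFFERED {
            return Err(ReorderError::Overflow(seq));
        }
        self.pending.insert(seq, frame);
        let mut ready = Vec::new();
        while let Some(frame) = self.pending.remove(&self.next_seq) {
            ready.push((self.next_seq, frame));
            self.next_seq += 1;
        }
        Ok(ready)
    }

    /// Number of frames currently held back.
    pub fn pending_len(&self) -> usize {
        self.pending.len()
    }
}
```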

04 Smart Routing & Optimizations

A production VPN deployment requires intelligent traffic routing to preserve bandwidth and reduce latency. R-VPN integrates an advanced routing engine natively within the client.

RADIX TRIE: IP CIDR Lookup

Longest prefix matching with O(log n) complexity. ~2MB for 8,000 routes.

SUFFIX TRIE: Domain Rules

Instant hierarchy traversal for domain-based routing rules.

BLOOM FILTER: Ad/Tracker Lists

O(1) negative lookups for 1M+ ad domain rules.

FAKEIP POOL: Deferred DNS

Zero DNS leaks, near-zero initial connection latency.

05 Zero-Copy Rule Distribution

Parsing million-line ad-block lists and geographic IP databases at startup creates severe latency. R-VPN utilizes a multi-tier caching strategy focused on zero-copy deserialization.

Format       | Load Time             | Characteristics
-------------|-----------------------|---------------------------
RAW TEXT     | ~500 ms               | Slow parsing penalty
BINCODE      | ~100 ms               | Compact binary format
RKYV / MMAP  | ~1 ms (recommended)   | Instant, zero-copy access

How It Works

Rules are serialized using rkyv and loaded instantly via memory-mapped files (mmap2), bypassing traditional parsing entirely.

For enterprise/fleet management, differential (delta) updates are pushed via Redis L2 caching.

06 Zero-Surface Management Philosophy

A critical weakness in modern VPN deployments is the exposure of HTTP/REST management APIs, RPC interfaces, or even local admin sockets. Each of these is an additional attack surface for credential theft, privilege escalation, and zero-day exploitation.

R-VPN solves this by having absolutely no management interface. All operational parameters, routing rules, and key mappings are defined entirely via static configuration files (TOML) read at startup. Because there are no admin APIs, web dashboards, or control sockets to compromise, an adversary cannot manipulate the running state of the node.

NO MANAGEMENT API

No HTTP endpoints, no RPC interfaces, no admin sockets. Nothing to exploit at runtime.

STATIC CONFIG (TOML)

All parameters defined at startup. Immutable at runtime. No dynamic reconfiguration surface.