# SilverVPN

**Status**: v1 (Linux MVP) — planning

Always-on VPN with no logs, run on SilverLABS infrastructure. Mullvad-style account-number signup (no email, no name).

## v1 approach

- **Protocol**: WireGuard. Period. (Battle-tested, tiny attack surface, performant.)
- **Account**: random 16-digit account number; no email, no PII
- **Payment**: separate channel (SilverDotPay / crypto / payment processor) with no link back to account number
- **Exit nodes**: SilverLABS-operated initially; geographically diverse
- **Kill-switch**: enforced at firewall layer (nftables on Linux, NetworkExtension content filters on Apple)
- **DNS**: encrypted DNS through tunnel; no DNS leaks
- **Per-device keys**: each device gets its own WireGuard key; revoke per-device

## Server-side

Lives in `SilverLABS/silver-vpn-infra` (separate repo). This repo holds the **client** code only.

## What we do not do

- We do not log connection metadata beyond what is operationally required (typically just real-time peer state, not retained)
- We do not bundle ad-blocking — that's the browser's job, not the VPN's
- We do not bundle tracker-blocking heuristics in the VPN — that risks false positives that break sites
- We do not run a "free tier" with a different infrastructure — paid users and free users (if any) get the same server quality

## Per-platform clients

- **Linux**: GTK + native daemon (`silvervpn-daemon` running as systemd service)
- **Android**: VpnService-based, native UI
- **Windows**: WireGuard tunnel service + tray UI (signed)
- **macOS**: NetworkExtension, signed and notarised
- **iOS**: NetworkExtension via App Store

## Verification

- Kill-switch test: disconnect upstream, verify zero packets leak
- DNS-leak test: capture DNS during tunnel-up; all queries must traverse the tunnel
- Reconnect test: WAN flap, verify reconnect without temporary leak
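
One way to automate the DNS-leak and kill-switch checks listed under Verification, as an added example rather than code from this repo: scan a text capture of the physical interface and flag every outbound packet that is not WireGuard UDP to the tunnel endpoint. The `tcpdump -n` line format, the endpoint `203.0.113.5:51820`, the local addresses and the name `find_leaks` are assumptions made for the illustration.

```python
import re

# Constructed sample: `tcpdump -n -i <physical-iface>` style lines taken while the
# tunnel is up. Addresses and the endpoint are made up for this example.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 192.168.1.10.40000 > 203.0.113.5.51820: UDP, length 148
12:00:01.020500 IP 203.0.113.5.51820 > 192.168.1.10.40000: UDP, length 92
12:00:02.300000 IP 192.168.1.10.53311 > 192.168.1.1.53: 4242+ A? example.com. (29)
12:00:03.100000 IP 192.168.1.10.44122 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:03.500000 IP6 2001:db8::10.50000 > 2001:db8::53.53: 7+ AAAA? example.com. (29)
12:00:04.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""

LINE_RE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+): ")
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS


def split_host_port(proto, field):
    """Split tcpdump's host.port; port-less packets (e.g. ICMP) give port None."""
    has_port = field.count(".") == (4 if proto == "IP" else 1)
    if not has_port:
        return field, None
    host, _, port = field.rpartition(".")
    return host, int(port)  # numeric because the capture was taken with -n


def find_leaks(capture, endpoint_ip, endpoint_port, local_addrs):
    """Return (kind, line) for each outbound IP packet that bypassed the tunnel."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IP frames such as ARP are out of scope here
        src, _ = split_host_port(m.group(1), m.group(2))
        dst, dport = split_host_port(m.group(1), m.group(3))
        if src not in local_addrs:
            continue  # inbound packet; only traffic leaving this host can leak
        if (dst, dport) == (endpoint_ip, endpoint_port) and ": UDP," in line:
            continue  # encrypted WireGuard transport, the one expected flow
        leaks.append(("dns" if dport in DNS_PORTS else "other", line))
    return leaks


if __name__ == "__main__":
    local = {"192.168.1.10", "2001:db8::10"}
    for kind, line in find_leaks(SAMPLE_CAPTURE, "203.0.113.5", 51820, local):
        print(f"LEAK[{kind}] {line}")
```

A passing run returns an empty list; the IPv6 query in the sample is the case an IPv4-only kill-switch rule set would miss.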