Technology

The stack behind QAL VPN

QAL VPN combines a high-speed tunneling design with a secure control plane, account-based access, and optional post-quantum cryptographic enhancement.

Tunnel engine

WireGuard with the Noise_IK handshake, Curve25519 key exchange, ChaCha20-Poly1305 authenticated encryption, and BLAKE2s hashing for high-throughput secure transport.

Control plane

Cloud API coordinates region discovery, entitlement checks, provisioning metadata, and secure tunnel bootstrap through signed, user-authenticated API requests.

Identity and auth

Firebase Authentication issues identity tokens and refresh tokens. QAL clients refresh tokens automatically to keep entitlement checks and provisioning reliable.

Billing integration

Stripe Checkout and Customer Portal manage the trial and billing lifecycle. Webhooks normalize plan status into entitlements used by the app and the website.

Post-quantum integration model

QAL VPN uses an optional hybrid model: classical X25519 plus ML-KEM-768. When enabled, the client derives additional shared material, sends a PQ payload during provisioning, and installs a WireGuard preshared key derived from the hybrid exchange.

Standard mode remains available by default for compatibility and speed. Hybrid mode is user-controlled, so teams can progressively adopt post-quantum protections without forcing a one-size-fits-all rollout.

Public technical flow

  1. Client fetches public config + PQ parameters.
  2. Client computes hybrid key material (X25519 + ML-KEM-768).
  3. Provision API validates entitlement and issues endpoint + server keying data.
  4. Client writes tunnel profile and brings up WireGuard transport.
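
A sketch of the key-combination step in the hybrid model and in step 2 of the flow above, added here as an example and not QAL VPN's own code. The page does not say how the two shared secrets are combined, so HKDF-SHA256 over the concatenated secrets, the transcript-hash salt, the label, and the endpoint are assumptions, and the secrets are constructed sample bytes rather than real X25519 or ML-KEM-768 outputs.

```python
import base64
import hashlib
import hmac

# Hypothetical domain-separation label; the page does not define one.
LABEL = b"example hybrid-psk v1"

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_wg_psk(ss_x25519: bytes, ss_mlkem: bytes, transcript: bytes) -> str:
    """Combine both shared secrets into a base64 WireGuard PresharedKey (32 bytes)."""
    # X25519 and ML-KEM-768 both produce 32-byte shared secrets.
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    # An all-zero X25519 result means the peer sent a low-order public key.
    if hmac.compare_digest(ss_x25519, bytes(32)):
        raise ValueError("all-zero X25519 shared secret")
    # Fixed-width inputs are concatenated; the transcript hash (assumed to cover
    # the public keys and KEM ciphertext) is the salt, binding the PSK to this exchange.
    salt = hashlib.sha256(transcript).digest()
    psk = hkdf_sha256(ss_x25519 + ss_mlkem, salt, LABEL, 32)
    return base64.b64encode(psk).decode("ascii")

def peer_section(server_pubkey_b64: str, endpoint: str, psk_b64: str) -> str:
    """Render the [Peer] block of a wg-quick profile with the derived PSK."""
    return (f"[Peer]\nPublicKey = {server_pubkey_b64}\n"
            f"PresharedKey = {psk_b64}\nEndpoint = {endpoint}\n"
            "AllowedIPs = 0.0.0.0/0, ::/0\n")

if __name__ == "__main__":
    # Constructed sample values, not real key-exchange outputs.
    ss_x, ss_pq = bytes(range(32)), bytes(range(32, 64))
    psk = derive_wg_psk(ss_x, ss_pq, b"constructed provisioning transcript")
    print(peer_section("<server-public-key>", "vpn.example.net:51820", psk))
```

Because both secrets feed one KDF, the resulting preshared key stays unpredictable as long as either the X25519 or the ML-KEM-768 secret remains unbroken.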