Security isn't a feature. It's the foundation.
Every design decision in KookVPN prioritizes one thing: ensuring your real identity and traffic are never exposed. Not to the GFW. Not to AI companies. Not to us.
VLESS+Reality Protocol Encryption
Connections use TLS 1.3 with the real certificates of microsoft.com. The encryption is identical to standard HTTPS -- because it IS standard HTTPS from a cryptographic perspective. No custom ciphers, no proprietary encryption. Just battle-tested TLS 1.3.
- TLS 1.3 with server-side certificate from real target
- ECDH key exchange for forward secrecy
- No custom encryption algorithms
- uTLS for browser-authentic fingerprints
Zero-Log Architecture
We don't log your traffic content, DNS queries, connection timestamps, bandwidth usage, source IP addresses, or destination addresses. The server is configured with minimal write permissions. Logs that don't exist can't be subpoenaed, hacked, or leaked.
- No traffic logs of any kind
- No connection metadata stored
- No DNS query logs
- Server runs with restricted disk write access
DNS-over-TLS
All DNS queries are encrypted and routed through the VPN tunnel via DNS-over-TLS. This prevents DNS manipulation (a common attack in China), DNS leaks that could reveal your browsing history, and ISP-level DNS logging.
- Encrypted DNS queries via DoT
- No plaintext DNS packets leave your device
- Prevents ISP DNS poisoning
- Eliminates DNS leak vectors
Kill Switch
If the VPN connection drops for any reason, the kill switch immediately blocks all internet traffic. No packets leave your device until the VPN reconnects. This prevents the single most dangerous scenario: your real China IP being exposed to AI services during a momentary disconnect.
- Instant traffic block on disconnect
- Prevents real IP exposure
- Traffic is re-enabled automatically on reconnect
- Works at the OS network adapter level
TUN-Level Traffic Capture
Unlike SOCKS proxies or browser extensions that only capture specific application traffic, TUN mode creates a virtual network adapter at the OS level. Every packet from every application passes through the encrypted tunnel. This eliminates WebRTC leaks, application-level DNS leaks, and any other traffic that might bypass a proxy.
- Virtual network adapter captures ALL traffic
- WebRTC leak prevention
- Application-level leak prevention
- No traffic bypasses the tunnel
Active Probe Defense
When the GFW or any other client connects to our server without proper Reality authentication, the connection is transparently forwarded to the real destination (microsoft.com). The probe receives microsoft.com's genuine response, making our server indistinguishable from a legitimate web server.
- Unauthenticated connections forwarded to real target
- GFW probes get genuine microsoft.com responses
- No server-side VPN fingerprint detectable
- Port scanners see a normal HTTPS server
Our entire technology stack
We use open-source software wherever possible. You can verify every component of our stack independently.
| Component | Details |
|---|---|
| Protocol | VLESS+Reality+Vision via Xray-core (open source) |
| Client Engine | sing-box v1.13.2 (open source) |
| Server OS | Ubuntu 24.04 LTS |
| Congestion Control | BBR (Google, open source) |
| TUN Driver | wintun (WireGuard project, open source) |
| Firewall | UFW + DigitalOcean cloud firewall |
| DNS | DNS-over-TLS (encrypted) |
| Server Location | DigitalOcean Singapore SGP1 |
| Open Ports | 22 (SSH), 443 (VLESS) only |
| Logging Policy | Zero logs. No traffic, no metadata, no timestamps. |
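
One way to check the client-side properties listed on this page (TUN capture, DNS-over-TLS, Reality, uTLS) is to audit the sing-box config file itself. The following is an added example, not KookVPN's code or configuration: the sample config is constructed, the server address and key are placeholders, and the field names are assumed to follow sing-box's JSON config schema.

```python
import json

# Constructed sample client config (not KookVPN's real config). Field names are
# assumed to follow sing-box's JSON config schema; all values are placeholders.
SAMPLE = json.loads("""
{
  "dns": {"servers": [{"type": "tls", "tag": "dot", "server": "1.1.1.1"}]},
  "inbounds": [{"type": "tun", "auto_route": true, "strict_route": true}],
  "outbounds": [{
    "type": "vless", "server": "203.0.113.10", "server_port": 443,
    "flow": "xtls-rprx-vision",
    "tls": {"enabled": true, "server_name": "microsoft.com",
            "utls": {"enabled": true, "fingerprint": "chrome"},
            "reality": {"enabled": true, "public_key": "PLACEHOLDER"}}
  }]
}
""")

def is_dot(server):
    """True for a DNS-over-TLS server in the typed or legacy tls:// form."""
    return server.get("type") == "tls" or str(server.get("address", "")).startswith("tls://")

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    tuns = [i for i in cfg.get("inbounds", []) if i.get("type") == "tun"]
    if not tuns:
        findings.append("no TUN inbound: only proxy-aware apps are tunnelled")
    for t in tuns:
        if not t.get("auto_route"):
            findings.append("tun: auto_route off, default route is not the tunnel")
        if not t.get("strict_route"):
            findings.append("tun: strict_route off, OS may send traffic (e.g. DNS) outside the tunnel")
    servers = cfg.get("dns", {}).get("servers", [])
    if not servers:
        findings.append("dns: no servers configured, cannot confirm DNS-over-TLS")
    for s in servers:
        if not is_dot(s):
            findings.append(f"dns: server {s.get('tag', '?')} is not DNS-over-TLS")
    vless = [o for o in cfg.get("outbounds", []) if o.get("type") == "vless"]
    if not vless:
        findings.append("no VLESS outbound")
    for o in vless:
        tls = o.get("tls", {})
        if not tls.get("reality", {}).get("enabled"):
            findings.append("vless: Reality not enabled")
        if not tls.get("utls", {}).get("enabled"):
            findings.append("vless: uTLS off, ClientHello will not look like a browser")
    return findings
```

Calling `audit()` on a parsed config returns one line per property that is missing; an empty list means the config matches what the page describes.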
What we don't do
We don't log your traffic
No packet inspection, no traffic analysis, no content logging. We physically cannot see what you do online.
We don't sell your data
We have no data to sell. Our revenue comes from subscriptions, not advertising or data brokering.
We don't use tracking analytics
No Google Analytics, no Facebook Pixel, no third-party trackers on the VPN connection. The website uses minimal analytics.
We don't require personal information
No phone number, no real name, no address. Pay with crypto for complete anonymity.
Privacy isn't optional.
It's the entire point. Try KookVPN risk-free for 7 days.