Crux VPN

Crux VPN establishes a post-quantum secure communication tunnel based on the WireGuard protocol by initiating an over-the-air bootstrap using a triple ratchet protocol. Following a successful ML-KEM-1024 key exchange, the system leverages Arqit’s SKA-Platform™ (SKA-P) to continuously rotate quantum-safe symmetric keys. This enables a persistent, quantum-resilient VPN tunnel to securely connect locations, hosts, peers, or cloud service provider environments.

Prerequisites

To run Crux VPN, you must have access to Arqit’s SKA-Platform™ (SKA-P), either via an Enterprise Agreement with Sirius or directly with Arqit.

Architectural Overview

Crux VPN consists of four major components.

  1. Web UI
  2. API Server
  3. Database
  4. Agents

In self-hosted deployments, the Web UI, API server, and database can be run natively or as Docker containers. The agents operate identically across deployment models.

Web UI

The Web UI is a Vue.js application compiled as a static site. It can be served by any standard web server, such as NGINX. The server hosting the UI does not require access to the API or database, but must be reachable from any device that needs to access the UI. The UI runs in any modern web browser and communicates with the API server over HTTPS.

API Server

The API server is built with Elixir and Phoenix. It handles all HTTPS communication with the Web UI and agents, and provides access to persistent data stored in the database.

Database

Crux VPN uses a PostgreSQL database to store configuration data, state, and audit logs. No additional extensions are required.

Agents

Agents are lightweight client applications installed on each participating host. Each agent establishes and maintains a secure tunnel. Agents initiate outbound HTTPS connections to the API server; the API server never initiates connections to agents.

More information on the types of agents available can be found in the Agents section of this guide.