Security
The cryptography and key handling behind vpn.golf, stated plainly.
Encryption
vpn.golf uses WireGuard, which fixes a single modern cipher suite: Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing. There are no weak options to misconfigure into: the protocol is secure by construction.
Key handling
Each device generates its own WireGuard key pair locally. The private key stays on the device; we receive and store only the public key. When you revoke a device, we remove its public key from the exit nodes and the peer stops working.
Isolation
The control plane (accounts, billing) and the exit nodes are separate systems on separate providers. Exit nodes hold no account information. This limits the blast radius of any single compromise: a breached exit node exposes no identities, and a breached control plane has no traffic.
Reporting a vulnerability
Found a security issue? Email security@vpn.golf (see our security.txt). We welcome good-faith research and will work with you on disclosure.
On the roadmap
RAM-only / diskless exit nodes, multi-hop ("playing two holes"), and an independent third-party no-logs audit as the service grows.