PQC VPN Tunnel Playground

Walk through a full post-quantum VPN session — from peer registration, to ML-KEM-1024 handshake, to encrypted traffic, to key rotation. Every action hits the live simulator via the Qudo JNI crypto provider — real keys, real ciphertext, real signatures.

Algorithms: ML-KEM-1024 (FIPS 203), ML-DSA-65 (FIPS 204), AES-256-GCM
1. Discover Gateway (GET /gateway-info)
   Fetch the gateway's public ML-KEM-1024 key and ML-DSA-65 identity. In a real deployment, peers pin the gateway identity pubkey in their client config.

2. Register Peer (ML-KEM-1024 keygen)
   Provision a new peer. The gateway generates an ML-KEM-1024 keypair and an ML-DSA-65 identity keypair for the peer, and assigns a tunnel IP.

3. PQC Handshake (KEM encap + DSA sign)
   Perform the ML-KEM-1024 key exchange. The peer encapsulates to the gateway's public key, and both sides derive the same 256-bit AES session key. The gateway signs the transcript with ML-DSA-65 to prove its identity.

4. Send Encrypted Packet (AES-256-GCM)
   Encrypt a payload with the tunnel session key and send it through. The gateway decrypts, processes, and returns an AES-GCM encrypted ack.

5. Rekey, Forward Secrecy (Fresh ML-KEM-1024)
   Rotate the session key with a fresh ML-KEM-1024 encapsulation. The old key is zeroised in memory; traffic captured from previous sessions cannot be decrypted even if later keys leak.

6. Disconnect (Key zeroisation)
   Tear down the tunnel. The session key is immediately zeroised in gateway memory. After disconnect, no traffic from this session can be decrypted.
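Steps 3 to 5 as an added Go example (not the simulator's or the Qudo provider's code), with both sides running in one process on the standard library's crypto/mlkem (Go 1.24 or later). The names Exchange and AEAD, the HKDF-SHA-256 derivation and its "example-tunnel-key" label are assumptions of this example; the page does not say how the session key is derived, and the ML-DSA-65 transcript signature is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/sha256"
	"fmt"
)

// Exchange is one handshake or rekey. It zeroises any retired session keys
// (best effort: the runtime may hold copies), then the peer encapsulates to the
// gateway's ML-KEM-1024 key. HKDF-SHA-256 salted with the KEM ciphertext is assumed.
func Exchange(gw *mlkem.DecapsulationKey1024, retired ...[]byte) (peerKey, gwKey []byte, err error) {
	for _, k := range retired {
		for i := range k {
			k[i] = 0
		}
	}
	ssPeer, kemCT := gw.EncapsulationKey().Encapsulate() // peer side
	ssGW, err := gw.Decapsulate(kemCT)                   // gateway side
	if err != nil {
		return nil, nil, err
	}
	peerKey, _ = hkdf.Key(sha256.New, ssPeer, kemCT, "example-tunnel-key", 32)
	gwKey, err = hkdf.Key(sha256.New, ssGW, kemCT, "example-tunnel-key", 32)
	return peerKey, gwKey, err
}

// AEAD returns AES-256-GCM keyed with a 32-byte session key.
func AEAD(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

func main() {
	gw, _ := mlkem.GenerateKey1024() // gateway's ML-KEM-1024 keypair
	pk, gk, _ := Exchange(gw)        // handshake
	a, _ := AEAD(pk)
	nonce := make([]byte, a.NonceSize()) // packet counter 0 under this key
	pkt := a.Seal(nil, nonce, []byte("ping"), nil)
	_, gk2, _ := Exchange(gw, pk, gk) // rekey retires both old keys
	b, _ := AEAD(gk2)
	_, err := b.Open(nil, nonce, pkt, nil)
	fmt.Println("old packet under new key:", err)
}
```

In this example the rekey encapsulates to the same gateway key, so what it demonstrates is that successive session keys are independent of each other. Whoever holds the gateway's ML-KEM private key can still decapsulate a recorded exchange, which is why that key needs its own rotation and protection.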
