Sovereign VPN Governance Back to Platform →
VPN Governance Operational

Cryptographic
Session
Accountability.

A governance layer for encrypted tunnels. Every session produces a hash chain. Every chain link is independently verifiable. Tampering is mathematically detectable.

Sovereign VPN Governance does not replace your tunnel infrastructure. It produces cryptographic evidence that the tunnel operated as declared — session birth, session death, traffic totals, DNS queries — all anchored in a Merkle transparency log.

Start Governed Session See How It Works
Not a VPN — a governance layer SHA-256 hash chains Works with any tunnel
Initialize Scroll
Hash Algorithm SHA-256
Chains Per Session 0
Jurisdictions Available 0
Traffic Content Logged ZERO

The Stakes

Third-party audits are
point-in-time snapshots.

The VPN industry's verification model is periodic: hire an auditor, grant access for a window, publish a report. What happened between audits? What is happening right now? RAM-only servers are a hardware improvement — but still require trusting the operator between reboots. DORA and NIS2 require continuous operational accountability for network infrastructure, not periodic snapshots.

Continuous Verification

Every 5 seconds. Every session. User-verifiable.

Every session produces a hash chain: sha256(prev_hash + canonical(event)). At disconnect, the terminal hash from the server is compared to the client. Match = verified. Divergence = the exact link where tampering occurred is identifiable. This is not a periodic audit — it is continuous, per-session, and user-verifiable.

Session Certificates

Birth and death, cryptographically attested.

Every session produces SESSION_BIRTH (jurisdiction, tunnel type, code hash) and SESSION_DEATH (both chain hashes, traffic totals, duration, disconnect reason) Merkle leaves. Independently verifiable. No VPN provider produces cryptographic session certificates. The concept does not exist elsewhere.

DNS Fidelity

Prove queries weren't leaked, injected, or altered.

A separate DNS chain records every DNS query (hashed) during the session. DNS leaks and injection are common VPN failure modes. Current providers address them through configuration. Sovereign VPN Governance addresses them through cryptographic proof.

Code Attestation

"What software am I actually connecting to?"

CODE_DEPLOYMENT leaves record the code hash, commit hash, and deployer identity. The client verifies the server's running code matches a specific deployment in the log. No current tunnel solution answers this question. Sovereign VPN Governance does.

01 — The Difference

Claims vs.
Cryptographic Evidence.

Encrypted tunnels are a solved problem. What remains unsolved is independent verification of operational claims — without requiring trust in the infrastructure operator.

Conventional Tunneling Sovereign VPN Governance
No-log claim Privacy policy statement, periodic third-party audit. No mechanism for independent, continuous verification by the end user. Every session produces a hash chain: sha256(prev_hash + canonical(event)). Traffic content is never in the chain — only session metadata. The absence of content is structurally enforced, not promised.
Session proof No cryptographic proof of session existence or termination. Session records stored in mutable databases controlled by the operator. SESSION_BIRTH leaf anchored in the Merkle tree at connect. SESSION_DEATH leaf at disconnect with final traffic totals and terminal chain hash. Both are independently verifiable via inclusion proofs.
Tamper detection No tamper-detection mechanism. Session metadata stored in conventional databases where records can be modified without detection. Each event is a link in the hash chain. Altering any record breaks the chain at the exact point of tampering. The tamper demo lets you break a chain and watch verification identify the corrupted link.
DNS privacy Configuration-based DNS leak prevention. DNS queries routed through the provider's resolver without an independently verifiable audit trail. DNS queries route through an encrypted DoH proxy. Each query is hashed and appended to a separate DNS chain per session. Auditors can verify the integrity of every reported query.
Code integrity Server-side code not independently verifiable. Audits are periodic snapshots, not continuous attestation. Worker deployments can commit a CODE_DEPLOYMENT leaf with the code hash, commit hash, and deployer identity. Clients can verify the code hash returned during attestation against logged deployments.
Jurisdiction Jurisdiction based on corporate registration. No cryptographic binding between declared exit location and actual traffic routing. You select exit jurisdiction explicitly (EU-BE, EU-DE, EU-NL, EU-FR, US-NY, US-CA, CH, SG). The selected jurisdiction is recorded in the session's birth leaf and anchored in the Merkle tree.

02 — Session Lifecycle

Four Steps.
Four Proofs.

Every governed tunnel session follows a cryptographic lifecycle. Each step produces a verifiable artifact.

VPN Governance Session Lifecycle Pipeline 01 ATTEST Client sends public key. Server returns code hash + nonce. 02 CONNECT SESSION_BIRTH leaf committed. Hash chain begins. 03 GOVERN Traffic & DNS chains grow. Each event hashed with prev_hash. 04 DISCONNECT SESSION_DEATH leaf committed. Client vs worker chain compared. The dashboard renders each phase in real time. Each transition produces a verifiable state change anchored in the transparency log.

03 — Dual Chain Architecture

Two Chains Per Session.
One for Traffic. One for DNS.

Traditional VPNs give you a single connection with no audit trail. Sovereign VPN Governance maintains two independent hash chains for every session.

Traffic Chain

Byte-level accountability.

1. Tracks bytes_up and bytes_down

2. TransformStream counts in 64KB batches

3. Each counter update = new chain link

4. sha256(prev_hash + canonical(event))

5. Terminal hash compared at disconnect

DNS Chain

Query-level audit trail.

1. Every DNS query hashed: sha256(name:type)

2. Separate chain from traffic

3. Queries routed via encrypted DoH

4. Domain frequency audit per session

5. Tamper-evident query audit trail

If either chain is tampered with, verification identifies the exact link where the hash continuity broke. The traffic chain proves reported bandwidth wasn't fabricated. The DNS chain proves reported queries weren't altered.

04 — Tamper Detection

Break the Chain.
Watch It Catch You.

The tamper demo isn't a simulation. It creates a real governed session, lets you alter a record in the chain, then runs verification. The exact point of corruption is identified because sha256(prev_hash + canonical(event)) doesn't lie.

Step 1: Create a demo session with real chain links
Step 2: Tamper with a record — change bytes transferred
Step 3: Verify — recompute every hash, find the break
Result: exact link number, stored vs computed hash, proof of manipulation

Conventional tunnel architectures do not produce hash chains because they were not designed to. Sovereign VPN Governance was.

05 — Governance Layer

Bring Your Own Tunnel.
We Make It Accountable.

Sovereign VPN Governance isn't a replacement for WireGuard or OpenVPN. It's the cryptographic layer that makes any tunnel provably honest.

Reference Proxy (Built In)

TCP-over-HTTPS relay.

TransformStream byte counting in 64KB batches.

Ports 80, 443, 8080, 8443 allowed.

Private/internal hosts blocked.

Demonstrates governance with real traffic.

External Operator SDK

Run your own tunnel. Report into AGTS.

Run WireGuard, OpenVPN, or any tunnel.

Report counters via /sdk/counter-report.

Report DNS hashes via /sdk/dns-report.

Authenticated with per-session node tokens.

Same hash chains, same Merkle anchoring.

The governance protocol doesn't care what tunnel software you run. It cares that every byte and every DNS query is accounted for in a tamper-evident chain.

06 — Architecture

Edge-Native.
Distributed. Isolated.

Sovereign VPN Governance is a vertical on the ObligationSign platform. Same infrastructure that governs encrypted storage, mail delivery, and AI agent obligations.

Session Isolation

One container per session.

Each session runs in its own isolated container. No shared state, no race conditions on counter updates. Traffic and DNS chains are maintained independently per session with automatic idle timeout at 5 minutes.

Transparency

Merkle hash tree.

SESSION_BIRTH, SESSION_DEATH, SESSION_ANOMALY, and CODE_DEPLOYMENT leaves anchored in the same Merkle tree used by Drive and Mail. Signed tree head. Inclusion proofs. Anyone can audit.

DNS Security

Encrypted DoH proxy.

DNS queries routed through encrypted DNS-over-HTTPS. Each query hashed and chained. Per-session DNS audit verifies chain integrity and detects any tampering with reported query records.

Code Attestation

Deployment transparency.

Worker deployments record CODE_DEPLOYMENT leaves with commit hash, code hash, version, and deployer identity. Clients can verify the code hash returned during attestation against logged deployments.

Authentication

Zero-trust gateway + JWT.

RS256 JWT validation against JWKS endpoint. API key fallback for programmatic access. No passwords stored. Identity is cryptographically bound to every session and chain event.

Billing

Metered governance.

Charged to the tunnel operator, not the end user. Usage metered by governed sessions, attested bytes, and audited DNS queries. 30-day L1 free trial. Same billing infrastructure as all ObligationSign verticals.

07 — Verdicts

Every Session Gets a Verdict.
Not a Status — a Proof.

When a session closes, the governance protocol evaluates its integrity and assigns a cryptographic verdict based on the evidence, not on trust.

Verified

Birth leaf, death leaf, and hash chain all present and consistent. Client chain matches worker chain. No anomalies detected.

Partial

Birth leaf committed but session incomplete or chain length insufficient. Common for sessions still in progress.

Anomaly

Birth leaf present but death leaf missing, or client-side chain hash doesn't match the worker-side chain. Provable discrepancy.

Business Impact

Trust Is Not a
Compliance Strategy.

DORA
Digital Operational Resilience Act

Requires continuous operational accountability for network infrastructure used by financial institutions. Sovereign VPN Governance turns "we have a VPN" into "we have a provably accountable VPN" — with per-session cryptographic evidence rather than periodic audit reports.

NIS2
Network & Information Security

EU-wide cybersecurity directive requiring essential and important entities to maintain provable network security measures. Session birth and death certificates, code attestation, and DNS fidelity proofs provide the evidence NIS2 demands.

24/7
Continuous Accountability

Third-party audits verify what was true during the audit window. Hash chains verify what is true right now, and what was true at any point in the past. This is the difference between periodic compliance and continuous accountability.

VPN Operators

Differentiation through verifiable honesty, not marketing claims about honesty. Operators integrate via the Counter Relay SDK and produce the same proofs regardless of which tunnel carries the traffic. Protocol licensing and SDK integration fees for tunnel operators who need to prove their claims.

Enterprise Network Teams

Compliance evidence that is continuous rather than periodic. Every governed session produces independently verifiable artifacts: session certificates, chain hashes, DNS fidelity proofs, and code attestation. This evidence exists whether or not an auditor is watching.

Every Session.
Every Chain Link.
Independently Verifiable.

Connect a session. Watch it attest, chain, and anchor. Four cryptographic operations, four verifiable proofs, one transparency log.

Start Governed Session
Verify a Session