Zero-Knowledge Architecture

A system where trust is decentralized. No single node, including the entry point, possesses enough state to link a user identity to their destination traffic.

The Problem with Single-Hop Standard VPNs

In a standard VPN configuration, your device creates an encrypted tunnel to a single provider-operated server.

  • That server decrypts your packet.
  • It reads the destination IP.
  • It forwards the packet.

The Flaw: The server knows exactly who you are (your home IP) and exactly where you are going. If that server is compromised, subpoenaed, or maliciously logging traffic, your privacy is zero.

The Tunnely Multi-Hop Topology

Tunnely forces packets through a minimum of two distinct, decentralized relay nodes.

[Client / Origin]
       ↓ (WireGuard Tunnel)
[Entry Node] --> Knows Client IP.
             --> Forwards packet into Internal Mesh.
       ↓ (Encrypted Server-to-Server Mesh)
[Exit Node]  --> Knows Destination IP.
             --> Does NOT know Client IP (sees only Entry Node IP).
       ↓ (Public Internet)
[Destination Web Server]

Cryptographic Enforcement

The Tunnely client application establishes a secure, single-hop WireGuard tunnel directly to the Entry Node. Rather than decrypting the packet and dropping it onto the public internet, the Entry Node acts as a secure router.

Upon receiving the packet, the Entry Node forwards it through a dedicated, cryptographically verifiable server-to-server mesh network to the assigned Exit Node. The Exit Node alone performs the final NAT translation necessary to reach the destination web server. This ensures that the Entry Node never sees the destination, and the Exit Node never sees the origin.
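
One way to check the split-knowledge property described above against per-node flow records, as an added example rather than Tunnely's own code. The record format, the node names and the mesh range 10.99.0.0/24 are assumptions made up for the illustration.

```python
import ipaddress

# Assumed address range of the server-to-server mesh (not a Tunnely value).
MESH = ipaddress.ip_network("10.99.0.0/24")

# Constructed flow records, one per line: "<node> <role> <src> <dst>"
SAMPLE = """\
relay-a entry 198.51.100.23 10.99.0.7
relay-b exit 10.99.0.3 203.0.113.80
relay-c entry 198.51.100.40 203.0.113.80
relay-d exit 198.51.100.23 203.0.113.80
"""

def violation(role, src, dst):
    """Return why a record breaks the split-knowledge rule, or None."""
    src_in_mesh = ipaddress.ip_address(src) in MESH
    dst_in_mesh = ipaddress.ip_address(dst) in MESH
    if role == "entry" and not dst_in_mesh:
        # An entry node should only ever forward into the mesh.
        return "entry node saw a destination outside the mesh"
    if role == "exit" and not src_in_mesh:
        # An exit node should only ever see another relay as the source.
        return "exit node saw a source outside the mesh"
    return None

def audit(log_text):
    """Return (line number, node, reason) for every record that fails."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue  # skip blank lines
        if len(parts) != 4 or parts[1] not in ("entry", "exit"):
            findings.append((lineno, "?", "malformed record"))
            continue
        node, role, src, dst = parts
        try:
            reason = violation(role, src, dst)
        except ValueError:
            reason = "unparseable address"
        if reason:
            findings.append((lineno, node, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Records 1 and 2 match the topology diagram; records 3 and 4 are the two ways a single relay could end up holding both halves of the link.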