Premium VPN for those who already chose the best hardware

We run and tune our own server infrastructure specifically for GL.iNet cellular routers and other premium VPN routers — for fast, stable, and secure connections at the full performance your hardware can deliver.

GemiGuard VPN is an encrypted VPN service from GemiGuard, running on our own infrastructure and built for users whose router is capable of more than a typical VPN provider offers. All our optimizations happen server-side, on infrastructure tuned specifically for GL.iNet cellular hardware and other premium VPN routers — so there's nothing to install or change on your device. Two service tiers are available: shared servers, or a fully isolated private server with its own dedicated IP address.

Two service models

Exit nodes worldwide. We'll add any geolocation you need on request — for either tier.

Standard VPN

Shared servers, shared exit IP

$44.95 / year

The right choice for almost everyone. High-performance encrypted VPN on multi-tenant servers fine-tuned for premium VPN-router hardware. Geolocation of your choice.

  • Full GemiGuard VPN optimization stack on every tunnel
  • Modern WireGuard cryptography
  • Works with any standard WireGuard client, including stock GL.iNet firmware
  • Generous throughput headroom — built for high-end cellular and wired routers

Private VPN

Dedicated server, dedicated IP

Custom quote

For users with strict security or operational requirements — a dedicated IP at the geolocation of your choice, exclusive server capacity, or a custom server configuration. Single-tenant infrastructure running the full GemiGuard VPN optimization stack — sized to your hardware, configured to your use case.

  • Server resources reserved exclusively for one customer
  • Dedicated IP at the geolocation of your choice — never shared, never rotated
  • Server capacity sized to your specific router and traffic profile
  • Fully managed: custom configuration, setup, and ongoing maintenance handled by us

Optimized for GL.iNet

Cellular VPN routers are capable of the maximum performance their modem can deliver — performance a generic VPN service simply can't match. This is most visible on GL.iNet's flagship models:

The GemiGuard VPN optimization stack is tuned specifically for this hardware — and the same engineering produces measurable gains on other premium cellular routers (MikroTik, Teltonika, Inseego, etc.) and on any high-end wired router.

The single biggest performance enemy on any cellular link is bufferbloat — the deep buffers in the cellular network (both at the base station and in the modem itself) that accumulate seconds of traffic under load and destroy interactive responsiveness. A generic VPN provider blindly pushes traffic into that buffer. GemiGuard VPN doesn't. Here are three of the optimizations running on every endpoint.

  1. CAKE traffic shaping with ECN marking on every tunnel

    On the egress side of every tunnel, our servers apply CAKE — a shaper sized to your link's realistic cellular capacity. This stops us from pushing packets faster than the cellular path can drain them, so they don't pile up in the deep buffers on the downstream path to your router (primarily the per-UE queue at the base station — the main source of bufferbloat for inbound traffic). When the shaper's queue approaches its limit, CAKE marks packets with the ECN flag (Explicit Congestion Notification) instead of dropping them. WireGuard carries these markings transparently through the tunnel, so end-to-end TCP sessions slow down preemptively — no packet loss, no expensive retransmits (each one costing tens of milliseconds on cellular). No configuration required on your side.

  2. Cellular-tuned MTU and MSS clamping

    Standard 1500-byte packets routinely fragment or get silently dropped on cellular paths once you add carrier encapsulation and WireGuard's own header overhead. Our servers advertise a tighter MTU and clamp TCP segment size at the forwarding layer so every packet fits the real cellular path on the first attempt. Fewer retransmissions, less head-of-line blocking on the uplink, faster page loads, and noticeably snappier short-lived connections.

  3. WAN-side fair-queueing pacing

    On our servers' external interfaces, we run the fq (fair queueing) queue discipline, which schedules fairly by flow and paces every outbound packet, spacing packets out in time, including forwarded tunnel traffic. This prevents a burst on one tunnel from hurting another, smooths the encapsulated traffic on the path to your router, and delivers more even throughput, which is particularly valuable in shared-cell-tower environments where the carrier itself is the variable.
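
The MTU and MSS clamping in item 2 comes down to header arithmetic, sketched here as an added example (not GemiGuard's code; the function names are hypothetical and the path MTU figures are constructed). It derives the tunnel MTU and TCP MSS clamp from a real path MTU and checks whether an encapsulated packet still fits that path.

```python
# Added example, not GemiGuard's code. Header sizes are protocol constants;
# the path MTU figures in the demo are constructed.
IP_HDR = {4: 20, 6: 40}   # IPv4 without options / IPv6 fixed header
UDP_HDR = 8
WG_DATA = 32              # type+reserved 4, receiver index 4, counter 8, Poly1305 tag 16
TCP_HDR = 20              # without options
IPV6_MIN_MTU = 1280       # smallest link MTU on which IPv6 can be carried


def clamp_plan(path_mtu, outer_family):
    """Tunnel MTU and MSS clamp values for a path whose real MTU is path_mtu."""
    mtu = path_mtu - IP_HDR[outer_family] - UDP_HDR - WG_DATA
    return {
        "mtu": mtu,
        "mss_v4": mtu - IP_HDR[4] - TCP_HDR,
        "mss_v6": mtu - IP_HDR[6] - TCP_HDR,
        "ipv6_ok": mtu >= IPV6_MIN_MTU,
    }


def outer_len(inner_len, wg_mtu, outer_family):
    """Size on the wire of one encapsulated packet.

    WireGuard pads the plaintext to a multiple of 16 bytes, capped at the
    interface MTU, before adding its own header and the outer UDP/IP headers.
    """
    if inner_len > wg_mtu:
        raise ValueError("inner packet exceeds the tunnel MTU")
    padded = min(wg_mtu, -(-inner_len // 16) * 16)
    return padded + WG_DATA + UDP_HDR + IP_HDR[outer_family]


def fits(inner_len, wg_mtu, path_mtu, outer_family):
    """True if the encapsulated packet crosses the path without fragmenting."""
    return outer_len(inner_len, wg_mtu, outer_family) <= path_mtu


if __name__ == "__main__":
    path = 1428  # constructed cellular path MTU, IPv4 outer
    plan = clamp_plan(path, 4)
    print("tuned:", plan)
    print("default 1420 MTU fits:", fits(1420, 1420, path, 4))
    print("tuned MTU fits:", fits(plan["mtu"], plan["mtu"], path, 4))
```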

Performance, never at the cost of security. Every GemiGuard VPN optimization is a pure performance layer. None of them touches your encrypted payload, weakens cipher selection, terminates TLS, decrypts traffic, or reduces end-to-end encryption guarantees in any way. We shape, queue, and pace the encrypted tunnel — and the contents inside stay cryptographically sealed between your router and the destination. With GemiGuard VPN, you get the fastest connection your hardware is capable of delivering — full performance, full encryption, no compromise.

Modern encryption

GemiGuard VPN is built on WireGuard — the most modern VPN protocol, designed for simplicity, speed, and security. Its lean codebase (~4,000 lines vs. 70,000+ in OpenVPN and 400,000+ in IPsec) makes it auditable and efficient, and pairs modern cryptography with a minimal attack surface.

  • Curve25519: High-speed elliptic-curve cryptography for key exchange. 128-bit security with a 256-bit key.
  • ChaCha20: Stream cipher with a 256-bit key, optimized for software execution — no specialized hardware required.
  • Poly1305: Message authentication code (MAC). Guarantees data integrity and authenticity with minimal computational overhead.
  • BLAKE2s: Cryptographic hash function, faster than SHA-256, with proven indistinguishability from random data.
  • HKDF: The key derivation function used in the Noise_IK handshake to provide perfect forward secrecy.
  • Noise_IK: A Noise Protocol Framework pattern that delivers secure authenticated connections during handshake.

A smaller attack surface, Linux kernel integration, and a UDP-first design give this foundation advantages legacy protocols can't easily replicate: fast connection recovery on network changes, low CPU overhead, and stability across unstable networks. The GemiGuard VPN optimization stack builds from this solid foundation.

No logs

The strongest data protection is data that doesn't exist. GemiGuard VPN keeps no logs of your activity. We can't surrender, lose, or expose what we never collected.

Custom capabilities

  1. Stealth VPN

    TLS traffic obfuscation (masquerading as legitimate HTTPS connections via transports like V2Ray/VLESS, Trojan, Shadow-TLS, REALITY, or AmneziaWG), TCP fallback when UDP is blocked, SSH tunneling, and Shadowsocks/SOCKS proxies for covert routing — built on request for clients operating in restrictive network environments.

  2. Protocol flexibility

    WireGuard is the default for speed and security. OpenVPN, IPsec, or other protocols are available on request when specific compatibility with legacy systems or compliance requirements call for them. Fully customized solutions are available for clients whose requirements go beyond our standard service.

Who it's for

Common questions

  1. How is GemiGuard VPN different from other VPN providers?

    Other VPN providers run commodity infrastructure built for laptops and phones. GemiGuard VPN runs its own servers, tuned specifically for premium router hardware — GL.iNet cellular models like Mudi, Spitz, and Puli, plus high-end wired routers. The optimization stack (CAKE traffic shaping, cellular-aware MTU and MSS clamping, fair-queueing on the WAN side) runs entirely server-side. Nothing to install. Nothing to configure. Stock WireGuard.

  2. Can I change my VPN exit country or IP address on demand?

    Yes — on the Private tier, as an optional customization. Switch your exit IP and geolocation in real time without changing your WireGuard config. Control via web portal or the GemiGuard VPN Telegram bot: pick a new exit node, the switch is instant, no packet loss, session uninterrupted. On Standard, your exit location is set at signup (any country on request).

  3. Which countries can I use as my VPN exit location?

    Any country. Both tiers. Tell us where you need to appear, and we deploy an exit node for you on our own infrastructure.

  4. What is your logging policy?

    Zero. No connection logs, no DNS logs, no bandwidth metering, no KYC. The strongest data protection is data that doesn't exist.

  5. Does GemiGuard VPN work with stock GL.iNet firmware?

    Yes — all versions. GemiGuard VPN works with any standard WireGuard client, which is built into stock GL.iNet firmware. No third-party app, no custom firmware, no extra setup. Drop in the config and connect.

Get started

Get Standard — $44.95/year

For Private VPN or custom builds: message us on Telegram, Signal, or email.