GemiGuard VPN is a WireGuard-based VPN service from GemiGuard, built for those who need real privacy without compromises. Two service models to choose from — from economical shared connectivity to a fully isolated private server with a dedicated IP address.
01 / Service tiers: Two service models
01 / Standard VPN
Shared servers, shared exit IP
$44.95 / year
An economical solution for baseline secure connectivity. All the advantages of WireGuard — speed, simple configuration, and modern cryptography — on shared infrastructure.
- High throughput thanks to Linux kernel integration
- Modern cryptography: ChaCha20, Curve25519, Poly1305
- Minimal configuration — lower risk of misconfiguration
- Rapid scaling without dedicated infrastructure
02 / Private VPN
One client, one server, one dedicated IP
Custom quote
Complete data isolation. No shared resources, no correlation with other users' traffic — your channel is yours alone.
- Complete isolation — your traffic never crosses paths with anyone else's
- Dedicated IP address — your activity cannot be linked to other users
- Dedicated resources — consistent throughput and low latency
- Fully managed — setup, maintenance, and updates handled on our end
02 / GL.iNet optimization: Optimized for GL.iNet
GemiGuard VPN is optimized specifically for GL.iNet devices. Our infrastructure is tuned to extract the best possible performance from GL.iNet hardware — and especially from the high-throughput cellular models like the Spitz Plus (Cat 12 LTE), Spitz AX (5G), Puli AX (5G), and Mudi 7 (5G), where raw modem capability often outpaces what a generic VPN provider can keep up with. The same optimizations meaningfully improve performance on other high-end cellular VPN routers too — Inseego, Nighthawk, ZTE, and others — though the tightest tuning is for GL.iNet.
The single biggest performance enemy on any cellular link is bufferbloat — oversized queues in the carrier network and modem that destroy interactive responsiveness the moment the link is under load. A standard VPN service does nothing about it. GemiGuard does. Here are four of the optimizations running on every GemiGuard endpoint.
01 / Adaptive traffic shaping with CAKE on every tunnel
We apply the CAKE active queue management algorithm to the downstream side of every WireGuard tunnel, sized to your device's realistic cellular capacity. This keeps the bottleneck — and therefore the queue — on our infrastructure, where we can actively manage it, instead of buried inside the carrier's deep buffer where no one can. The visible result: video calls, gaming, VoIP, and SSH stay responsive even when the link is saturated by a large download.
02 / Cellular-tuned MTU and MSS clamping
Standard 1500-byte packets routinely fragment or get silently dropped on cellular paths once you add carrier encapsulation and WireGuard's own header overhead. Our endpoints serve a tighter MTU and clamp TCP segment size at the forwarding layer so every packet fits the real cellular path on the first attempt. Fewer retransmissions, less head-of-line blocking on the uplink, faster page loads, and noticeably snappier short-lived connections.
03 / BBR congestion control with fair-queueing pacing
Our servers run Google's BBR congestion control algorithm with fq per-flow pacing on the WAN side. This prevents a burst from one tunnel from disrupting another, smooths out the encapsulated traffic going to your modem, and delivers more even throughput — particularly valuable in shared-cell-tower environments where the carrier itself is the variable.
04 / Explicit Congestion Notification end-to-end
Wherever your endpoint supports it (modern Linux, macOS, iOS, and Windows all do), we negotiate ECN so congestion is signaled rather than handled by dropping packets. Over cellular, where every retransmission costs tens of milliseconds, ECN-marked traffic is meaningfully faster and steadier — and CAKE's ECN marking on our side is what makes this work end-to-end.
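The arithmetic behind the MTU, MSS, and shaper settings described above, as an added example that is not GemiGuard's own configuration: it computes the values for one tunnel and prints the matching Linux commands without applying them. The interface names `wg0` and `eth0`, the 1428-byte path MTU, the 80 Mbit/s capacity, and the 90% shaping headroom are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints, but does not apply, a tuning plan for one tunnel.

# Per-packet WireGuard overhead in bytes: outer IP header (20 for IPv4,
# 40 for IPv6) + UDP 8 + WireGuard data header 16 + Poly1305 tag 16.
wg_overhead() {
  case "$1" in 4) echo 60 ;; 6) echo 80 ;; *) return 1 ;; esac
}

# Largest inner packet that fits the path without fragmenting the outer one.
# Refuses results under 1280, below which Linux disables IPv6 on the link.
tunnel_mtu() {   # args: path_mtu outer_ip_version
  oh=$(wg_overhead "$2") || return 1
  mtu=$(( $1 - oh ))
  [ "$mtu" -ge 1280 ] || return 1
  echo "$mtu"
}

# TCP MSS inside the tunnel: MTU minus inner IP header minus 20-byte TCP header.
tcp_mss() {      # args: tunnel_mtu inner_ip_version
  case "$2" in 4) echo $(( $1 - 40 )) ;; 6) echo $(( $1 - 60 )) ;; *) return 1 ;; esac
}

# Shaper rate as a percentage of measured capacity, so the queue builds in
# CAKE on the endpoint rather than in the carrier's buffer.
shaper_kbit() {  # args: capacity_kbit percent
  echo $(( $1 * $2 / 100 ))
}

tuning_plan() {  # args: tun_if wan_if path_mtu outer_ip_version capacity_kbit percent
  mtu=$(tunnel_mtu "$3" "$4") || return 1
  mss4=$(tcp_mss "$mtu" 4); mss6=$(tcp_mss "$mtu" 6)
  rate=$(shaper_kbit "$5" "$6")
  # CAKE marks ECN-capable packets instead of dropping them; no extra flag.
  cat <<EOF
ip link set dev $1 mtu $mtu
iptables -t mangle -A FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss4
iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss4
ip6tables -t mangle -A FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss6
ip6tables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss6
tc qdisc replace dev $1 root cake bandwidth ${rate}kbit
tc qdisc replace dev $2 root fq
sysctl -w net.ipv4.tcp_congestion_control=bbr
EOF
}

# Constructed inputs: 1428-byte cellular path MTU, IPv4 outer, 80 Mbit/s measured.
tuning_plan wg0 eth0 1428 4 80000 90
```

With a full 1500-byte path and an IPv6 outer header the same functions give 1420, which is the familiar WireGuard default MTU.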
Performance, never at the cost of security. Every optimization above is a pure performance layer. None of them touches your encrypted payload, weakens cipher selection, terminates TLS, decrypts traffic for inspection, or reduces WireGuard's end-to-end encryption guarantees in any way whatsoever. We shape, queue, and pace the encrypted tunnel — exactly as we would any other UDP traffic — and the contents inside stay cryptographically sealed between your GL.iNet router and the destination. With GemiGuard VPN, you get the fastest, most secure connection your GL.iNet VPN-router is capable of delivering — with no compromise on the privacy you bought a GL.iNet device for in the first place.
03 / Cryptography: Why WireGuard
WireGuard is the most modern VPN protocol, designed for simplicity, speed, and security. A lean codebase (~4,000 lines vs. 70,000+ in OpenVPN and 400,000+ in IPsec) makes it auditable and efficient. We chose WireGuard as our foundation because it pairs modern cryptography with a minimal attack surface.
- Curve25519: High-speed elliptic-curve cryptography for key exchange. 128-bit security with a 256-bit key.
- ChaCha20: Stream cipher with a 256-bit key, optimized for software execution — no specialized hardware required.
- Poly1305: Message authentication code (MAC). Guarantees data integrity and authenticity with minimal computational overhead.
- BLAKE2s: Cryptographic hash function, faster than SHA-256, with proven indistinguishability from random data.
- HKDF: Secure key derivation with perfect forward secrecy guarantees.
- Noise_IK: A Noise Protocol Framework pattern that establishes secure, authenticated connections during the handshake.
A smaller attack surface, Linux kernel integration, and a UDP-first design give WireGuard advantages that legacy protocols can't easily replicate: fast connection recovery on network changes, low CPU overhead, and stability across unstable networks.
04 / Capabilities: Advanced capabilities
01 / Stealth VPN
HTTPS traffic obfuscation (domain fronting), UDP hole punching for NAT traversal, TCP fallback when UDP is blocked, SSH tunneling, and Shadowsocks/SOCKS proxies for covert routing.
02 / Protocol flexibility
WireGuard is recommended by default for speed and security. We can also deploy OpenVPN, IPsec, or other protocols on request.
03 / Hardware integration
Pair GemiGuard VPN with our customized GL.iNet devices — full control from client to server, configured to your requirements.
05 / Audience: Who it's for
- Journalists and human rights defenders working with sensitive sources
- Business users with corporate communications protection requirements
- Cybersecurity specialists and OSINT analysts
- Users who value real privacy without compromises
06 / Start: Ready to start
GemiGuard VPN is available to customers of our hardware solutions. Get in touch to discuss your requirements and find the optimal configuration.