April 24, 2026 at 07:48 PM
AIVPN: Neural Resonance for DPI-Resistant Traffic
@infosave2007 (Project Author)
- Overview and Vision
- AIVPN is presented as a modern replacement for traditional VPNs, designed to defeat deep packet inspection (DPI) by disguising encrypted traffic as real application traffic rather than merely encrypting payloads.
- The core problem it addresses is that ISPs and state-level firewalls can identify and block VPNs by packet sizes, timing, and handshake patterns, even when payloads are encrypted.
- The system aims to make traffic resemble everyday app activity (e.g., a Zoom call or social media browsing) while remaining a fully encrypted tunnel.
- AIVPN’s author built a practical DPI emulator to validate the concept, reproducing filtering scenarios and stress-testing the setup to measure resilience, mask-switching speed, and routing stability.
- The solution includes a patented approach for fast routing, with a USPTO filing noted (System and Method for Unsupervised Multi-Task Routing via Signal Reconstruction Resonance, application No. 19/452,440 dated Jan 19, 2026).
- In short, AIVPN markets itself as a stealthy, resilient VPN layer that hides its very existence and purpose by mimicking legitimate traffic patterns.
- The Main Feature: Neural Resonance
- The centerpiece of the project is an AI-assisted module called Neural Resonance. It is designed to be lightweight and memory efficient, avoiding the bloat of large language models while still providing robust traffic-mimicking capabilities.
- Baked Mask Encoder: For each mask profile (such as WebRTC codecs or QUIC-based traffic), a compact neural network (a small multilayer perceptron) is baked directly into the binary. The neural network is intentionally tiny (approximately 66 kilobytes) to minimize RAM overhead while delivering real-time analysis.
- Real-time analysis: The neural network inspects incoming UDP traffic on-the-fly by examining entropy and inter-arrival times (IAT). This enables the system to understand current traffic characteristics and decide whether the observed flow matches the expected mask.
- Adversarial detection against censors: If an ISP or censor attempts active probing or throttling, the neural module detects spikes in reconstruction error (mean squared error, MSE) as a signal that the current mask might be compromised.
- Auto mask rotation: When the AI detects a compromised mask (for example, a label like webrtc_zoom becoming flagged by the censor), both server and client seamlessly switch to a backup mask (for instance, dns_over_udp) with zero disconnects. This creates a continuous, adaptable traffic profile that resists simple static fingerprinting.
- Security depth: Neural Resonance works in tandem with the other security features so that the tunnel keeps both its continuity and its camouflage, rather than simply encrypting data.
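The detection loop described in this section, as an added Python sketch (not AIVPN's code): per-window entropy and inter-arrival features are scored by reconstruction error, and the mask rotates only after several consecutive spikes. Assumptions: a clean-traffic mean stands in for the baked MLP, and the tolerances, threshold, window size and mask ids are constructed for the example.

```python
import math, random, statistics
from collections import Counter

def shannon_entropy(payload: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for an empty payload)."""
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0

def window_features(packets):
    """packets: [(arrival_time_s, payload)] -> [mean entropy, mean IAT, IAT stdev]."""
    times = [t for t, _ in packets]
    iats = [b - a for a, b in zip(times, times[1:])]
    return [statistics.fmean(shannon_entropy(p) for _, p in packets),
            statistics.fmean(iats), statistics.pstdev(iats)]

class MaskMonitor:
    # Assumed per-feature tolerances (bits, seconds, seconds); not project values.
    TOLERANCE = [0.5, 0.005, 0.005]

    def __init__(self, clean_windows, masks, threshold=1.0, patience=3):
        # Stand-in for the MLP: "reconstruct" every window as the clean-traffic mean.
        self.expected = [statistics.fmean(col) for col in zip(*clean_windows)]
        self.masks, self.active = list(masks), 0
        self.threshold, self.patience, self.strikes = threshold, patience, 0

    def mse(self, feats):
        """Mean squared reconstruction error in tolerance units."""
        return statistics.fmean(((f - e) / tol) ** 2
                                for f, e, tol in zip(feats, self.expected, self.TOLERANCE))

    def observe(self, feats):
        """Feed one window; rotate only after `patience` consecutive spikes."""
        self.strikes = self.strikes + 1 if self.mse(feats) > self.threshold else 0
        if self.strikes >= self.patience and self.active + 1 < len(self.masks):
            self.active, self.strikes = self.active + 1, 0
        return self.masks[self.active]

def synth_window(seed, gap, jitter=0.002, n=50):
    """Constructed sample traffic: n packets of 160 random bytes, ~gap seconds apart."""
    rng, t, pkts = random.Random(seed), 0.0, []
    for _ in range(n):
        t += gap + rng.uniform(-jitter, jitter)
        pkts.append((t, bytes(rng.getrandbits(8) for _ in range(160))))
    return window_features(pkts)

def demo():
    clean = [synth_window(s, gap=0.020) for s in range(20)]
    throttled = [synth_window(100 + s, gap=0.060) for s in range(4)]  # stretched IATs
    mon = MaskMonitor(clean, ["primary_mask", "backup_mask"])  # hypothetical mask ids
    return [mon.observe(w) for w in clean[:3] + throttled[:1] + clean[3:5] + throttled[1:]]
```

In `demo()`, the single throttled window between clean ones resets the strike counter, so only the final run of three throttled windows triggers the switch.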
- Platform Support and Current Client Status
- Linux: Full support for server and client, with TUN devices exposed via /dev/net/tun. This is the primary platform.
- macOS: Client support exists, using the utun kernel interface to configure routing automatically.
- Windows: Client support exists; the recommended path uses the Wintun driver for efficient tunnel handling.
- Android: Client support exists via a native Kotlin app using the VpnService API.
- Current client status:
- macOS app: working
- CLI client: working
- Android app: working
- Windows client: currently in testing
- Downloads and Pre-built Binaries (Conceptual Summary)
- The project provides pre-built binaries for multiple platforms so users can avoid compiling:
- macOS: aivpn-macos.dmg with a menu-bar interface
- Linux: aivpn-client-linux-x86_64 and aivpn-client-linux-armv7-musleabihf (static musl builds)
- Entware / MIPSel: aivpn-client-linux-mipsel-musl (static musl)
- Windows: aivpn-windows-package.zip with aivpn-client.exe and wintun.dll
- Android: aivpn-client.apk
- Linux Server: aivpn-server-linux-x86_64
- Linux Server ARMv7: aivpn-server-linux-armv7-musleabihf
- Linux Server MIPSel: aivpn-server-linux-mipsel-musl
- Each binary is designed to be lightweight (roughly a few megabytes), with server-side builds specifically optimized for various architectures.
- Getting Started: Quick Platform Guides (High-Level)
- macOS: Install the macOS binary, launch the app, and paste a connection key to connect. The app runs from the menu bar and requires root privileges to access the TUN device.
- Windows: Install the Windows package, ensure the aivpn-client.exe and wintun.dll stay together, and run with an administrator command line to supply your connection key.
- Linux: Install the Linux CLI binary, make it executable, and run as root to initiate the VPN with your connection key.
- Android: Install the APK, paste the connection key, and tap Connect to establish the tunnel.
- Entware Routers: Copy the static musl binary to the router, make it executable, and run as root from Entware.
- Note: On all platforms, the connection key is a compact string that encodes the server address, public key, PSK, VPN IP, and, optionally, network_config details. This centralizes configuration in a single token.
- Cross-Platform Build and Release Strategy
- Cross-platform building supports compiling the client and server from a single repository using Rust. The build process uses a workspace with multiple crates, including aivpn-common (crypto and masks), aivpn-server, and aivpn-client.
- Build steps emphasize release builds and the use of static musl targets for ARMv7 and MIPSel to maximize portability on low-resource devices like SBCs.
- There are scripts for rapid Linux server release deployment and for packaging artifacts for GitHub Releases, including default Linux assets and musl-based artifacts for ARM/Entware targets.
- The project provides Docker-based deployment, including a docker-compose setup that preconfigures the server. This approach simplifies NAT and firewall considerations when bringing up a VPN in a VPS environment.
- Binaries can be produced for Linux, Windows, macOS, and Android, and static builds minimize runtime dependencies on target devices.
- Server and Client Management: Keys, Masks, and Mask Catalog
- Client registration is modeled similarly to WireGuard/XRay: each client receives a unique pre-shared key (PSK), a static VPN IP, and traffic statistics. All client configuration is encapsulated in a single connection key.
- The connection key carries both a legacy top-level VPN IP field and an optional bootstrap network_config block. New clients can receive server-provided network settings through this block, validated by a ServerHello message from the server.
- Mask management and records are central to operation:
- Recording Custom Masks: The system can record traffic for a service to generate a new mimicry profile (MaskProfile). This involves an authenticated client connection, a recording phase with service traffic, and a post-recording generation and self-testing to ensure fidelity.
- Masks are stored as JSON files named with a mask_id, enabling a catalog of mimicry profiles the server and clients can utilize.
- The workflow for adding clients, listing clients with traffic stats, and showing or removing clients is supported through both Docker-based and bare-metal server deployments, with server-side commands enabling dynamic client management.
- Recording Custom Masks: Conceptual Flow
- Purpose: To extend mimicry to services that may be blocked in specific networks by generating new MaskProfiles through real traffic demonstrations.
- Process:
- Create an admin client on the server to bootstrap management.
- Connect a client using the admin credentials.
- Start the recording process for a given service (e.g., a video conferencing app).
- Use the service normally for a period sufficient to capture diverse traffic types.
- Stop recording to trigger mask generation and a self-test phase.
- The server analyzes captured packet metadata (sizes, intervals, headers) to construct a MaskProfile, which is then stored and cataloged for use by clients.
- Requirements for high-quality masks include a minimum packet count (e.g., around 500 packets), a recording duration (perhaps 60 seconds or more), traffic diversity, and connection stability to ensure reliable statistical modeling.
- Client Experience: Connection Keys and Modes
- The recommended interaction model emphasizes the connection key as the primary client credential:
- Paste the aivpn:// link into the client to configure and connect.
- There is a priority order: confirmed network settings from ServerHello precede bootstrap data provided by the connection key, and legacy fallback defaults remain available for backward compatibility.
- Full-tunnel mode routes all traffic through the VPN, with specific commands to opt into or out of this mode on different platforms.
- Manual mode options exist:
- Linux and macOS: manual server address and server public key (base64) can be supplied if needed, allowing legacy or no-auth configurations.
- Windows: similar manual-mode options exist, with added ease through the GUI and a focus on automated route configuration.
- The cross-platform approach ensures that users can deploy AIVPN on a wide range of hardware, from desktops to embedded devices, with consistent behavior and a unified connection-key model.
- Security and Privacy Features
- Zero-RTT and PFS: No traditional handshake is required for data to flow from the very first packet. Forward secrecy is continuously maintained as encryption keys rotate on the fly, so a seized server does not compromise past data.
- O(1) cryptographic session tags: Each packet includes a dynamic cryptographic tag derived from a timestamp and a secret key, enabling instant client-server matching without transmitting a persistent session ID in the clear. To outsiders, the traffic looks like noise.
- Lightweight and memory-safe: The entire client binary is approximately 2.5 MB, reflecting a careful design philosophy to maximize performance on modest VPS hardware and low-resource devices.
- Security-conscious implementation: The project emphasizes Rust-based implementation, focusing on memory safety and performance, reducing risk of memory leaks or vulnerabilities in long-running processes.
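One way such a tag scheme can work, as an added Python example that is not taken from the AIVPN code base: the client derives a truncated HMAC over the current time window, and the server keeps a precomputed tag table so each packet is matched with a single dictionary lookup. HMAC-SHA256, the 8-byte tag, the 5-second window, the one-window skew allowance and the client names are assumptions.

```python
import hashlib, hmac, struct

WINDOW_S = 5   # assumed tag lifetime in seconds
TAG_LEN = 8    # assumed truncated tag length in bytes

def session_tag(key: bytes, window: int) -> bytes:
    """Tag for one time window: truncated HMAC-SHA256 over the window counter."""
    return hmac.new(key, struct.pack(">q", window), hashlib.sha256).digest()[:TAG_LEN]

def client_tag(key: bytes, now: float) -> bytes:
    """What a client would place in a packet sent at time `now`."""
    return session_tag(key, int(now // WINDOW_S))

class TagIndex:
    """Server side: precomputed tag -> client map, so a packet costs one dict lookup."""
    def __init__(self, client_keys: dict, skew_windows: int = 1):
        self.client_keys, self.skew = client_keys, skew_windows
        self.window, self.table = None, {}

    def _rebuild(self, window: int):
        # O(clients) work once per window, not per packet; the +/- skew range
        # tolerates client clocks that are slightly ahead or behind.
        self.table = {session_tag(key, w): cid
                      for cid, key in self.client_keys.items()
                      for w in range(window - self.skew, window + self.skew + 1)}
        self.window = window

    def lookup(self, tag: bytes, now: float):
        """Return the client id for a tag, or None for unknown or expired tags."""
        window = int(now // WINDOW_S)
        if window != self.window:
            self._rebuild(window)
        return self.table.get(tag)

def demo():
    keys = {"client-a": b"\x01" * 32, "client-b": b"\x02" * 32}  # constructed keys
    idx, now = TagIndex(keys), 1_700_000_000.0
    return [idx.lookup(client_tag(keys["client-a"], now), now),             # current window
            idx.lookup(client_tag(keys["client-b"], now - WINDOW_S), now),  # clock one window behind
            idx.lookup(client_tag(keys["client-a"], now - 60), now),        # stale tag
            idx.lookup(bytes(TAG_LEN), now)]                                # tag from no known key
```

A tag of this kind only selects the session; packets still need authenticated encryption, because a captured tag remains valid until its window expires.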
- Project Structure and How to Contribute
- Repository layout:
- aivpn-common: Crypto primitives, mask definitions, and protocol structures
- aivpn-client: Core client logic, tunnel implementation, mimicry engine
- aivpn-server: Gateway logic, mask catalog, neural processing, NAT rules, metrics
- aivpn-android: Android client
- Contributing:
- The project invites contributions around the mask engine, neural weights and anomaly detection, cross-platform tunneling modules, and comprehensive tests (noting a large test suite of 100+ tests).
- The repository encourages researchers and developers with traffic-analysis experience to help capture dumps and train new mask profiles for Neural Resonance.
- Licensing, Safety, and Community Focus
- The project is released under the MIT license, indicating openness to use, modification, extraction, and redistribution with minimal licensing friction.
- The description emphasizes responsible use: bypassing censorship should be done in a manner consistent with local laws and regulations, and the project invites ethical contributions and studying traffic patterns in privacy-respecting contexts.
- The "Contributing" section underscores the collaborative nature of the project and invites developers to engage with mask engines, neural components, and cross-platform TUN modules.
- Closing Observations and Context
- AIVPN presents a holistic approach to VPN design that prioritizes traffic camouflage, rapid route switching, and resilient performance under censorship or DPI-based threats.
- The Neural Resonance module represents an innovative attempt to balance lightweight AI with real-time network disguise, avoiding the computational burdens of large language models while still enabling adaptive masking.
- The architecture emphasizes modularity and portability, allowing deployment across Linux, macOS, Windows, Android, and embedded environments, with a clearly defined path for automated builds and distribution.
- The project’s emphasis on a modern, mask-driven VPN aligns with a broader trend toward privacy-preserving network technologies that seek to operate under the radar of network monitors without sacrificing security or performance.
- Summary
- The document outlines a comprehensive, multi-platform VPN project designed to evade DPI through traffic mimicry rather than mere encryption.
- Neural Resonance is the standout feature, delivering real-time traffic analysis and adaptive masking with a compact, embedded AI component.
- The system operates across major platforms, supports both cloud-based and bare-metal deployments, and provides a structured pathway for managing clients, masks, and recordings.
- While the content includes procedural and build details, the high-level description emphasizes the architectural choices, security properties, and strategic goals of masking VPN traffic in a modern network environment.
- The license and community notes invite ongoing contributions to improve mask profiles, refine the neural detector, and expand platform support while maintaining a strong emphasis on safety, legality, and responsible use.
Repository: https://github.com/infosave2007/aivpn