A complete tour of Qeli: a self-hosted, post-quantum VPN in Rust
Qeli is an open-source VPN you run on your own server. No third-party service, no account with someone else, no telemetry - the server is yours, the keys are yours, and the software itself sends nothing to me or anyone else. The core and server are written in Rust. This is a full tour: what it is, how it is built, how to stand one up, and where it honestly stands today.
The model: your server, your keys
Commercial VPNs route your traffic through infrastructure you do not control. Qeli is the opposite: you deploy the server on a box you own or rent, and your devices connect only to it. There is no VPN vendor in the middle who could log, sell, or hand over your traffic; the trust boundary moves rather than disappears, since whoever hosts the server still sees the plaintext it forwards to the internet, but you choose that party yourself. If you already rent a VPS, you can have your own private VPN on it. It is a full VPN, not a proxy: the client brings up a TUN interface and routes the whole device through an encrypted channel to your server, not just one app or one browser tab.
Architecture
One Rust binary is three things:
- The server - terminates client tunnels, routes traffic, enforces per-user limits;
- The CLI - qeli server, qeli add-client, qeli list-clients, qeli set-bandwidth, qeli kick, and more;
- An admin web panel - manage users, bandwidth and identity from a browser, served over its own built-in TLS.
Clients are native on every major platform:
- Linux - Rust
- Windows - C# / .NET
- macOS - C# / Avalonia
- Android - Kotlin
- iOS and a Keenetic router build are in progress.
Cryptography
This is where Qeli does something most self-hosted VPNs do not yet: post-quantum by default. The inner handshake is a hybrid X25519 + ML-KEM-768 (FIPS 203) key exchange. The classical and the post-quantum shared secret are both fed into the KDF, so a recorded session stays safe unless both primitives are broken - protection against "harvest now, decrypt later". I wrote a separate deep dive on the handshake. Data plane: ChaCha20-Poly1305. Key derivation: HKDF-SHA256. Password-derived secrets: Argon2id. The post-quantum core lives in Rust and is shared with the C# and Kotlin clients over FFI/JNI, so every platform speaks the same wire format.
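To make the "safe unless both are broken" property concrete, here is an added example (mine, not Qeli's code, and not its wire format) of the hybrid combiner step: two 32-byte shared secrets are concatenated into the HKDF-SHA256 input, the handshake transcript is bound in as the salt, and per-direction ChaCha20-Poly1305 keys are expanded from the result. It uses the Python standard library rather than the project's Rust so it runs offline without crates; the label strings, the salt choice and the concatenation order are assumptions for the demo, and the two shared secrets are constructed stand-ins because X25519 and ML-KEM-768 decapsulation are not in the stdlib. The HKDF implementation is checked against RFC 5869 test case 1 before it is used.

```python
"""Hybrid X25519 + ML-KEM-768 secret combination, modelled with the Python stdlib."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: OKM = T(1) || T(2) || ... truncated to length."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: length too large")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_keys(ss_x25519: bytes, ss_mlkem: bytes, transcript: bytes) -> dict:
    """Derive directional data-plane keys from BOTH shared secrets.

    Layout (an assumption for this demo, not Qeli's wire format):
      IKM  = ss_x25519 || ss_mlkem          -- fixed order, identical on both peers
      salt = SHA-256(handshake transcript)  -- binds keys to what was actually exchanged
      key  = HKDF-Expand(PRK, label, 32)    -- one 256-bit ChaCha20-Poly1305 key per direction
    """
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("expected 32-byte shared secrets (X25519 and ML-KEM-768 both give 32)")
    prk = hkdf_extract(HASH(transcript).digest(), ss_x25519 + ss_mlkem)
    return {
        "c2s": hkdf_expand(prk, b"demo-vpn c2s key", 32),
        "s2c": hkdf_expand(prk, b"demo-vpn s2c key", 32),
    }


def attacker_recovers_keys(ss_x25519: bytes, ss_mlkem: bytes, transcript: bytes,
                           broken: str) -> bool:
    """Model 'harvest now, decrypt later': the adversary later breaks ONE primitive.

    broken="x25519" means the adversary learns ss_x25519 but must guess ss_mlkem
    (and vice versa). Returns True only if the guessed keys equal the real ones.
    """
    real = hybrid_session_keys(ss_x25519, ss_mlkem, transcript)
    unknown = bytes(32)  # the secret the adversary does not have: a fixed guess
    if broken == "x25519":
        guess = hybrid_session_keys(ss_x25519, unknown, transcript)
    elif broken == "mlkem":
        guess = hybrid_session_keys(unknown, ss_mlkem, transcript)
    else:
        raise ValueError(broken)
    return guess == real


def rfc5869_self_test() -> bool:
    """Check HKDF against RFC 5869 test case 1 before trusting it for key derivation."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a"
                             "2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


# Constructed stand-ins: in a real handshake these come from X25519 and ML-KEM-768
# decapsulation, which the stdlib does not provide.
SS_X25519 = bytes.fromhex("11" * 32)
SS_MLKEM = bytes.fromhex("22" * 32)
TRANSCRIPT = b"demo-vpn client_hello || server_hello"  # constructed placeholder

if __name__ == "__main__":
    assert rfc5869_self_test()
    keys = hybrid_session_keys(SS_X25519, SS_MLKEM, TRANSCRIPT)
    print("c2s key:", keys["c2s"].hex())
    for primitive in ("x25519", "mlkem"):
        print(f"{primitive} broken -> session keys recovered:",
              attacker_recovers_keys(SS_X25519, SS_MLKEM, TRANSCRIPT, primitive))
```

The point of the model is in `attacker_recovers_keys`: knowing either shared secret alone leaves the adversary guessing 256 bits of HKDF input, so the derived keys are unreachable until both X25519 and ML-KEM-768 fall. Two practical details matter in any real implementation of this scheme: both peers must use exactly the same concatenation order and labels, and the transcript (or at least the public keys and ciphertext) must be bound into the derivation so a tampered handshake yields different keys on the two sides rather than a silent downgrade.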
Transports
Qeli has its own L4 protocol with several interchangeable transports - plain, fake-tls, obfs, reality, reality-tls, quic - so you can pick what suits your server and network. The flagship, reality-tls, terminates a genuine TLS 1.3 session: the tunnel runs inside a real, modern HTTPS channel rather than something that merely imitates one.
Operations
Management is built in, not bolted on:
- per-user accounts and accounting
- per-user bandwidth limits
- a kill switch on the clients
- per-user device tracking
- human-readable qeli:// config links (and QR) to onboard a client in seconds
Standing one up
On a Debian/Ubuntu server:
sudo apt install ./qeli_0.7.1_amd64.deb
sudo cp /etc/qeli/server.conf.example /etc/qeli/server.conf
# edit it
sudo systemctl enable --now qeli
Then add a client and hand it the generated qeli:// link (or QR); the link carries the client's credentials, so pass it over a channel you trust:
qeli add-client alice
Point the desktop or mobile client at that link and you are connected. Prebuilt binaries for Linux, Windows, macOS and Android are on the releases page.
How it compares
WireGuard is excellent and I still use it - but it is a single fixed transport, has no built-in post-quantum key exchange (its optional pre-shared key is the only hook, and something outside WireGuard has to fill it), and ships no user management. OpenVPN is flexible but heavy and dated. Qeli trades some of WireGuard's minimalism for batteries-included self-hosting: several transports, a web panel, per-user controls, and post-quantum from day one.
Honest status
Qeli is 0.7.1 - beta. The 1.0 line will be the first I would call stable, after more testing and user feedback. There are nearly 200 unit tests and I have triaged two external code audits, but it has not had a professional cryptographic audit, so do not put anything life-critical on it yet. The handshake and transport code is exactly where I would most value outside scrutiny.
Links
- Code (AGPL-3.0 core, MPL-2.0 clients): https://github.com/litvinovtd/qeli
- Site: https://qeli.ru
- Releases and builds: https://github.com/litvinovtd/qeli/releases
- Community (Telegram): https://t.me/qeli_vpn
If you self-host, give it a spin and tell me where it breaks - issues and feedback are very welcome.