Features How it Works Download No-Log Policy FAQ Sign In Get Started →
Reality Protocol — Next-Gen Camouflage

The VPN That
Doesn't Look
Like a VPN

Military-grade VLESS+Reality protocol. Your traffic looks like a routine visit to Microsoft's servers. Undetectable by DPI. Unblockable by censors.

🐼 Get Your VPN ⬇ Download Client
TLS 1.3
Encryption Standard
0ms
Log Retention
X25519
Key Exchange
Bandwidth
Why Private-Panda

Built Different.
Designed to Survive.

Not another OpenVPN reskin. A fundamentally new architecture that makes your traffic cryptographically invisible.

🛡️
Reality Protocol

Borrows a legitimate website's TLS fingerprint. Observers see traffic to microsoft.com — not a VPN server.

XTLS Vision

Inner TLS splicing eliminates double-encryption. Up to 50% faster than OpenVPN on HTTPS-heavy workloads.

🌍
CDN Fallback

Routes through Cloudflare's global edge when direct connections are blocked. Your IP stays hidden behind 300+ PoPs.

🔑
X25519 Keys

Elliptic curve cryptography with 128-bit security level. Timing-attack resistant. No weak RSA parameters.

📋
Zero Logs

Xray log level is set to "warning" — errors only, zero connection metadata, zero IP records, zero timestamps.

🚫
DPI Immune

Statistically indistinguishable from a standard TLS 1.3 session. Deep Packet Inspection sees nothing unusual.

How it Works

Your traffic wears a disguise.

The Reality handshake is the core innovation — it's not just encrypted, it's impersonating legitimate HTTPS traffic at the TLS layer.

01
Client connects on port 443

Your device initiates a TLS 1.3 handshake to our server on port 443 — the same port as every HTTPS website.

02
Reality steals a legitimate certificate

The server relays your handshake to microsoft.com and returns their authentic TLS certificate. Any observer sees a Microsoft TLS session.

03
X25519 mutual authentication

Within the TLS session, your client and server verify each other using the X25519 keypair. Only valid clients get through.

04
Your traffic reaches the internet

Proxied requests exit from our AWS node. Websites see the server IP, never yours.

Your Device (Private-Panda Client) Built-in
TLS 1.3 · port 443
Cloudflare CDN Edge Optional
WebSocket · encrypted
AWS EC2 Node Xray-core
Reality handshake ↔ microsoft.com
Nginx + XTLS Vision
freedom outbound
🌍 Internet — Your Destination
Download

The Official Private-Panda Client.

A custom, native client built for our network — no third-party apps needed. The VPN engine is bundled in; just install, paste your profile, and connect.

🪟
Windows
Installer (.exe) · Windows 10 / 11 · 64-bit
↓ Download for Windows
 🐧
Linux
Debian package (.deb) · Kali · Ubuntu · Debian · x64
↓ Download for Linux

Linux: sudo apt install ./Private-Panda.deb, then launch Private-Panda from your app menu.  ·  Windows: run the installer, then launch from the Start Menu (admin prompt creates the secure tunnel adapter).

No-Log Policy

We can't log what we don't collect.

Our architecture is designed so that even a court order couldn't produce traffic logs — because none exist.

📋
Log Level: Warning Only
Xray-core runs at log level "warning". Only fatal errors are recorded. Zero connection metadata, zero IP addresses, zero timestamps, zero session identifiers are ever written to disk.
🏠
Single-Tenant Infrastructure
Your config runs on a dedicated AWS instance — not a shared multi-user server. There is no shared pool of connections that could accidentally leak cross-user data or timing correlations.
🔍
DNS Queries Are Tunnelled
The Private-Panda client routes all DNS through the encrypted tunnel via Xray's internal DNS engine. Your ISP cannot see what domains you visit. Verify at dnsleaktest.com after connecting.
🚫
No Third-Party Analytics
This website contains no tracking scripts, no analytics beacons, and no advertising code. The client application makes no telemetry calls. What you do is yours.

Technical Details

The server runs Xray-core configured with "loglevel": "warning". At this setting, Xray writes only unhandled error events — it does not log inbound connections, outbound destinations, user UUIDs, client IPs, or traffic volumes.

No connection database exists on the server. If you sent a subpoena today, the response would be: no records to produce.

The single-tenant model means your UUID is the only UUID on the instance. Even if server memory were somehow imaged, it would contain only your own in-flight session data — and nothing persisted to storage.

Zero Connection Logs Zero IP Records Zero Timestamps Zero DNS Logs Zero Analytics Single-Tenant
FAQ

Questions answered.

What client do I need to use?+
Use the official Private-Panda client — download it from the Download section above. Windows ships as a standard installer (.exe); Linux ships as a Debian package (.deb) for Kali, Ubuntu, and Debian. The VPN engine is bundled in, so no third-party apps are needed.
Which connection profile should I choose?+
Start with the REALITY Direct profile closest to you geographically (Stockholm for Europe, Singapore for Asia-Pacific). If that connection is blocked or slow, switch to the CDN WebSocket variant which routes through Cloudflare.
What makes Reality different from WireGuard?+
WireGuard produces a distinctive UDP packet pattern detectable by DPI hardware. Reality operates over TLS 1.3 on port 443 and actively impersonates a legitimate website's TLS session, making it statistically indistinguishable from normal HTTPS traffic.
Do you log my traffic or browsing activity?+
No. The server runs with Xray's log level set to "warning", which records errors only — no connection metadata, no IPs, no timestamps. The server is single-tenant (your config only), so there's no shared infrastructure that could leak cross-user data.
What happens if the direct connection is blocked?+
The CDN fallback path routes your traffic through Cloudflare's global edge network via WebSocket. Since Cloudflare is used by millions of websites, blocking it would break a significant portion of the internet — censors typically cannot block it.
Which server locations are available?+
Two regions are available: AWS eu-north-1 (Stockholm, Sweden) for European users, and AWS ap-southeast-1 (Singapore) for Asia-Pacific users. Each region has both a REALITY Direct and a CDN WebSocket profile — four profiles total.
Is this legal to use?+
VPN usage is legal in most countries. The Reality protocol is a technical privacy tool with no inherently illegal function. You are responsible for complying with local laws in your jurisdiction. We do not facilitate or condone illegal activity.
How do I know my DNS queries aren't leaking?+
The Private-Panda client routes DNS through the secure tunnel using its internal DNS engine. After connecting, verify at dnsleaktest.com — your results will show the remote server location, not your local ISP.
Which operating systems are supported?+
The desktop client runs on Windows 10/11 (64-bit) and 64-bit Linux distributions including Kali, Ubuntu 20.04+, and Debian. The same build works across these Linux distros — they share the GTK and network libraries the client depends on. macOS is not currently packaged.
Why does the app ask for my password on launch?+
Creating a system-wide VPN tunnel requires administrator rights. On Linux you'll see a polkit prompt; on Windows, a UAC prompt. The client only uses this to bring up the encrypted tunnel adapter — your password is never stored or transmitted.