A provider-agnostic VPN connection manager for Linux.
A lock shroud is the protective metal casing around a padlock's shackle. It doesn't replace the lock. It protects the lock from attack.
┌─────────────────────────────────────────┐
│ │
│ ┌───────────┐ │
│ │ SHROUD │ ← Protective │
│ │ ┌───────┐ │ outer casing │
│ │ │ LOCK │ │ │
│ │ │MECHANISM│ ← The vulnerable │
│ │ └───────┘ │ internals │
│ └───────────┘ │
│ │
└─────────────────────────────────────────┘
That's what VPN Shroud does:
| Lock Shroud | VPN Shroud (This Tool) |
|---|---|
| Wraps the lock | Wraps NetworkManager |
| Protects the mechanism | Kill switch protects against leaks |
| Doesn't replace anything | Works alongside your existing tools |
| Hardens against attack | Hardens against failures and stale state |
The name works on three levels:
- Concealment -- a VPN shrouds your traffic
- Hardware -- protective armor around the lock
- Architecture -- we wrap existing tools, we don't replace them
Most VPN tools want to own your system. They install kernel modules, replace your DNS, spawn seventeen daemons, and phone home to tell someone you're using them.
VPN Shroud doesn't do any of that.
We wrap, we don't replace. NetworkManager already knows how to connect to VPNs. OpenVPN and WireGuard already work. We're not here to reinvent the wheel. We're here to put armor around it.
We fail loud, recover quiet. When something breaks, you'll know. When it heals, you won't need to lift a finger.
We leave no trace. When VPN Shroud stops, your system is exactly as it was. No orphaned firewall rules. No zombie processes. No "please run this cleanup script to fix your networking."
We respect your privacy. No telemetry. No analytics. No phoning home. If you want to run VPN Shroud in a bunker with nothing but a VPN tunnel to the outside world, that's your right.
Read the full Principles if you want to understand what we're about.
I chose Rust because the compiler enforces the kind of promises security tools need to keep. I built VPN Shroud with AI. I'm not going to pretend otherwise, because pretending would violate the same principles this tool is built on.
I broke the code, found the bugs, and fixed them. Every decision is in the CHANGELOG. That's where the real work lives.
┌──────────────────────────────────────────────────────────────────┐
│ │
│ ✓ Kill switch that actually works │
│ └─ Traffic blocked when VPN drops. No leaks. │
│ │
│ ✓ Auto-reconnect that doesn't nag │
│ └─ Falls, gets back up, doesn't complain about it. │
│ │
│ ✓ LAN access while connected │
│ └─ Print, share files, access local devices. VPN stays up. │
│ │
│ ✓ System tray that stays out of your way │
│ └─ Click to connect. Click to disconnect. That's it. │
│ │
│ ✓ Works with any VPN provider │
│ └─ Mullvad, Nord, Proton, self-hosted, corporate. All good. │
│ │
│ ✓ Headless mode for servers │
│ └─ No GUI? No problem. Systemd integration included. │
│ │
│ ✓ Single binary, single purpose │
│ └─ One executable. CLI and daemon in one. │
│ │
└──────────────────────────────────────────────────────────────────┘
- One lean Rust binary. No Electron, no heavyweight GUI stack.
- No provider handshake. We talk straight to NetworkManager with your OpenVPN/WireGuard profiles.
- Minimal background daemons. A single supervisor, no telemetry or auto-updaters.
- Tight event loop. Async Tokio + formal state machine keep connect/disconnect on the hot path.
- In-process kill switch. iptables/nft rules applied/cleaned without extra helpers.
Boot-to-VPN in ~2-4s after network is ready (with auto_connect = true + headless/systemd autostart).
A system tray icon that stays out of your way. Left-click for the menu. That's it.
git clone https://github.com/lousclues-labs/shroud.git
cd shroud
./setup.shThat's it. The script handles dependencies, builds the binary, installs it, sets up your desktop entry, and configures shell completions.
Then import a VPN and go:
shroud import ~/my-vpn.ovpn
shroud connect my-vpn
shroud ks onYou're protected.
shroud # Start with system tray
shroud --headless # Start without GUI (for servers)
shroud autostart on # Launch on loginshroud list # See your VPNs
shroud connect ireland-42 # Connect
shroud disconnect # Disconnect
shroud switch us-west-2 # Atomic switch to different VPN
shroud status # What's happening?The kill switch blocks all traffic when your VPN drops. No exceptions. No leaks.
shroud ks on # Enable
shroud ks off # Disable
shroud ks status # CheckWhen enabled, only these paths are allowed:
- Loopback (localhost)
- Your VPN tunnel
- Your local network (so you can still print)
- DHCP (so you can still get an IP)
Everything else gets dropped. DNS goes through the tunnel or nowhere.
Bring your own configs. We don't care who your provider is.
shroud import ~/mullvad-us1.conf # WireGuard
shroud import ~/corporate.ovpn --name "Work" # OpenVPN with custom name
shroud import ~/vpn-configs/ # Whole directory
shroud import ~/vpn.conf --connect # Import and connect immediately| Document | What's Inside |
|---|---|
| Installation | Dependencies, building, setup |
| CLI Reference | Every command, every flag |
| Configuration | The config file explained |
| Kill Switch | How the firewall rules work |
| Headless Mode | Running on servers |
| Troubleshooting | When things go wrong |
| Architecture | How it's built |
| Principles | Why it's built this way |
| Contributing | How to help |
VPN Shroud keeps its config in ~/.config/shroud/config.toml. Here's what matters:
auto_reconnect = true # Get back up when you fall
kill_switch_enabled = false # Flip to true for always-on protection
dns_mode = "tunnel" # DNS through VPN only
ipv6_mode = "block" # Block IPv6 leaksSee Configuration for the full reference.
VPN Shroud knows exactly what state it's in at all times. No guessing. No "it says connected but nothing works."
Disconnected ──────► Connecting ──────► Connected
▲ │ │
│ │ │
│ ▼ ▼
│ Failed Degraded
│ │ │
│ │ │
└────────────────────┴────► Reconnecting
Every transition is logged. Every state is real. If VPN Shroud says you're connected, you're connected.
Your desktop needs StatusNotifierItem support. GNOME users need the AppIndicator extension.
shroud doctor # Run diagnostics
./setup.sh --install-sudoers # Install the sudoers ruleIf VPN Shroud crashes with the kill switch on:
shroud ks off # Try this first
# If Shroud isn't responding:
sudo iptables -D OUTPUT -j SHROUD_KILLSWITCH
sudo iptables -F SHROUD_KILLSWITCH
sudo iptables -X SHROUD_KILLSWITCHshroud debug on # Start logging everything
shroud debug tail # Watch the logsSee Troubleshooting for more.
Once the first release is published, this project will be installable via the lousclues package repository. See the install instructions at https://pkg.lousclues.com/install/.
# Ubuntu/Debian:
sudo apt install shroud
# RHEL/Fedora:
sudo dnf install shroudContributions are welcome. But first, read the Principles. Every contribution should align with them.
The short version:
- Wrap, don't replace
- Fail loud, recover quiet
- Leave no trace
- Keep it simple
See Contributing for the full guide.
- Linux (Arch, Debian, Ubuntu, Fedora, etc.)
- NetworkManager with OpenVPN and/or WireGuard plugins
- iptables or nftables
- A VPN config file
That's really it.
Copyright (C) 2026 Louis Nelson Jr. -- a lousclues project.
VPN Shroud is dual-licensed:
| Component | License | File |
|---|---|---|
| Source Code | GNU GPL v3.0 or later or Commercial License | LICENSE, LICENSE-COMMERCIAL.md |
| Documentation | Creative Commons Attribution 4.0 (CC BY 4.0) | LICENSE-DOCS.md |
| Third-Party Dependencies | MIT, Apache-2.0, and other permissive licenses | THIRD-PARTY-LICENSES |
For most users: The GPL covers you fully. Use VPN Shroud, connect your VPNs, run the daemon. No restrictions beyond the GPL.
For proprietary/commercial use: If you need to embed VPN Shroud in closed-source products or redistribute without GPL obligations, a commercial license is available.
For contributors: By submitting a pull request, you agree to the Contributor License Agreement. You keep your copyright; you grant the project permission to include your contribution under both licenses.
Trademarks: "VPN Shroud" is the composite project name and is not a claim of rights over "VPN" or "Shroud" individually. "lousclues" is a trademark of Louis Nelson Jr. See TRADEMARKS.md for usage guidelines. The GPL does not grant trademark rights.
For the complete licensing framework, see LICENSING.md. For project governance and succession planning, see GOVERNANCE.md.
VPN Shroud: Wrap your VPN in armor, not bloatware.
We protect. We recover. We disappear.
Your traffic is your business.