Introduction to QuFabric
QuFabric is a security-hardened Zero Trust Networking platform purpose-built for transmitting classified and top-secret data over the public internet. It creates encrypted point-to-point overlay networks that meet the stringent requirements of government, defence, and critical infrastructure environments.
QuFabric is built on NetBird, an open-source Zero Trust Networking platform. We extend NetBird with additional security layers specifically designed for environments that handle sensitive and classified information, aligning with the NSA's Commercial Solutions for Classified (CSfC) program requirements.
QuFabric builds on the NetBird open-source project and can be self-hosted on your own infrastructure. Much of this documentation is adapted from the NetBird documentation, with additions covering QuFabric's security enhancements.
What Makes QuFabric Different
QuFabric adds critical security capabilities on top of NetBird's Zero Trust architecture:
- Double VPN with Independent Encryption — Two nested WireGuard tunnels: an outer tunnel (wg0) using ChaCha20-Poly1305 with post-quantum key exchange via Rosenpass (enabled by default), and an inner tunnel (aes0) using AES-256-GCM with DSKE-managed keys. This dual-layer architecture aligns with CSfC requirements.
- Post-Quantum Cryptography — The outer tunnel runs Rosenpass by default, continuously rotating pre-shared keys using quantum-resistant algorithms (Classic McEliece + Kyber) to protect against "harvest now, decrypt later" attacks.
- Distributed Symmetric Key Exchange (DSKE) — Automated management of pre-shared keys for the inner AES tunnel, using threshold cryptography across multiple security hubs to eliminate reliance on Diffie-Hellman key exchange alone.
- Dual-Interface Access Control — Firewall rules enforced across both wg0 and aes0 interfaces, ensuring consistent security policy regardless of which encryption tunnel carries the traffic.
Like NetBird, QuFabric requires no centralized VPN server — your machines connect directly over fast encrypted tunnels. It creates a high-performance point-to-point WireGuard® overlay network that connects machines running anywhere.
Security
Security Overview
Understand QuFabric's security architecture, encryption layers, and compliance alignment.
DSKE Key Exchange
Learn how Distributed Symmetric Key Exchange automates pre-shared key management for AES tunnels.
CSfC Alignment
How QuFabric's dual-layer encryption architecture aligns with NSA Commercial Solutions for Classified requirements.
WireGuard Lockdown
Configure additional port restrictions and interface hardening for maximum security.
Guides
Onboarding Guide
Get started with QuFabric in under 5 minutes. Learn the basics of installation and setup.
Deploy QuFabric
Deploy your own QuFabric instance. Learn how to set up and configure the server components.
Manage Network Access
Learn how to use access control policies to manage and secure access to your machines and resources.
Add Users to Your Network
Discover how to add team members to your network and manage user access.
Route Traffic to Private Networks
Learn how to provide secure access to LANs, VPS instances, and corporate private networks.
Manage DNS in Your Network
Configure custom name servers and DNS settings for your private network.
About
How It Works
Learn about the underlying concepts, architecture, protocols, and how secure networks are created.
Zero Trust vs. Traditional VPN
Discover how Zero Trust networking compares to traditional VPNs and understand the advantages.
Why WireGuard
Explore why WireGuard provides fast, secure, and modern networking as the foundation for QuFabric.

