Local encryption first
VPN profile data is encrypted on the device before it is uploaded. GitHub stores encrypted blobs, not readable VPN configuration.
Rust/Tauri OpenConnect helper
oc-oxide
A desktop VPN helper that keeps OpenConnect protocol handling in libopenconnect and moves profile, route, DNS, diagnostics, and UI control into a Rust daemon architecture.
GitHub integration
Used only for profile synchronization
No VPN secrets in sync
Passwords, OTP codes, session cookies, private keys, router credentials, and daemon tokens are not stored in GitHub.
Narrow repository access
The planned GitHub App is scoped to repository contents for a user-selected private sync repository.
Architecture
Daemon-owned VPN control plane
The Tauri desktop app is an unprivileged client. A daemon owns libopenconnect, TUN setup, route policy, DNS policy, cancellation, recovery, and IPC state. The project is Linux-first today, with crate boundaries designed so route, DNS, and privilege backends can grow per platform.