Wraith

Fast, private WireGuard —
with Haven DNS built in.

Your traffic rides our own fleet. No logs, no ads, no middlemen — because the infrastructure to run any of that doesn’t exist on our side of the wire.

iOS · In review by Katafract ↗

Infrastructure built so there’s nothing to betray.

How it works ↓
App Store approval in progress. Android? Join the waitlist →
Why Wraith

Because the breach-letter cycle is exhausting.

I’m Tek. I piled up third-party apps for every layer of privacy — each one another company I had to trust. Every few months another breach letter arrived from a company I’d never heard of, holding data a company I did know had moved, sold, or leaked.

I stopped trusting third parties for the parts that mattered. I didn’t want to ask anyone to trust me more than the companies that burned them either. So I built Wraith on infrastructure I operate end-to-end, with a posture that’s inspectable rather than opaque.

— Tek, founder
What Wraith does

Four things, done carefully.

01 · Protocol
WireGuard across a global fleet
Modern, audited, open protocol. Nodes in EU, US, and Asia — continuously expanding, not a fixed count.
02 · Filtering
Haven DNS at every exit
Ads, trackers, and known malware domains are blocked at the DNS layer — before the app on your phone ever sees them.
03 · Failover
Kill switch
If the tunnel drops, traffic is blocked. Nothing leaks to your ISP while the app reconnects.
04 · Logs
No activity logs
No connection timestamps, no assigned-IP records, no DNS logs. The pipelines were never built. There’s nothing to subpoena.
How it works

Operator-grade trust, stated plainly.

This is how Wraith is actually built. Each claim is inspectable on docs.katafract.io/trust.

01

WireGuard via our own WraithGate fleet

Every exit node is operated by Katafract — not rented from a reseller, not shared with a brand we don’t control. IPs are listed publicly so you can verify each one.

02

Haven DNS runs on the node itself

Your DNS queries never leave the tunnel. AdGuard + OISD filter lists block ads, trackers, and known-malicious domains before your apps even see them.

03

Kill switch + local network passthrough

If the tunnel drops, the app blocks traffic. Your local network — home printers, Plex server, LAN cameras, smart-home devices — stays reachable while your internet traffic tunnels. No toggle, no config; LAN just works.

04

No-logs posture — architectural, not promised

No connection timestamps, no assigned-IP records, no DNS query logs. The code to collect those was never written. Read the full policy at docs.katafract.io/trust/logs/.

05

Token-based identity, not your email

Apple handles sign-in. Wraith receives a token that grants access. We don’t learn your name, your email, your billing address, or what else you own.

06

Verify the fleet

Every exit IP is documented on docs.katafract.io/trust/infrastructure/. Check them against public WHOIS, ASN, and your own traceroutes.

Who it’s for

People who prefer knowing who they’re trusting.

Privacy-conscious travelers, journalists, operators, and anyone tired of VPN brands that treat their customer list as the product.

Airport / Cafe

Public Wi-Fi is a hostile network. One tap on Wraith and your DNS, your traffic, and your real IP stop leaking to whoever else is on the SSID.

International travel

Connect to a hotel network anywhere in the world. Haven DNS keeps blocking ads and trackers even on networks that inject both.

Home & office

Per-device kill switch means your phone won’t silently leak to your ISP if the tunnel blips. Works alongside home routers via our separate router endpoint.

Proof

Inspectable, not opaque.

We publish the posture. You decide whether it holds up.

Coming soon
App Store · In review
Apple review in progress. We'll publish the App Store link here when it's approved.
Source
github.com/katafract-io ↗
Public code, infra scripts, and node bootstrap.
Canary
Warrant canary →
Updated on a fixed schedule. Absence says what presence can’t.
Docs
Trust architecture ↗
Log policy, infrastructure list, threat model.
Status

In Apple review.

Wraith is currently in Apple's review queue. We'll announce pricing and availability here when the app is approved.

FAQ

Straight answers.

Does Wraith work in countries with DPI or VPN restrictions?
Wraith uses standard WireGuard on UDP, plus an obfuscated Shadowsocks fallback for environments where direct UDP/WG is blocked. We're open about the limits — if a jurisdiction actively blocks all VPN traffic, no fallback is universal.
How fast is Wraith vs. NordVPN or ExpressVPN?
Wraith runs WireGuard — the same protocol most modern VPNs use under the hood. Throughput is a function of your distance to the nearest exit and the node’s uplink. Our fleet covers EU, US, and Asia, and we continue to add regions. Haven DNS runs on the node itself, so DNS lookups don’t make an extra round-trip.
How many devices can I use on one account?
Wraith is currently in Apple review. Device limits and pricing will be confirmed here when the app launches.
What gets logged?
No connection timestamps, no assigned-IP records, no DNS query logs, no session durations. The pipelines that would collect those were never built. Full policy: docs.katafract.io/trust/logs/.
Who’s behind Katafract?
Katafract LLC is a small, founder-operated company. We dogfood every app we ship. Source and posture are inspectable at github.com/katafract-io and docs.katafract.io/trust/.
Does Wraith work with streaming services?
Most services work because we operate our own fleet rather than leasing from IP-reputation-poor pools. We don’t guarantee any specific service will always work — that’s outside our control — but we don’t deliberately break them either.
What happens if my subscription lapses?
Your peer configuration is rotated and the tunnel stops. Haven DNS (free, no account) keeps working on your devices. Re-subscribe and access restores immediately. We don’t keep billing hostages. Pricing details will be published when the app is approved.
The platform

Wraith is one piece.

Wraith·Vaultyx·Haven·DocArmor
See the full Katafract app lineup
Privacy policy Warrant canary Source ↗ Trust docs ↗

iOS 17.0+ · iPhone · In Apple review queue