Trust — infrastructure

This is the list of servers that actually handle your traffic or your files. Every IP below is a public endpoint. You can ping, traceroute, or whois any of them and the result should match what’s on this page.

Katafract LLC owns the accounts on every provider. The providers host the hardware; we operate it. No third-party managed services sit in the data path for VPN, DNS, or file storage.

Each node runs WireGuard (wg1, UDP 51821) and Haven (AdGuard Home bound to the WG interface). Peer isolation is enforced server-side: clients can reach the internet but not each other and not the mesh.

| Node | Region | Provider | IPv4 | WG client CIDR |
|---|---|---|---|---|
| vpn-nbg-01 | Nuremberg, DE | Hetzner | 178.104.49.211 | 10.11.1.0/24 |
| vpn-hel-01 | Helsinki, FI | Hetzner | 204.168.224.243 | 10.11.2.0/24 |
| vpn-pdx-02 | Hillsboro, OR, US | Hetzner | 5.78.207.199 | 10.11.3.0/24 |
| vpn-iad-01 | Ashburn, VA, US | Hetzner | 87.99.128.159 | 10.11.6.0/24 |
| vpn-pdx-01 | Hillsboro, OR, US | Hetzner | 5.78.178.202 | 10.11.7.0/24 |
| vpn-sin-02 | Singapore, SG | Vultr | 149.28.132.184 | 10.11.8.0/24 |
| vpn-sin-03 | Singapore, SG | Vultr | 45.76.186.75 | 10.11.9.0/24 |
| vpn-nrt-01 | Tokyo, JP | Vultr | 167.179.82.216 | 10.11.10.0/24 |
| vpn-bom-01 | Mumbai, IN | Vultr | 65.20.76.56 | 10.11.12.0/24 |
| vpn-ewr-01 | Piscataway, NJ, US | Vultr | 64.176.215.96 | 10.11.13.0/24 |

GeoDNS routes the vpn-*.katafract.com names to these addresses. The mapping is published under GeoDNS records and each name resolves to exactly one IP above.

Vaultyx ciphertext chunks land here. Replication factor is 2 across zones.

| Node | Region | Provider | Role | Capacity |
|---|---|---|---|---|
| fury | St. Louis, MO, US | Contabo | Garage node, zone us-central | 1.5 TB |
| atlas | Vint Hill, VA, US | OVH Kimsufi | Garage node, zone us-vin | 14.8 TB |
| hades | Beauharnois, QC, CA | OVH Kimsufi | Garage node, zone ca-bhs | 14.8 TB |

Public S3 traffic reaches the cluster through s3.objstore.io (proxied via argus nginx). Direct Garage ports are not exposed to the internet.

One box runs a warm standby for the control plane and the monitoring stack. It does not carry user VPN or DNS traffic.

| Node | Region | Provider | Role | IPv4 |
|---|---|---|---|---|
| fury | St. Louis, MO, US | Contabo | artemis-api standby, Prometheus, Grafana | 85.239.240.208 |

  • Hetzner — EU + US nodes. Cloud + dedicated.
  • Vultr — APAC + US-East nodes. Cloud.
  • Contabo — US Central VPS (Missouri) used for monitoring + Shards us-central.
  • OVH Kimsufi — North American dedicated storage boxes (atlas, hades).
  • Self-hosted at Tek’s home — a mini PC (tartarus) runs a standalone Garage cluster used only by the founder as a dogfood customer. It is not part of the shared Shards cluster and holds no other user’s data.

The internal control plane (artemis, argus, kata-db-replica) and the mesh-only automation infrastructure don’t appear in this table. They never handle user VPN traffic and never hold plaintext user content. Their topology is described in platform architecture overview.

This table reflects the live fleet. It is updated each time a node is added or retired. Refresh is triggered from the katafract-audit pipeline that inspects the real node registry on artemis, so drift between this page and reality shows up in the next commit.

We add nodes continuously. Treat the list as “what’s live right now,” not a ceiling. When a new region comes online it will appear here before it appears in the client app’s server list.

Pick any IP above and run:

whois <ip> | grep -iE 'orgname|netname|country'
mtr -r -c 5 <ip>

The whois result should identify one of the providers listed. The mtr result should terminate at the IP, not a CDN edge.
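
The check above, scripted so it can be repeated for every row of the tables, as an added example that is not Katafract's own tooling. The function names, the `-n` flag on mtr (numeric hops, so the last hop can be compared with the published IP) and the sample outputs (constructed, using documentation address ranges) are assumptions.

```shell
#!/bin/sh
# Added example: script the whois + mtr check from this page.
# Sample outputs are constructed (documentation IP ranges), not real lookups.

# Succeeds if the whois fields the page greps for mention the provider.
whois_names_provider() {   # $1 = whois output, $2 = provider name
  printf '%s\n' "$1" | grep -iE 'orgname|netname|country' | grep -iqF -- "$2"
}

# Prints the last hop of an `mtr -r -n` report (empty if no hop lines).
mtr_last_hop() {           # $1 = mtr report text
  printf '%s\n' "$1" | awk '/^ *[0-9]+\.[|]--/ { hop = $2 } END { print hop }'
}

# Succeeds only if the path terminates at the published IP itself.
mtr_terminates_at() {      # $1 = mtr report text, $2 = published IP
  [ "$(mtr_last_hop "$1")" = "$2" ]
}

# Live check for one table row; needs whois, mtr and network access.
check_node() {             # $1 = IP from the table, $2 = provider from the table
  whois_names_provider "$(whois "$1")" "$2" || { echo "$1: whois does not name $2"; return 1; }
  mtr_terminates_at "$(mtr -r -n -c 5 "$1")" "$1" || { echo "$1: path does not end at IP"; return 1; }
  echo "$1: OK ($2)"
}

# --- constructed sample data ---
SAMPLE_WHOIS='inetnum:        203.0.113.0 - 203.0.113.255
netname:        HETZNER-EXAMPLE
country:        DE
remarks:        constructed record for illustration'

SAMPLE_MTR_OK='HOST: laptop            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1         0.0%     5    0.5   0.6   0.5   0.8   0.1
  2.|-- 198.51.100.7      0.0%     5    9.8  10.1   9.8  10.6   0.3
  3.|-- 203.0.113.10      0.0%     5   21.4  21.6  21.3  22.0   0.3'

# Same path, but the trace ends at a different address than the published one.
SAMPLE_MTR_EDGE='HOST: laptop            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1         0.0%     5    0.5   0.6   0.5   0.8   0.1
  2.|-- 198.51.100.7      0.0%     5    9.8  10.1   9.8  10.6   0.3'

whois_names_provider "$SAMPLE_WHOIS" "Hetzner" && echo "whois sample: provider matches"
mtr_terminates_at "$SAMPLE_MTR_OK" "203.0.113.10" && echo "mtr sample: ends at published IP"
mtr_terminates_at "$SAMPLE_MTR_EDGE" "203.0.113.10" || echo "mtr edge sample: mismatch flagged"
```

For a live run, call `check_node` with an IP and the provider name from the same table row.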

  • Logs policy — what is and isn’t captured on these nodes
  • Retention — how long anything that is captured lives
  • Threat model — what this fleet is designed to defeat