Documentation Index
Fetch the complete documentation index at: https://docs.velatir.com/llms.txt
Use this file to discover all available pages before exploring further.
Overview
The Velatir desktop client is designed to coexist with corporate VPNs. It supports the common configurations that organisations use to route work traffic: split-tunnel VPNs, full-tunnel VPNs, and zero-trust agents. The mechanism differs between operating systems and the behaviour is documented in detail below.macOS
On macOS, the desktop client uses Apple’sNETransparentProxyProvider system extension. This is the supported integration point for transparent proxies and it composes cleanly with VPN-style network extensions.
| VPN configuration | Behaviour |
|---|---|
| No VPN | Velatir intercepts and inspects AI traffic. All other traffic passes through unchanged. |
| Split-tunnel VPN (only specific routes via the tunnel) | Velatir intercepts AI traffic regardless of which route it takes. VPN-routed traffic to corporate resources continues to use the VPN. |
| Full-tunnel VPN (all traffic via the tunnel) | Velatir intercepts AI traffic and forwards it to the upstream over the VPN tunnel. Corporate-only AI resources remain reachable. |
Windows
On Windows, the desktop client uses a Wintun virtual adapter for traffic capture and binds its upstream connections to the most appropriate network interface on the device. The desktop client detects whether a VPN adapter is active at start time and adjusts its upstream binding accordingly.| VPN configuration | Velatir upstream binding | Behaviour |
|---|---|---|
| No VPN | Primary physical network interface | Velatir intercepts AI traffic. All other traffic passes through unchanged. |
| Split-tunnel VPN | Primary physical network interface | Velatir intercepts AI traffic. Connections to corporate-only AI resources route via the VPN automatically when those routes are more specific than the default. |
| Full-tunnel VPN | VPN adapter | Velatir intercepts AI traffic and forwards it over the VPN tunnel. Corporate-only AI resources remain reachable. |
Known Limitation: VPN State at Start Time
The desktop client captures the VPN state when the host process starts. If the VPN later connects or disconnects, Velatir does not automatically rebind to the new network configuration. Dynamic rebinding will land in a future release. Workaround. Restart the desktop client after a VPN state change:Why UDP 443 is Blocked
To keep AI traffic observable, Velatir’s firewall configuration blocks outbound UDP on port 443. This forces clients to use HTTPS over TCP rather than HTTP/3 (QUIC). VPN traffic typically does not use UDP 443 for HTTPS, so this rule has no practical impact on VPN connectivity itself. If you operate a VPN protocol that genuinely depends on outbound UDP 443 (uncommon), please contact support so we can scope an exemption.Zero-Trust Agents and Cloud Proxies
Velatir is compatible with userspace zero-trust agents that operate at the application layer (browser plugin, OS-level agent that injects a system proxy, or similar). Such agents typically intercept traffic in a way that is orthogonal to the desktop client’s interception layer. If your zero-trust solution intercepts traffic at the same kernel layer as Velatir (for example, by installing a competing Wintun adapter or a competing network system extension on macOS), the two may conflict. Contact support before deploying alongside such a tool.Verifying the Configuration
After install, run:Next Steps
Troubleshooting
Resolve binding and interception issues.
CLI reference
The
restart, status, and logs commands in detail.Permissions
The Wintun adapter and macOS system extension explained.
Enterprise deployment
Roll out alongside corporate VPNs at scale.