V2Run· vault for VPN configs

Local encrypted vault for VPN config strings

Stop losing your vless URLs
in screenshots.

V2Run is a password-manager-style app for the configuration strings you use with the VPN client of your choice. Paste a vless://, vmess://, trojan://, ss://, a WireGuard .conf or an OpenVPN .ovpn — V2Run validates the syntax, encrypts the sensitive parts with AES-256-GCM under a key generated inside the Secure Enclave, and locks the lot behind Face ID, Touch ID, or your device passcode.

Get on the App Store What it does

What it does

A vault, not a tunnel.

Paste & parse

Six protocol formats

V2Run parses vless, vmess, trojan, shadowsocks, WireGuard wg-quick, and OpenVPN .ovpn. Bad ports, missing UUIDs, and malformed addresses are rejected before they reach storage.

Encrypt at rest

AES-256-GCM + Secure Enclave

The master key is generated and held inside the Secure Enclave. Sensitive fields (UUIDs, private keys, passwords) live as ciphertext blobs and only decrypt at the moment of reveal.

Biometric reveal

Face ID, Touch ID, or passcode

Reveal, copy, share, and export all gate on a fresh LAContext prompt. Auto-lock options: immediately, 1 min, 5 min, 15 min, or never. A Lock now button is one tap deep in Settings.

Organise

Folders, tags, notes, stars

Group configs into colour- and icon-customised folders. Tag and note them freely. Search across labels, hosts, tags, and notes. Sort by recency, name, last-used, protocol, or starred-first.

Share

Clipboard, QR, or system share sheet

Generate a Core Image QR of any saved config on demand. Or copy to clipboard. Or hand off to another app through the iOS share sheet. Sensitive fields stay sealed until biometric unlock.

Six on-device tools

Tools tab — Password gen, UUID, Diceware, Base64, hashing, Cipher Crack

A password generator with entropy meter. A UUID v4 generator with three formats and a history strip. A Diceware passphrase generator. A Base64 codec. A SHA-256/512/1 hash calculator. And a small Mastermind-style puzzle for the slow minutes.

How it works

On-device only.

  1. Paste. A config URL or a WireGuard / OpenVPN text block.
  2. Parse. Host, port, transport, fingerprint, sensitive-field keys are extracted; bad inputs are rejected before save.
  3. Encrypt. Sensitive fields and the raw string are sealed with AES-256-GCM. The master key never leaves Keychain (Secure Enclave-bound, .biometryCurrentSet).
  4. Reveal. Face ID prompt every time you reveal, copy, or share. There is no "remember me" timer for sensitive fields.
  5. Erase. Settings → Erase all data wipes every config, every folder, and the master key. After that, any remaining ciphertext is cryptographically unrecoverable.

Privacy

Nothing leaves your device.

V2Run has no cloud backend, no analytics, no third-party trackers, no ad SDKs, no NetworkExtension, no NEVPNManager. The app does not register a VPN profile and does not route traffic. The only outgoing request the app ever makes is during launch — for one tiny JSON config used to decide whether to show the in-app helpline page, and even that traffic never carries identity beyond a per-device anonymous UUID.

The full policy is in /policies/privacy. Questions? Use the contact form.