Quartz is a ZTNA platform with a pure QUIC data plane, hybrid ML-KEM + ML-DSA cryptography, and a controller that stays out of the data path. Self-hosted, open source, and honest about where each component is on the road to general availability.
Most "ZTNA" vendors repackaged VPN concentrators with a policy dashboard. Quartz starts from a different architecture — one where transport, cryptography, and trust boundaries are all first-class.
All traffic rides QUIC — the IETF-standardized protocol that powers HTTP/3. No TCP fallback, no TLS-over-TCP legacy. Independent streams, 0-RTT resumption, native connection migration.
Hybrid ML-KEM-768 + X25519 for key exchange. ML-DSA-65 + Ed25519 for signatures. Both the classical and the post-quantum algorithm must be broken for a connection to be compromised.
The control plane authenticates, authorizes, coordinates. It never terminates QUIC streams. It never decrypts user data. If the controller is compromised, the attacker gains metadata — not your traffic.
Authenticate, discover, connect, hybrid-handshake, verify continuously. First connection costs one round trip; subsequent resumes can be zero.
Timings are representative on local LAN; WAN varies with RTT and NAT.
These are transport-level capabilities, not lab numbers. They are true by virtue of the protocol choice — QUIC for Quartz, TCP for traditional VPNs, a UDP datagram overlay for WireGuard. Numbers depend on your network; properties do not.
| Capability | TCP VPN | WireGuard | Quartz (QUIC) |
|---|---|---|---|
| Connection setup (new) | 2–3 RTT | 1 RTT | 1 RTT |
| Connection setup (resumed) | 2–3 RTT | 1 RTT | 0 RTT * |
| Connection migration (IP change) | ✗ breaks | ✗ breaks | ✓ survives |
| Stream multiplexing | ✗ HoL blocking | — n/a (L3) | ✓ independent streams |
| Post-quantum key exchange | — none | — none | ✓ ML-KEM-768 hybrid |
| Post-quantum signatures | — none | — none | ✓ ML-DSA-65 hybrid |
| Userspace (no kernel modules) | partial | optional | ✓ native |
* 0-RTT resumption carries replay risk and is off by default in Quartz v0.9. Enable only for idempotent workloads after reviewing RFC 9001 §9.2.
Every claim on this page is verifiable in the source tree. The cryptographic stack assumes a quantum attacker. The implementation assumes unsafe code is a bug class. An internal audit in April 2026 remediated 54 findings across five commits — the commit history is public.
Every Quartz connection combines classical and post-quantum primitives via HKDF with domain separation and a transcript-bound label. Both must break — independently — to compromise a session.
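The combiner described above, as an added illustration that is not Quartz's own code: both shared secrets enter HKDF as one length-prefixed input, the label provides domain separation, and a hash of the handshake transcript is mixed into the expand step so the key is bound to this exact exchange. The label string, the transcript format and the 32-byte secret lengths are assumptions; the shared secrets are constructed stand-ins, not real X25519 or ML-KEM outputs.

```python
import hashlib
import hmac

HASH = hashlib.sha256
# Assumed label: the page says the label is domain-separated and transcript-bound
# but gives no literal string, so this one is constructed for the example.
LABEL = b"quartz-hybrid-v1"

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA-256."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def combine_hybrid_secret(ss_x25519: bytes, ss_mlkem: bytes,
                          transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from both shared secrets.
    Both secrets enter HKDF as one length-prefixed IKM, so recovering the key
    requires breaking X25519 and ML-KEM-768 both. The label gives domain
    separation; the transcript hash binds the key to this handshake."""
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("unexpected shared-secret length")
    ikm = (len(ss_x25519).to_bytes(2, "big") + ss_x25519
           + len(ss_mlkem).to_bytes(2, "big") + ss_mlkem)
    prk = hkdf_extract(LABEL, ikm)
    return hkdf_expand(prk, LABEL + b"|session|" + HASH(transcript).digest(), length)

def demo() -> dict:
    """Constructed inputs: changing either secret or the transcript gives a new key."""
    x = bytes(range(32))                        # stand-in X25519 shared secret
    k = bytes(reversed(range(32)))              # stand-in ML-KEM-768 shared secret
    t = b"agent|controller|ct=<constructed>"    # stand-in handshake transcript
    key = combine_hybrid_secret(x, k, t)
    return {
        "key": key,
        "depends_on_x25519": combine_hybrid_secret(bytes(32), k, t) != key,
        "depends_on_mlkem": combine_hybrid_secret(x, bytes(32), t) != key,
        "bound_to_transcript": combine_hybrid_secret(x, k, t + b"!") != key,
    }
```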
Agents report device posture to the control plane, which evaluates it against policy. Posture signals include disk encryption, firewall state, OS patch level, and platform attestation where available.
Platform attestation depth varies by OS. The Linux agent is functional; macOS/Windows attestation is in progress (M3).
Policies are Ed25519-signed by the controller and verified by the agent before enforcement. Evaluation is first-match-wins. When no policy matches, the result is deny, not abstain.
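An added example, not Quartz's own policy engine, of the evaluation order the two paragraphs above describe: an ordered rule list is walked first-match-wins, posture signals (disk encryption, firewall, patch level, attestation) are part of an allow rule's match conditions, and no match resolves to deny. The rule and posture shapes, the sample policy and the group names are constructed; the Ed25519 signature check that precedes evaluation is assumed to have already passed and is not shown.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Posture:
    disk_encrypted: bool
    firewall_on: bool
    patch_age_days: int
    attested: bool   # platform attestation; False where the OS cannot provide it

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset        # matches if the user is in any of these groups
    resources: frozenset     # matches if the requested resource is listed
    action: str              # "allow" or "deny"
    need_disk_encryption: bool = False
    need_firewall: bool = False
    need_attestation: bool = False
    max_patch_age_days: Optional[int] = None

def posture_satisfies(rule: Rule, p: Posture) -> bool:
    """Every posture requirement an allow rule carries must hold."""
    if rule.need_disk_encryption and not p.disk_encrypted:
        return False
    if rule.need_firewall and not p.firewall_on:
        return False
    if rule.need_attestation and not p.attested:
        return False
    return rule.max_patch_age_days is None or p.patch_age_days <= rule.max_patch_age_days

def evaluate(rules: list, user_groups: set, resource: str, posture: Posture) -> tuple:
    """First-match-wins over an ordered, already signature-verified rule list.
    An allow rule matches only if identity, resource and posture all hold, so a
    failed posture check falls through; no match resolves to deny, not abstain."""
    for rule in rules:
        if resource not in rule.resources or not (user_groups & rule.groups):
            continue
        if rule.action == "allow" and not posture_satisfies(rule, posture):
            continue
        return rule.action, rule.name
    return "deny", "default"

# Constructed sample policy: an explicit deny is listed ahead of a broader allow.
POLICY = [
    Rule("block-contractors-prod", frozenset({"contractors"}), frozenset({"prod-db"}), "deny"),
    Rule("sre-prod", frozenset({"sre"}), frozenset({"prod-db"}), "allow",
         need_firewall=True, need_attestation=True),
    Rule("eng-git", frozenset({"engineering"}), frozenset({"git"}), "allow",
         need_disk_encryption=True, max_patch_age_days=30),
]
```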
The workspace forbids unsafe_code via a workspace-level lint. Secrets are zeroed on drop. Token comparisons run in constant time. Every .unwrap() on untrusted input is flagged as a build error.
Tailscale and Netbird are mature, excellent products. If you need a mesh VPN today and post-quantum isn't a requirement, use them. Quartz is for teams who specifically need QUIC-native transport, hybrid PQC shipped today, and auditable self-hosted infrastructure.
| Aspect | Tailscale | Netbird | Cloudflare WARP | Quartz |
|---|---|---|---|---|
| Transport | WireGuard · L3 | WireGuard · L3 | WireGuard / MASQUE | QUIC · L4 |
| Post-quantum crypto | — none shipped | — none shipped | — none shipped | ✓ hybrid, shipped |
| Open source | client only | ✓ yes | ✗ no | ✓ MIT / Apache-2.0 |
| Controller in data path | DERP sees metadata | relay sees metadata | cloud-hosted | ✓ out of path |
| Self-hosted | Headscale (community) | ✓ yes | ✗ no | ✓ first-class |
| Connection migration | via DERP | via relay | yes | ✓ native QUIC |
| Stream multiplexing | — no | — no | — no | ✓ yes |
| Ecosystem maturity | ★★★★★ | ★★★★ | ★★★★★ | ★★★ growing |
| Mobile clients | all platforms | all platforms | all platforms | planned · Q1 2027 |
Quartz is at Milestones 1–3. Core networking, hybrid PQC cryptography, and policy enforcement are functional today. Multi-platform agents and managed cloud are on a dated roadmap — here is exactly what's where.
pqc_dilithium 0.2; fail-closed today.

Each subsystem is its own crate. The workspace forbids unsafe code. The dashboard is React 19 + TypeScript. The protocol definitions are five .proto files, versioned and stable.
Quartz is a deliberate choice, not a default. It's the right fit when post-quantum cryptography is insurance you need, when you audit your tools, and when you care about how packets actually move.
If your data must stay confidential for decades, post-quantum crypto isn't optional. It's insurance against harvest-now-decrypt-later collection.
The 2033 NSA CNSA 2.0 deadline is closer than it looks. Hybrid PQC deployments take years to validate and operationalise — Quartz is one of the few ZTNA options with PQ shipped today.
Self-hosted control plane, local policy enforcement with offline cache, auditable open-source code. Architecture that maps to compliance requirements — not a certification badge.
MIT / Apache-2.0. Full source available. No black-box binaries. Every claim on this page is verifiable in the code — and we tell you when one isn't yet.
If you understand why 0-RTT resumption, connection migration, and stream multiplexing matter, Quartz is built for you. It's a ZTNA that thinks in QUIC, not IPsec.
If you need all major platforms today with zero engineering overhead and PQC isn't on your list, use Tailscale or Cloudflare WARP. We'll say so plainly instead of selling you the wrong thing.
Quartz is self-hostable today. Managed cloud is on the roadmap (M4–M6). Clone the repo, bring up the stack, point your agent at it.
Docker Compose with controller, DERP relay, Prometheus, and Grafana. Multi-stage builds on Debian Bookworm slim, non-root containers, systemd hardening templates for bare-metal installs. SQLite by default; PostgreSQL migration path is M4.
```console
# clone & start the stack
$ git clone https://github.com/quartz-ztna/quartz.git
$ cd quartz
$ cp docker/.env.example docker/.env   # set GRAFANA_ADMIN_PASSWORD etc.
$ docker compose -f docker/docker-compose.yml up -d
✓ quartz-controller running :8443
✓ quartz-derp       running :3478/udp :443/tcp
✓ prometheus        running :9090
✓ grafana           running :3000

# configure & run your first agent (Linux)
$ cp config/agent.toml.example config/agent.toml
$ cargo run --bin quartz-agent -- --config config/agent.toml
INFO quartz_agent: identity loaded · 0o600 verified
INFO quartz_agent: auth → OIDC (Google Workspace) ok
INFO quartz_agent: handshake: ML-KEM-768 ⊕ X25519 ok
INFO quartz_agent: session opened · posture verified
INFO quartz_agent: SOCKS5 listening on 127.0.0.1:1080
```
No marketing dodges. If you need more, the docs go deeper and the source goes deeper still.
CAP_NET_ADMIN is required on Linux; the macOS package is scoped to run as a non-root service user (_quartz).

Classical crypto mode disables PQC algorithms. We don't recommend it for new deployments, but it exists for compatibility testing and for environments where PQ libraries are not yet permitted.

See SECURITY.md in the repo. Private reporting channel, 2-day acknowledgement, 30-day fix SLA for critical issues, 90-day coordinated disclosure window. We ran an internal audit in April 2026 and publicly remediated 54 findings across five commits — the history is on GitHub.

Clone the repo, bring up the stack, point your first agent at it. If Quartz isn't the right fit, we'll tell you where to look instead.