PHP Backend Developer – VPN (Laravel)

About DeepLock

DeepLock is Quanta Tech’s business-grade VPN platform. Think: zero-drama privacy, enterprise controls, multi-region uptime, and clean UX across mobile/desktop. We’re scaling fast and need a Backend Developer (Laravel) with commercial VPN experience to own the control plane and infrastructure automation for a global VPN network.

What You’ll Do

• Own the control plane (PHP 8.2): Design and build APIs/services (Laravel or Symfony) for auth, device keys, sessions, policy, routing, usage, and billing.
• Provision and orchestrate servers: Automate multi-region WireGuard/OpenVPN/IPsec nodes (Ansible/Terraform + cloud APIs: AWS/DO/Hetzner/OVH). Golden images, immutability, blue-green rollouts.
• Config + key lifecycle: Generate per-device configs, rotate keys, revoke access, enforce device limits, and implement mTLS where needed.
• Enterprise features: SSO (SAML/OIDC: Okta, Azure AD, Google), team/org management, RBAC, audit logs, per-group policies, split-tunnel controls, DNS/DoH policies.
• Networking & security: Linux networking (netfilter/iptables or nftables), routing/NAT, DNS, TLS lifecycle (ACME), hardening, zero-logs policy with privacy-safe metrics.
• Observability & ops: Health checks, synthetic probes, structured logs, metrics/alerts (Prometheus/Grafana or equivalent), incident runbooks.
• Billing & entitlements: Stripe (and later B2B invoicing), plan management, seats/devices, trials, refunds, webhooks, ledgers.
• DDoS & reliability: Work with infra to add shields (provider-level filtering, anycast/BGP partners or Cloudflare Spectrum), fast failover, rate limits/abuse controls.
• CI/CD: Bitbucket Pipelines (or GitHub Actions), testing, static analysis, zero-downtime deploys, secrets management.
• Compliance-ready: Help us be SOC2/ISO-friendly (access controls, least privilege, change management, evidence trails).

Must-have Experience

• PHP 8.x with Laravel (or Symfony) at production scale; queues (Redis/SQS), caching, events.
• Linux networking fundamentals: routing, NAT, DNS, TLS, firewalling.
• Hands-on with WireGuard (preferred) and/or OpenVPN/strongSwan in production.
• Commercial experience building VPNs for restricted countries.
• Infrastructure as Code (Terraform) + config management (Ansible) + cloud APIs.
• RDBMS (PostgreSQL/MySQL), migrations, query tuning; Redis for sessions/queues.
• Nginx + PHP-FPM performance, rate limiting, secure headers.
• Security mindset: secrets, key rotation, least-privilege IAM, dependency hygiene.
• Solid testing discipline (feature + integration + load testing).

Nice to Have

• RADIUS/FreeRADIUS, policy enforcement via attributes.
• Multi-tenant org model, RBAC, audit/event sourcing (e.g., Kafka/NATS optional).
• ClickHouse/ELK for high-volume logs; Prometheus exporters.
• Mobile/Desktop client integration basics (Apple NE, Android VpnService) for backend compatibility.
• DDoS mitigation experience; anycast/BGP or provider-side scrubbing.
• Go/Rust familiarity to interface with high-performance daemons (not required, PHP is your core).

Role Details

• Level: Mid-level (per team review).
• Location: Remote (Ukraine/Russian-speaking preferred).
• Type: Contractor (potential full-time).