VPN

WireGuard-based VPN for secure network access with split tunnelling, exit nodes, and mesh networking.

How VPN Works

OnePAM VPN provides a WireGuard-based encrypted tunnel between user devices and your infrastructure. It integrates with the same identity, policy, and audit controls as the rest of the platform. VPN is available on the Team plan and above.

Adding a Peer

Navigate to VPN and click Add Peer.

  1. Device name — a label for the peer (e.g. "Work Laptop").
  2. Platform — macOS, Windows, Linux, iOS, or Android.
  3. Allowed IPs (optional) — restrict the CIDRs this peer can route to. Requires the split-tunnel entitlement.
  4. Expiry — set an optional expiration (1 hour to 1 year, or never).

After creation, the private key and WireGuard config are shown once. Copy or download the .conf file immediately.
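
One way to check a downloaded .conf before importing it, as an added example that is not OnePAM's own tooling. It assumes the file uses the standard wg-quick layout ([Interface] and [Peer] sections with an AllowedIPs key); the sample config, placeholder keys, addresses and function names are constructed for illustration.

```python
import ipaddress
import os
import stat

# Constructed sample in standard wg-quick layout; keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <PRIVATE_KEY_PLACEHOLDER>
Address = 100.64.0.7/32
DNS = 10.0.0.53

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.0.0.0/16, 192.168.50.0/24
Endpoint = vpn.example.com:51820
"""

def parse_allowed_ips(conf_text):
    """Collect every AllowedIPs network from all [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def audit_routes(conf_text, expected_cidrs):
    """Return findings: full-tunnel routes and routes outside the expected CIDRs."""
    expected = [ipaddress.ip_network(c) for c in expected_cidrs]
    findings = []
    for net in parse_allowed_ips(conf_text):
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 sends all traffic into the tunnel
            findings.append(f"full-tunnel route {net}")
        elif not any(net.version == e.version and net.subnet_of(e) for e in expected):
            findings.append(f"route {net} outside expected CIDRs")
    return findings

def key_file_too_open(path):
    """True if group or others have any permission on the .conf (POSIX only)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

Pass the CIDRs the peer is meant to reach as expected_cidrs; any finding means the config routes more than intended, and key_file_too_open flags a .conf whose private key is readable by other local users.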

Managing Peers

The My Peers tab shows your registered devices. From here you can:

  • Download config — re-download the WireGuard configuration file.
  • Delete — permanently remove the peer and revoke access.

Administrators see an additional All Peers tab showing every peer in the organisation with columns for device name, user, IP address, platform, status, traffic, and creation date.

Exit Nodes (Business+)

Exit nodes allow VPN traffic to break out to the internet through a specific endpoint in your infrastructure. This is useful for geo-restricted access or routing traffic through a trusted network perimeter.

Enable an endpoint as an exit node from the endpoint settings, then select it as the active exit node under VPN → Exit Nodes.

DNS Forwarding (Business+)

Custom DNS forwarding rules let VPN peers resolve internal hostnames through your private DNS servers. Configure rules under VPN → DNS Forwarding.

Mesh Networks (Business+)

Mesh networking connects VPN peers directly to each other, enabling peer-to-peer communication without routing through a central gateway. View configured mesh networks under VPN → Mesh Networks.

VPN Access Policies

VPN access is governed by access policies with the VPN Access scope. See Access Policies for details on configuring allowed/denied CIDRs, max peers, platform restrictions, and exit-node/split-tunnel controls.