VPN Access

When you need network-level access, OnePAM includes a WireGuard VPN with policy-driven controls — who connects, to which networks, and for how long.

Policy-Driven Network Access

WireGuard-powered VPN with native client support on all platforms
Per-user encrypted tunnels with individual key management
Network access policies — allow or deny connections by user, team, IP, and platform
CIDR-based route restrictions — control which networks peers can reach
Dynamic policy re-evaluation — peer access updated instantly when policies change
Split tunneling with policy enforcement — exit node routing controlled by policy
Per-user peer limits enforced by plan and policy (most restrictive wins)
Custom DNS configuration per tunnel for internal name resolution
CGNAT IP allocation — no conflicts with existing network ranges
Full audit trail — policy denials, peer revocations, and restriction changes logged
Automatic peer expiration with policy-driven session duration limits
One-click config download for WireGuard native clients

WireGuard Tunnel Flow

Policy-driven access, as shown in the tunnel flow diagram:

1. User authenticated: john@acme.com via Okta SSO, MFA verified. Status: Verified.
2. VPN access policy evaluated: 3 policies matched; platform: linux ✓; peer limit: 2/3; AllowedCIDRs: 10.0.0.0/8; ExitNode: denied; MaxSession: 8h. Status: Allowed.
3. Network peer created: WireGuard key pair generated; Peer: john-laptop; PubKey: kG3x...9mE=; IP: 100.64.0.3. Status: Allocated.
4. Encrypted tunnel: WireGuard client to OnePAM Gateway on UDP :51820; ChaCha20-Poly1305; Noise IK handshake; 1ms latency. Status: Active.
5. Policy-enforced routes, filtered by the VPN access policy's CIDR restrictions:
   ✓ 10.0.0.0/8 → Allowed by policy
   ✓ 10.2.0.0/16 → Contained in an allowed CIDR
   ✗ 0.0.0.0/0 → Exit node denied by policy
   ✗ 172.16.0.0/12 → Not in allowed CIDRs
   ↻ Policy changes trigger automatic re-evaluation of all active peers.

Native WireGuard Clients: macOS, Windows, Linux, iOS, Android
Access Policy Engine: user, team, IP, platform, and CIDR rules
Plans: Team: 2 peers • Business: 5 peers + policies + split tunnel • Enterprise: unlimited
Auto key rotation • CGNAT IP allocation • Full audit trail • Dynamic revocation
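The route filtering and peer-limit logic from the diagram, written out as an added example (not OnePAM's own code): a requested route is kept only if it is contained in an allowed CIDR, the default route is governed solely by the exit-node flag, and the plan and policy peer limits combine with the most restrictive winning. The VpnPolicy shape and function names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnPolicy:
    """Constructed policy shape for this example; not OnePAM's real schema."""
    allowed_cidrs: list      # e.g. ["10.0.0.0/8"]
    exit_node: bool          # may the peer route 0.0.0.0/0 or ::/0 through the gateway?
    plan_peer_limit: int     # limit imposed by the subscription plan
    policy_peer_limit: int   # limit imposed by the access policy


def effective_peer_limit(policy: VpnPolicy) -> int:
    """Plan and policy limits both apply; the most restrictive one wins."""
    return min(policy.plan_peer_limit, policy.policy_peer_limit)


def filter_routes(requested: list, policy: VpnPolicy) -> list:
    """Return (route, allowed, reason) for each requested route.

    A route is allowed only if it is a subnet of (or equal to) an allowed
    CIDR of the same IP version. A zero-length prefix is the exit-node case
    and is decided by the exit_node flag alone, never by CIDR containment.
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in policy.allowed_cidrs]
    verdicts = []
    for route in requested:
        net = ipaddress.ip_network(route, strict=False)
        if net.prefixlen == 0:
            ok = policy.exit_node
            reason = "exit node " + ("allowed" if ok else "denied") + " by policy"
        else:
            containing = [a for a in allowed
                          if a.version == net.version and net.subnet_of(a)]
            ok = bool(containing)
            reason = f"contained in {containing[0]}" if ok else "not in allowed CIDRs"
        verdicts.append((str(net), ok, reason))
    return verdicts


def reevaluate_peer(active_routes: list, active_peers: int, policy: VpnPolicy) -> dict:
    """Re-run the policy against an existing peer after a policy change.

    Routes that no longer pass are withdrawn; the peer itself is revoked when
    the user now exceeds the effective peer limit.
    """
    verdicts = filter_routes(active_routes, policy)
    return {
        "routes": [r for r, ok, _ in verdicts if ok],
        "revoked_routes": [r for r, ok, _ in verdicts if not ok],
        "revoke_peer": active_peers > effective_peer_limit(policy),
    }
```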

Three Steps to Secure Access

1. Sign Up With SSO

Connect your identity provider — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider. Your team logs in with existing credentials.

2. Add Your Resources

Register servers, databases, Kubernetes clusters, and web apps. Define who can access what with role-based policies.

3. Access Securely

Your team accesses resources through the browser — identity-verified, session-recorded, and audit-logged. No VPN, no exposed ports.

Try VPN Access — Free for 14 Days

From signup to your first secure session in under 5 minutes. No infrastructure changes, no credit card, no sales call.