Secure Network Access

Secure network-level access powered by WireGuard, built into the gateway. Policy-driven access controls enforce who can connect, from which platforms, and to which networks. Native client support for desktop and mobile with automatic peer expiration and dynamic policy re-evaluation.

WireGuard-powered network access with native client support on all platforms
Per-user encrypted tunnels with individual key management
Network access policies — allow or deny connections by user, team, IP, and platform
CIDR-based route restrictions — control which networks peers can reach
Dynamic policy re-evaluation — peer access updated instantly when policies change
Split tunneling with policy enforcement — exit node routing controlled by policy
Per-user peer limits enforced by plan and policy (most restrictive wins)
Custom DNS configuration per tunnel for internal name resolution
CGNAT IP allocation — no conflicts with existing network ranges
Full audit trail — policy denials, peer revocations, and restriction changes logged
Automatic peer expiration with policy-driven session duration limits
One-click config download for WireGuard native clients

WireGuard Tunnel Flow

Diagram: Secure Network Access • Policy-Driven Access

User Authenticated [Verified]
john@acme.com via Okta SSO • MFA verified

Network Access Policy Evaluated [Allowed]
3 policies matched • platform: linux ✓ • peer limit: 2/3
AllowedCIDRs: 10.0.0.0/8 • ExitNode: denied • MaxSession: 8h

Network Peer Created [Allocated]
WireGuard key pair generated • Peer: john-laptop
PubKey: kG3x...9mE= • IP: 100.64.0.3

WireGuard Client to PumaGate Gateway, encrypted [Active]
UDP :51820 • ChaCha20-Poly1305 • Noise IK handshake • 1ms latency

Policy-Enforced Routes
Routes filtered by network access policy CIDR restrictions
✓ 10.0.0.0/8 → Allowed by policy
✓ 10.2.0.0/16 → Contained in allowed
✗ 0.0.0.0/0 → Exit node denied by policy
✗ 172.16.0.0/12 → Not in allowed CIDRs
Policy changes trigger automatic re-evaluation of all active peers

Native WireGuard Clients
macOS, Windows, Linux, iOS, Android

Access Policy Engine
User, team, IP, platform, CIDR rules

Team: 2 peers • Business: 5 peers + policies + split tunnel • Enterprise: unlimited
Auto key rotation • CGNAT IP allocation • Full audit trail • Dynamic revocation
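The route filtering shown in the diagram, as an added example (not PumaGate's own code): a requested route is kept only if it lies entirely inside an allowed CIDR, and a default route counts as an exit-node request. The CIDRs are the diagram's; the function names and the evaluation order are assumptions.

```python
import ipaddress

# Values taken from the diagram; function and variable names are hypothetical.
ALLOWED_CIDRS = ["10.0.0.0/8"]
EXIT_NODE_ALLOWED = False
REQUESTED = ["10.0.0.0/8", "10.2.0.0/16", "0.0.0.0/0", "172.16.0.0/12"]


def evaluate_route(route, allowed_cidrs, exit_node_allowed):
    """Return (permitted, reason) for one requested route."""
    # strict=True rejects entries with host bits set, e.g. 10.2.0.1/16
    net = ipaddress.ip_network(route, strict=True)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is a default (exit node) route
        if exit_node_allowed:
            return True, "exit node allowed by policy"
        return False, "exit node denied by policy"
    for cidr in allowed_cidrs:
        allowed = ipaddress.ip_network(cidr, strict=True)
        # subnet_of() raises TypeError across IP versions, so compare versions first
        if net.version == allowed.version and net.subnet_of(allowed):
            if net == allowed:
                return True, "allowed by policy"
            return True, "contained in allowed"
    # Covers unrelated ranges and supernets that only partly overlap an allowed CIDR
    return False, "not in allowed CIDRs"


def filter_routes(requested, allowed_cidrs, exit_node_allowed):
    """Split requested routes into those pushed to the peer and those logged as denials."""
    permitted, denied = [], []
    for route in requested:
        ok, reason = evaluate_route(route, allowed_cidrs, exit_node_allowed)
        (permitted if ok else denied).append((route, reason))
    return permitted, denied


if __name__ == "__main__":
    permitted, denied = filter_routes(REQUESTED, ALLOWED_CIDRS, EXIT_NODE_ALLOWED)
    for route, reason in permitted:
        print(f"ALLOW {route}: {reason}")
    for route, reason in denied:
        print(f"DENY  {route}: {reason}")
```

The containment test is the part to review in any such policy engine: a route wider than the allowed CIDR must be denied outright, not trimmed or accepted on overlap.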

How It Works

1. Connect Identity Provider

Integrate with Okta, Azure AD, Google Workspace, or any SAML/OIDC provider in minutes.

2. Add Resources

Register your servers, databases, and web apps. Define role-based access policies.

3. Secure Access

Users access resources through the browser with identity verification, session recording, and audit logs.

Ready for Secure Network Access?

Deploy in minutes. No legacy VPN required. No credit card required.