VPN Setup for Teams

WireGuard for performance and simplicity — kernel-level implementation with minimal overhead and modern cryptography. OpenVPN when you need compatibility with legacy systems or TCP transport for restrictive networks. The VPN server runs in your cloud VPC with a dedicated subnet. Multiple gateway servers across regions provide low-latency access for distributed teams. Failover between gateways is automatic.

Users authenticate via SSO (OIDC, SAML) — no separate VPN credentials to manage. Each user gets a unique keypair with device-level certificates. User provisioning and deprovisioning syncs with your identity provider — offboard someone from Okta/Google Workspace, their VPN access revokes automatically. Admin dashboard shows active connections, bandwidth usage, and connection history.

Split tunneling routes only internal traffic through the VPN — internet browsing goes direct. This reduces VPN server load, improves user experience (no latency penalty for non-work traffic), and avoids bandwidth bottlenecks. Routing rules define which CIDR ranges go through the tunnel. DNS queries for internal domains resolve through the VPN; everything else uses the user's local resolver.

Connection logs track who connected, when, and from where — exportable for compliance audits. Bandwidth monitoring per user catches unusual patterns. Alerting fires on failed authentication attempts and connections from unexpected geolocations. VPN server health checks ensure the gateway is reachable. You get secure remote access with full audit trail.