Documentation
Replacing an enterprise VPN with a Zero Trust mesh
The classic enterprise VPN concentrates all traffic on a central gateway and, once connected, grants broad access to the network. A Zero Trust mesh inverts the model: every machine has an identity, every stream is explicitly authorized, and exchanges go direct, without a concentrator.
The limits of the classic enterprise VPN
- Star-shaped architecture: the concentrator is a bottleneck and a point of failure.
- Overly broad access: once the tunnel is up, the user often reaches far more than necessary.
- Systematic detour: traffic climbs to the gateway even when two machines could talk directly.
VIGIL's Zero Trust mesh model
- Identity-based access: each machine has a unique Ed25519 identity, verified against a network map (netmap) signed by the controller.
- Ordered ACLs: who talks to what is defined explicitly, in signed generations, verifiable offline by the client.
- Direct paths without a concentrator: traffic takes the best path, the infrastructure only relays without reading.
- MagicDNS: internal names are resolved locally, no DNS query leaves the machine.
Security and governance
- Hash-chained audit, per organization: every console action is attributed and exportable.
- Mandatory MFA on destructive actions and re-authentication on critical operations.
- Multi-tenant: the workspace is the tenant, with separate roles (operator, network administrator, read-only auditor).
- Immediate revocation: removing a machine from the netmap cuts it off instantly.
Classic VPN versus Zero Trust mesh
| Criterion | Classic enterprise VPN | VIGIL Zero Trust mesh |
|---|---|---|
| Topology | Star (concentrator) | Mesh, direct paths |
| Access model | Broad once connected | By identity and ACL |
| Central point of failure | Yes (the gateway) | No |
| Inbound port at the site | Often required | None on the node side |
| Audit and MFA | Depends on the solution | Built in |
To position VIGIL against Tailscale, ZeroTier and NetBird, see /en/docs/comparatif.