VIGIL MESH

Documentation

A remote-work VPN for small teams: simple, encrypted, no server to manage

A small business has the same remote-access needs as a large group — reaching the ERP, the NAS, the payroll software from home — without the means to match: no IT department, no VPN server, no hardware budget. VIGIL-MESH is built for exactly this case: every employee and every office machine joins a private workspace, encrypted end to end, administered from a web console. Nothing to install server-side at the office, no port to open on the router, and role-based access rules that only allow what is necessary.

The small-business remote-work problem

The need is always the same: an employee at home has to reach resources that live at the office. The ERP or management software installed on the company server, the NAS holding the client files, the printer-copier, sometimes the workstation itself to get back to a licensed line-of-business application. These resources are not — and must not be — reachable from the Internet: what is needed is a private path between home and office.

The traditional answer is the router VPN: you enable an IPsec or OpenVPN server on the office gateway, open a port on the company’s Internet connection, and each employee configures a client with a profile file. The model works, but it assumes skills and ongoing upkeep that most small organizations simply do not have in-house.

A server exposed to the Internet

The router VPN requires an inbound port permanently open on the office connection. That is an exposed door that must be monitored and kept up to date — an administrator’s job, with no administrator to do it.

An IP address you have to keep finding

For clients to find the office, you need a stable public address or a dynamic DNS service. A change of provider, a 4G/5G fallback line or a carrier-grade NAT is enough to break the access.

Shared profiles, never revoked

In practice, the configuration file gets passed around by e-mail and outlives departures. Knowing who still holds an access, and cutting it cleanly when an employee leaves, quickly becomes impossible.

All-or-nothing access

Once the tunnel is up, the employee usually sees the whole office network — the accounting NAS as much as the workshop camera — when their job only requires one or two resources.

The private-network approach: a workspace for the company

VIGIL-MESH turns the problem around. Instead of installing a VPN server at the office, every machine — the employee’s laptop at home, the ERP server, the NAS, the workshop PC — becomes a member of a workspace: the company’s private network, isolated from everyone else’s. Machines then reach each other directly, peer to peer, over end-to-end encrypted connections, with no office equipment acting as a gateway.

  • Nothing to install server-side: no VPN concentrator, no appliance, no router configuration. The client installs on the machines involved (Windows, Linux, Android), and that is all.
  • Zero open ports at the office: each node establishes a single outbound flow (443 UDP). No port forwarding on the router, no fixed IP address to subscribe to, no dynamic DNS to maintain.
  • Stable addresses and readable names: each machine gets an address that follows it everywhere and a short name via MagicDNS. The employee reaches “the ERP” or “the NAS” by name, as if they were at the office.
  • A connection that works on the first try: the session comes up immediately through a relay, then migrates seamlessly to the direct path between home and office as soon as it is available.
Classic router VPNVIGIL-MESH workspace
Server at the officeYes, to configure and maintainNone
Inbound port on the routerRequired, permanently exposedNone — a single outbound 443 UDP flow
Fixed IP addressOften necessaryNot needed
Access once connectedOften the whole networkOnly what the ACLs allow
Employee departureProfile to track down and invalidateImmediate revocation from the console
Skills requiredNetwork administrationA web console, no IT department

Role-based access, denied by default

Being a member of the network grants no rights by itself: anything not explicitly allowed is denied. Access rules (ACLs) are written in terms of roles, not addresses: you write “accounting reaches the ERP”, and the rule stays true when an employee joins or changes position, with no rewriting. For a small business, a handful of rules covers the whole organization.

SourceDestinationAction
group:managementnetwork:office (all services)Allow
group:accountingtag:erp, tag:nas (file sharing)Allow
group:salestag:erp (business application)Allow
group:workshoptag:nas (technical folders)Allow
(any source)(any destination)Deny by default

Rules are evaluated in order and the first match decides. Every change produces a new generation of the policy, signed by the controller and verified by each machine before it is applied — even offline. Nobody, not even a relay, can slip in a rule you did not write.

When an employee joins or leaves

The life cycle of an access follows the life cycle of the contract. On arrival, you enroll the employee’s machine; on departure, you revoke it. Both operations happen from the console, in a few clicks, without touching the office or the other machines.

  1. 1
    On arrival: enroll the machineInstall the client on the new employee’s computer, then authorize the machine in the workspace — with a single-use enrollment key, a short-lived invitation, or an approval queue where the administrator validates the request.
  2. 2
    Assign the rolePlace the machine in the group matching the position (accounting, sales, workshop…). The access rules written for the group apply immediately, with no new rule to write.
  3. 3
    On departure: revokeRevoke the machine from the console. Revocation is immediate: removed from the signed network map, the machine instantly loses all access — direct flows and relayed ones alike. No password to change, no VPN profile to chase down.

Troubleshooting a machine remotely, from a browser

Without an IT department, troubleshooting usually falls to the person “who knows computers” — who is not always on site. For this, the VIGIL-MESH console includes an SSH terminal that opens directly in the browser, to any online machine of the network: the browser itself becomes a mesh node, and the session is encrypted end to end all the way to the target machine. Windows Remote Desktop (RDP) follows the same model.

  • Nothing to install on the machine you help from: a browser and a signed-in account are enough, even from a machine that is not enrolled.
  • No open port on the machine being helped: its SSH server is only reachable through its private-network address, under ACL control.
  • No intermediary sees the credentials: the password is consumed by the SSH client in the browser and is only ever transmitted to the target machine, inside the encrypted session.

Security, explained to a non-technical owner

You do not need to be a network engineer to understand what protects the company. Four properties can be checked — and told — simply.

Encrypted end to end

Every exchange between two machines is an end-to-end encrypted QUIC/TLS 1.3 session, with a hybrid post-quantum key exchange (X25519 + ML-KEM). Only the two machines involved hold the keys — nobody else, not even the VIGIL infrastructure.

Zero open ports at the office

No machine listens on the Internet: connections always go outbound. Seen from outside, the office exposes nothing — there is literally no door to force.

Blind relays

When a direct path is not yet established, traffic transits through a structurally blind relay: it does not hold the keys and only sees opaque packets. It can even be hosted by the company itself if it wishes.

Access removed in one action

Each machine has its own identity, verified on every exchange. Revoking it from the console cuts its access immediately — the digital equivalent of taking back the office key at the end of a contract.

Controlled cost, no hardware investment

The router VPN hides costs you discover afterwards: the compatible equipment, the fixed IP address billed by the provider, and above all the consultant hours to install it and then intervene at every incident. The VIGIL-MESH approach removes those line items: no hardware to buy, no server to host, no carrier option to subscribe to — the client installs on the machines you already have.

  • Personal use is free, with unlimited direct traffic — enough to test the product in real conditions before committing the company.
  • Traffic that transits through relays is subject to a quota on the free plan; in steady state, most exchanges take the direct path.
  • Plans, quotas and options (including the dedicated relay) are detailed on the site’s pricing page — the amounts there are authoritative, nowhere else.

Complete setup, step by step

From zero to the first remote access, setup takes five steps. None of them requires touching the office router or opening a port.

  1. 1
    Create an account and a workspaceThe account identifies a person; the workspace created at first sign-in is the company’s private network. Enable strong authentication and invite a second administrator.
  2. 2
    Install the client on the machines involvedThe ERP server, the NAS if it can run the agent (or an office machine that will publish it), and the computers of remote-working employees — Windows, Linux or Android.
  3. 3
    Enroll each machineIn the console, Networks page → Machines → “Add a machine”, generate a single-use key and use it on the machine. It joins the workspace and receives its identity.
  4. 4
    VerifyEach enrolled machine appears in the console with its stable address and MagicDNS name. A ping between two machines confirms the network is in place.
  5. 5
    Reach your services as if localFrom home, the employee reaches the ERP or the NAS through its address or machine name, exactly as if they were at the office. Then write the role-based access rules to allow only what is necessary.

Frequently asked questions

Do we need a VPN server or a compatible router at the office?
No. There is no server to install and no equipment to buy: the client installs directly on the machines involved (the ERP server, the NAS, the employees' computers), and each one establishes its connections outbound. The office router stays untouched, with no port forwarding and no DMZ.
Do we need a fixed IP address or open ports on the router?
No. Each machine emits a single outbound flow (443 UDP) and opens no inbound port. This works behind a consumer router, a carrier-grade NAT or a 4G/5G connection, and survives a change of address or provider without any reconfiguration.
Can a small business without an IT person really administer it?
Yes — that is exactly the case this page addresses. Administration happens in a web console: enroll a machine with a single-use key, place it in a group, revoke it when the employee leaves. Access rules are written by role in plain terms ("accounting reaches the ERP"), and deny-by-default means an oversight closes access instead of opening it.
What happens when an employee leaves the company?
You revoke their machine from the console and the effect is immediate: removed from the signed network map, it instantly loses all access, direct and relayed alike. Unlike a classic VPN profile that can outlive the departure, there is no configuration file to track down and no shared password to change.
Does all of the employees' Internet browsing go through the company?
No. VIGIL-MESH only carries traffic destined for the machines of the private network; the employee's ordinary browsing keeps going through their own connection, with no detour and no interception. VIGIL-MESH is not an anonymization proxy: it is a private network between your machines.
Will the VPN slow down access to office files?
The connection comes up immediately through a relay and then migrates seamlessly to the direct path between home and office as soon as it is available: in steady state, data goes machine to machine without a detour through a central server, unlike a hub-and-spoke VPN where everything climbs through the gateway.
How much does it cost for a small team?
Personal use is free, with unlimited direct traffic and a quota on relayed traffic — enough to validate everything in real conditions. For the company, plans and amounts are detailed on the site's pricing page; there is no hardware to buy and no server to host on top of the subscription.
Read nextReplacing an enterprise VPN with a Zero Trust mesh