Documentation
A remote-work VPN for small teams: simple, encrypted, no server to manage
A small business has the same remote-access needs as a large group — reaching the ERP, the NAS, the payroll software from home — without the means to match: no IT department, no VPN server, no hardware budget. VIGIL-MESH is built for exactly this case: every employee and every office machine joins a private workspace, encrypted end to end, administered from a web console. Nothing to install server-side at the office, no port to open on the router, and role-based access rules that only allow what is necessary.
The small-business remote-work problem
The need is always the same: an employee at home has to reach resources that live at the office. The ERP or management software installed on the company server, the NAS holding the client files, the printer-copier, sometimes the workstation itself to get back to a licensed line-of-business application. These resources are not — and must not be — reachable from the Internet: what is needed is a private path between home and office.
The traditional answer is the router VPN: you enable an IPsec or OpenVPN server on the office gateway, open a port on the company’s Internet connection, and each employee configures a client with a profile file. The model works, but it assumes skills and ongoing upkeep that most small organizations simply do not have in-house.
A server exposed to the Internet
The router VPN requires an inbound port permanently open on the office connection. That is an exposed door that must be monitored and kept up to date — an administrator’s job, with no administrator to do it.
An IP address you have to keep finding
For clients to find the office, you need a stable public address or a dynamic DNS service. A change of provider, a 4G/5G fallback line or a carrier-grade NAT is enough to break the access.
Shared profiles, never revoked
In practice, the configuration file gets passed around by e-mail and outlives departures. Knowing who still holds an access, and cutting it cleanly when an employee leaves, quickly becomes impossible.
All-or-nothing access
Once the tunnel is up, the employee usually sees the whole office network — the accounting NAS as much as the workshop camera — when their job only requires one or two resources.
The private-network approach: a workspace for the company
VIGIL-MESH turns the problem around. Instead of installing a VPN server at the office, every machine — the employee’s laptop at home, the ERP server, the NAS, the workshop PC — becomes a member of a workspace: the company’s private network, isolated from everyone else’s. Machines then reach each other directly, peer to peer, over end-to-end encrypted connections, with no office equipment acting as a gateway.
- Nothing to install server-side: no VPN concentrator, no appliance, no router configuration. The client installs on the machines involved (Windows, Linux, Android), and that is all.
- Zero open ports at the office: each node establishes a single outbound flow (443 UDP). No port forwarding on the router, no fixed IP address to subscribe to, no dynamic DNS to maintain.
- Stable addresses and readable names: each machine gets an address that follows it everywhere and a short name via MagicDNS. The employee reaches “the ERP” or “the NAS” by name, as if they were at the office.
- A connection that works on the first try: the session comes up immediately through a relay, then migrates seamlessly to the direct path between home and office as soon as it is available.
| Classic router VPN | VIGIL-MESH workspace | |
|---|---|---|
| Server at the office | Yes, to configure and maintain | None |
| Inbound port on the router | Required, permanently exposed | None — a single outbound 443 UDP flow |
| Fixed IP address | Often necessary | Not needed |
| Access once connected | Often the whole network | Only what the ACLs allow |
| Employee departure | Profile to track down and invalidate | Immediate revocation from the console |
| Skills required | Network administration | A web console, no IT department |
Role-based access, denied by default
Being a member of the network grants no rights by itself: anything not explicitly allowed is denied. Access rules (ACLs) are written in terms of roles, not addresses: you write “accounting reaches the ERP”, and the rule stays true when an employee joins or changes position, with no rewriting. For a small business, a handful of rules covers the whole organization.
| Source | Destination | Action |
|---|---|---|
| group:management | network:office (all services) | Allow |
| group:accounting | tag:erp, tag:nas (file sharing) | Allow |
| group:sales | tag:erp (business application) | Allow |
| group:workshop | tag:nas (technical folders) | Allow |
| (any source) | (any destination) | Deny by default |
Rules are evaluated in order and the first match decides. Every change produces a new generation of the policy, signed by the controller and verified by each machine before it is applied — even offline. Nobody, not even a relay, can slip in a rule you did not write.
When an employee joins or leaves
The life cycle of an access follows the life cycle of the contract. On arrival, you enroll the employee’s machine; on departure, you revoke it. Both operations happen from the console, in a few clicks, without touching the office or the other machines.
- 1On arrival: enroll the machineInstall the client on the new employee’s computer, then authorize the machine in the workspace — with a single-use enrollment key, a short-lived invitation, or an approval queue where the administrator validates the request.
- 2Assign the rolePlace the machine in the group matching the position (accounting, sales, workshop…). The access rules written for the group apply immediately, with no new rule to write.
- 3On departure: revokeRevoke the machine from the console. Revocation is immediate: removed from the signed network map, the machine instantly loses all access — direct flows and relayed ones alike. No password to change, no VPN profile to chase down.
Troubleshooting a machine remotely, from a browser
Without an IT department, troubleshooting usually falls to the person “who knows computers” — who is not always on site. For this, the VIGIL-MESH console includes an SSH terminal that opens directly in the browser, to any online machine of the network: the browser itself becomes a mesh node, and the session is encrypted end to end all the way to the target machine. Windows Remote Desktop (RDP) follows the same model.
- Nothing to install on the machine you help from: a browser and a signed-in account are enough, even from a machine that is not enrolled.
- No open port on the machine being helped: its SSH server is only reachable through its private-network address, under ACL control.
- No intermediary sees the credentials: the password is consumed by the SSH client in the browser and is only ever transmitted to the target machine, inside the encrypted session.
Security, explained to a non-technical owner
You do not need to be a network engineer to understand what protects the company. Four properties can be checked — and told — simply.
Encrypted end to end
Every exchange between two machines is an end-to-end encrypted QUIC/TLS 1.3 session, with a hybrid post-quantum key exchange (X25519 + ML-KEM). Only the two machines involved hold the keys — nobody else, not even the VIGIL infrastructure.
Zero open ports at the office
No machine listens on the Internet: connections always go outbound. Seen from outside, the office exposes nothing — there is literally no door to force.
Blind relays
When a direct path is not yet established, traffic transits through a structurally blind relay: it does not hold the keys and only sees opaque packets. It can even be hosted by the company itself if it wishes.
Access removed in one action
Each machine has its own identity, verified on every exchange. Revoking it from the console cuts its access immediately — the digital equivalent of taking back the office key at the end of a contract.
Controlled cost, no hardware investment
The router VPN hides costs you discover afterwards: the compatible equipment, the fixed IP address billed by the provider, and above all the consultant hours to install it and then intervene at every incident. The VIGIL-MESH approach removes those line items: no hardware to buy, no server to host, no carrier option to subscribe to — the client installs on the machines you already have.
- Personal use is free, with unlimited direct traffic — enough to test the product in real conditions before committing the company.
- Traffic that transits through relays is subject to a quota on the free plan; in steady state, most exchanges take the direct path.
- Plans, quotas and options (including the dedicated relay) are detailed on the site’s pricing page — the amounts there are authoritative, nowhere else.
Complete setup, step by step
From zero to the first remote access, setup takes five steps. None of them requires touching the office router or opening a port.
- 1Create an account and a workspaceThe account identifies a person; the workspace created at first sign-in is the company’s private network. Enable strong authentication and invite a second administrator.
- 2Install the client on the machines involvedThe ERP server, the NAS if it can run the agent (or an office machine that will publish it), and the computers of remote-working employees — Windows, Linux or Android.
- 3Enroll each machineIn the console, Networks page → Machines → “Add a machine”, generate a single-use key and use it on the machine. It joins the workspace and receives its identity.
- 4VerifyEach enrolled machine appears in the console with its stable address and MagicDNS name. A ping between two machines confirms the network is in place.
- 5Reach your services as if localFrom home, the employee reaches the ERP or the NAS through its address or machine name, exactly as if they were at the office. Then write the role-based access rules to allow only what is necessary.