A Unified, L7-Aware, Zero-Config Remote Access WireGuard-based VPN with Automatic Private DNS for both Humans and Workloads to Access any Private/Internal Resource behind NAT from Anywhere as well as Protected Public Resources such as SaaS APIs and Databases

Provide Dynamic Secretless Access to HTTP-based Resources without sharing API Keys and Access Tokens, PostgreSQL and MySQL Databases without sharing Passwords, SSH Servers without Managing Keys and Certificates

Identity-based, Application-layer/L7-aware, Context-aware ABAC Access via Control Policy-as-Code using CEL and Open Policy Agent (OPA)

Zero-Config, Lightweight Clients with Support for both Kernel-native WireGuard for Maximum Performance as well as Unprivileged, Rootless Tunneling over gVisor. Can Run anywhere from your Laptop to Containers, Kubernetes, IoT and GitHub Actions.

Eliminate Traditional VPN Problems: Use a Single Stable Route instead of Injecting Countless Routes into Your Users' Clients. Effortless Dual-Stack Networking Regardless of the Support at the Upstream. Seamless, Unified, Automatic Private DNS.

Seamlessly integrate any OpenID Connect or SAML 2.0 SSO Provider (IdP) as well as GitHub OAuth2 and Provide Secure Access to all your Resources for your Teams at Scale.

Authenticate your Workloads running from Kubernetes Clusters, Cloud Providers, GitHub Actions and SPIFFE Identities with OpenID Connect (OIDC) Assertions to Eliminate Managing and Distributing Credentials at Scale.

Public clientless BeyondCorp access for both Human via their Browsers and Workload Users via Standard OAuth2 Client Credentials Flow and Bearer Authentication

A Scalable Platform Built on top of Kubernetes for Automatic Horizontal Scalability and Availability

Designed to be Administered like Kubernetes via DevOps/GitOps-friendly Centralized and Declarative Way. The Cluster is furthermore fully Programmable over gRPC.

OpenTelemetry-native, Layer-7 Aware, Real-Time Visibility and Auditing to Your Log Management and SIEM Providers