The latest articles on DEV Community by Jesse D (@jessedye). https://dev.to/jessedye https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1512335%2F0fdc00b5-6938-4649-86c3-f2357691afac.jpeg https://dev.to/jessedye en Jesse D Sun, 25 Jan 2026 06:02:19 +0000 https://dev.to/jessedye/building-a-zero-trust-vpn-how-i-wrapped-openvpn-and-wireguard-with-modern-authentication-4cjn https://dev.to/jessedye/building-a-zero-trust-vpn-how-i-wrapped-openvpn-and-wireguard-with-modern-authentication-4cjn <h1> Building a Zero-Trust VPN: How I Wrapped OpenVPN and WireGuard with Modern Authentication </h1> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4h7v6fr5ilcj6m75w5ny.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4h7v6fr5ilcj6m75w5ny.png" alt=" " width="800" height="533"></a></p> <p>It started with my homelab.</p> <p>I have a modest setup—a few Proxmox nodes, some Kubernetes clusters, network storage, the usual suspects. I wanted secure remote access without exposing everything to the internet. Simple ask, right?</p> <h2> The Search for a Solution </h2> <p>I tried the modern zero-trust solutions first:</p> <p><strong>Tailscale</strong> - Great product, but I wanted self-hosted. Their open-source Headscale works, but felt like I was fighting the architecture. Coordination servers, DERP relays, ACL policies in HuJSON—it's elegant if you buy into their model, but I wanted something closer to traditional VPN semantics.</p> <p><strong>NetBird</strong> - Promising concept, but the setup was painful. Multiple components to deploy, documentation gaps, and I spent more time debugging connectivity issues than actually using it. The mesh networking model also felt like overkill for my use case.</p> <p><strong>Firezone</strong> - Looked good on paper, but the WireGuard-only approach was limiting. Some of my older devices needed OpenVPN. And the complexity of the Elixir/Phoenix stack made me nervous about long-term maintenance.</p> <p><strong>Pritunl</strong> - Closer to what I wanted, but the enterprise licensing model and MongoDB dependency gave me pause. Also, the codebase felt dated.</p> <p>Each solution had pieces I liked, but none hit the sweet spot: <strong>simple deployment, SSO integration, both OpenVPN and WireGuard, and actual zero-trust with per-user firewall rules.</strong></p> <p><strong>So I built my own.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsaeq5f6z2a8f390nmnnb.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsaeq5f6z2a8f390nmnnb.jpg" alt=" " width="620" height="465"></a></p> <h2> What I Built </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffcojcvilezb9povl4vc4.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffcojcvilezb9povl4vc4.gif" alt=" " width="688" height="530"></a> </p> <p>A few simple commands. That's it. </p> <p><strong>GateKey</strong> is a zero-trust VPN solution that wraps OpenVPN and WireGuard to provide software-defined perimeter capabilities—while maintaining 100% compatibility with existing clients.</p> <p>In this article, I'll walk through the architecture decisions, the technical challenges, and how you can deploy a zero-trust VPN for your organization or homelab.</p> <h2> The Problem with Traditional VPNs </h2> <p>If you've managed a corporate VPN, you know the pain:</p> <ol> <li> <strong>Certificate Management Hell</strong> - Generating, distributing, and rotating certificates manually</li> <li> <strong>Shared Secrets</strong> - One compromised credential = everyone's compromised</li> <li> <strong>Flat Network Access</strong> - Once you're in, you can reach everything</li> <li> <strong>No Identity Awareness</strong> - The VPN doesn't know <em>who</em> you are, just that you have a valid cert</li> <li> <strong>Manual Onboarding</strong> - New employee? Here's a 10-step guide to configure your VPN client</li> </ol> <p>Modern identity providers solved authentication years ago. Why are VPNs still using 1990s-era certificate distribution?</p> <h2> The Zero-Trust Approach </h2> <p>GateKey flips the model:</p> <blockquote> <p><strong>Authenticate first, connect second.</strong></p> </blockquote> <p>Instead of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User has certificate → User connects → Hope they're authorized </code></pre> </div> <p>We do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User authenticates via SSO → System generates short-lived cert → User connects → Per-user firewall rules applied </code></pre> </div> <h3> Key Principles </h3> <ol> <li> <strong>Identity-First</strong> - Integrate with your existing IdP (Okta, Azure AD, Google Workspace)</li> <li> <strong>Short-Lived Credentials</strong> - Certificates expire in 24 hours (configurable), no manual rotation</li> <li> <strong>Per-User Firewall</strong> - Each user gets individualized network access based on their role</li> <li> <strong>Zero Standing Privileges</strong> - No access without active authentication</li> </ol> <p>Here's what SSO login looks like in the web UI:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j6dmn9kbg2bi229ieks.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j6dmn9kbg2bi229ieks.png" alt=" " width="700" height="930"></a></p> <h2> Architecture Deep-Dive </h2> <p>Here's how the pieces fit together:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkkl3qrwc9kuiilhi67rz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkkl3qrwc9kuiilhi67rz.png" alt=" " width="800" height="488"></a></p> <h3> Component Breakdown </h3> <p><strong>Control Plane</strong> (Go + React)</p> <ul> <li>Handles SSO authentication (OIDC/SAML)</li> <li>Embedded Certificate Authority for on-demand cert generation</li> <li>Policy engine for access rules</li> <li>REST API for all operations</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsuge6tu5xv6grp8ohoqf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsuge6tu5xv6grp8ohoqf.png" alt=" " width="800" height="419"></a></p> <p><strong>Gateway Agents</strong> (Go)</p> <ul> <li>Lightweight agents that run alongside OpenVPN/WireGuard</li> <li>Communicate with control plane via authenticated API</li> <li>Manage nftables firewall rules per-user</li> <li>Support both OpenVPN and WireGuard protocols</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wabuor5xf2rnycmvrae.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wabuor5xf2rnycmvrae.png" alt=" " width="800" height="365"></a></p> <p><strong>Embedded CA</strong></p> <ul> <li>No external PKI infrastructure required</li> <li>Generates short-lived certificates on-demand</li> <li>Supports graceful CA rotation with zero downtime</li> </ul> <h2> Technical Decision: Why Wrap Instead of Reimplement? </h2> <p>I considered building a custom VPN protocol. Then I remembered:</p> <ol> <li> <strong>OpenVPN and WireGuard are battle-tested</strong> - Millions of deployments, extensively audited</li> <li> <strong>Client compatibility</strong> - Every platform already has OpenVPN/WireGuard clients</li> <li> <strong>Security audits are expensive</strong> - Why audit a new protocol when proven ones exist?</li> </ol> <p>Instead, GateKey uses <strong>hook scripts</strong> to intercept OpenVPN events:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># OpenVPN calls these scripts on client events</span> client-connect /usr/local/bin/gatekey-connect client-disconnect /usr/local/bin/gatekey-disconnect auth-user-pass-verify /usr/local/bin/gatekey-verify via-env </code></pre> </div> <p>When a client connects:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fux0g4209zeqkxcdymfit.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fux0g4209zeqkxcdymfit.png" alt=" " width="800" height="533"></a></p> <ol> <li>OpenVPN triggers <code>gatekey-verify</code> with the client certificate</li> <li>Gateway agent validates the cert against the control plane</li> <li>Control plane checks: Is this cert valid? Is the user still authenticated? What access rules apply?</li> <li>Gateway receives the user's access rules and configures nftables</li> <li>User gets access only to their authorized resources</li> </ol> <p><strong>The VPN protocol itself is unchanged.</strong> We're just adding an authentication and authorization layer.</p> <h2> Per-User Firewall Rules with nftables </h2> <p>This is where zero-trust gets real. Each connected user gets their own firewall rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/firewall/nftables.go</span> <span class="k">func</span> <span class="p">(</span><span class="n">f</span> <span class="o">*</span><span class="n">NFTablesFirewall</span><span class="p">)</span> <span class="n">ApplyUserRules</span><span class="p">(</span><span class="n">userID</span> <span class="kt">string</span><span class="p">,</span> <span class="n">vpnIP</span> <span class="n">net</span><span class="o">.</span><span class="n">IP</span><span class="p">,</span> <span class="n">rules</span> <span class="p">[]</span><span class="n">AccessRule</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Create a chain for this specific user</span> <span class="n">chainName</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"user_%s"</span><span class="p">,</span> <span class="n">sanitize</span><span class="p">(</span><span class="n">userID</span><span class="p">))</span> <span class="c">// Add rules for each allowed network</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">rule</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">rules</span> <span class="p">{</span> <span class="n">nftCmd</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span> <span class="s">"nft add rule inet gatekey %s ip saddr %s ip daddr %s accept"</span><span class="p">,</span> <span class="n">chainName</span><span class="p">,</span> <span class="n">vpnIP</span><span class="p">,</span> <span class="n">rule</span><span class="o">.</span><span class="n">CIDR</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"sh"</span><span class="p">,</span> <span class="s">"-c"</span><span class="p">,</span> <span class="n">nftCmd</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to add rule: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Default deny for this user</span> <span class="n">nftCmd</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span> <span class="s">"nft add rule inet gatekey %s ip saddr %s drop"</span><span class="p">,</span> <span class="n">chainName</span><span class="p">,</span> <span class="n">vpnIP</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"sh"</span><span class="p">,</span> <span class="s">"-c"</span><span class="p">,</span> <span class="n">nftCmd</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>Access rules are managed through a clean admin interface:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwxphl6whf3hazo9f2kee.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwxphl6whf3hazo9f2kee.png" alt=" " width="800" height="395"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fh0t4jump85yzjws2jr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fh0t4jump85yzjws2jr.png" alt=" " width="739" height="1346"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1r2ib5q4jtqev1g2wdf6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1r2ib5q4jtqev1g2wdf6.png" alt=" " width="800" height="990"></a></p> <p>When access rules change in the admin UI, gateways poll for updates every 10 seconds and immediately update firewall rules—no client reconnection required.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foalpudodzvj1tsylfmoa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foalpudodzvj1tsylfmoa.png" alt=" " width="800" height="800"></a></p> <h2> Short-Lived Certificates: The Key to Zero Trust </h2> <p>Traditional VPNs issue certificates valid for 1-5 years. If compromised, you're exposed for years.</p> <p>GateKey certificates expire in <strong>24 hours by default</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/pki/ca.go</span> <span class="k">func</span> <span class="p">(</span><span class="n">ca</span> <span class="o">*</span><span class="n">CA</span><span class="p">)</span> <span class="n">IssueCertificate</span><span class="p">(</span><span class="n">commonName</span> <span class="kt">string</span><span class="p">,</span> <span class="n">validityHours</span> <span class="kt">int</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">x509</span><span class="o">.</span><span class="n">Certificate</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">template</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">x509</span><span class="o">.</span><span class="n">Certificate</span><span class="p">{</span> <span class="n">SerialNumber</span><span class="o">:</span> <span class="n">big</span><span class="o">.</span><span class="n">NewInt</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UnixNano</span><span class="p">()),</span> <span class="n">Subject</span><span class="o">:</span> <span class="n">pkix</span><span class="o">.</span><span class="n">Name</span><span class="p">{</span> <span class="n">CommonName</span><span class="o">:</span> <span class="n">commonName</span><span class="p">,</span> <span class="p">},</span> <span class="n">NotBefore</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">(),</span> <span class="n">NotAfter</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">(</span><span class="n">validityHours</span><span class="p">)</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">),</span> <span class="n">KeyUsage</span><span class="o">:</span> <span class="n">x509</span><span class="o">.</span><span class="n">KeyUsageDigitalSignature</span><span class="p">,</span> <span class="n">ExtKeyUsage</span><span class="o">:</span> <span class="p">[]</span><span class="n">x509</span><span class="o">.</span><span class="n">ExtKeyUsage</span><span class="p">{</span><span class="n">x509</span><span class="o">.</span><span class="n">ExtKeyUsageClientAuth</span><span class="p">},</span> <span class="n">BasicConstraintsValid</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="p">}</span> <span class="c">// Sign with our CA</span> <span class="n">certDER</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">x509</span><span class="o">.</span><span class="n">CreateCertificate</span><span class="p">(</span><span class="n">rand</span><span class="o">.</span><span class="n">Reader</span><span class="p">,</span> <span class="n">template</span><span class="p">,</span> <span class="n">ca</span><span class="o">.</span><span class="n">cert</span><span class="p">,</span> <span class="n">pubKey</span><span class="p">,</span> <span class="n">ca</span><span class="o">.</span><span class="n">privateKey</span><span class="p">)</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The CA management interface provides full visibility into certificate lifecycle:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7v2u6v60o6ntauovocm7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7v2u6v60o6ntauovocm7.png" alt=" " width="800" height="803"></a></p> <p>The client CLI handles renewal automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>gatekey connect <span class="c"># First time: Opens browser for SSO, downloads config, connects</span> <span class="c"># Subsequent times: Refreshes config if needed, connects immediately</span> </code></pre> </div> <p>Users never see certificate expiration. They just authenticate and connect.</p> <h2> Dual Protocol Support: OpenVPN + WireGuard </h2> <p>Some environments need OpenVPN (maximum compatibility). Others want WireGuard (performance, mobile). GateKey supports both with the same zero-trust model:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1h4z3bfyss4i58o6xt9p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1h4z3bfyss4i58o6xt9p.png" alt=" " width="800" height="593"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Gateway types in the database</span> <span class="na">gateways</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">us-east-openvpn</span> <span class="na">type</span><span class="pi">:</span> <span class="s">openvpn</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">vpn-east.company.com:1194</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">us-west-wireguard</span> <span class="na">type</span><span class="pi">:</span> <span class="s">wireguard</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">vpn-west.company.com:51820</span> </code></pre> </div> <p>Users can connect to either:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>gatekey connect us-east-openvpn <span class="c"># Uses OpenVPN</span> <span class="nv">$ </span>gatekey connect us-west-wireguard <span class="c"># Uses WireGuard</span> <span class="nv">$ </span>gatekey status Active connections: us-east-openvpn connected 10.8.0.5 tun0 us-west-wireguard connected 10.9.0.12 wg0 </code></pre> </div> <p>Multi-gateway support means users can be connected to multiple VPNs simultaneously—each with their own firewall rules.</p> <h2> Mesh Networking: Site-to-Site Connectivity </h2> <p>Beyond traditional client-to-site VPN, GateKey supports hub-and-spoke mesh networking for site-to-site connectivity:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz8qkiusgr97yxc2d5tic.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz8qkiusgr97yxc2d5tic.png" alt=" " width="800" height="399"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2g244fmet7ao4wmolcc2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2g244fmet7ao4wmolcc2.png" alt=" " width="800" height="261"></a></p> <p>This enables:</p> <ul> <li> <strong>Branch office connectivity</strong> - Connect remote offices to central resources</li> <li> <strong>Multi-cloud networking</strong> - Link AWS, GCP, and on-prem networks</li> <li> <strong>Zero-trust between sites</strong> - Same per-identity firewall rules apply</li> </ul> <h2> Network Topology Visualization </h2> <p>Monitor your entire VPN infrastructure in real-time:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjb75bjnbwjeoxqwyzwl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjb75bjnbwjeoxqwyzwl.png" alt=" " width="800" height="398"></a></p> <p>The topology view shows:</p> <ul> <li>All gateways, hubs, and spokes</li> <li>Active VPN sessions</li> <li>Connection health and bandwidth</li> <li>User attribution for every connection</li> </ul> <h2> Geo-Fencing: IP-Based Access Control </h2> <p>Add another layer of security with geo-fencing rules:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxu2c6dofw7cr7oi6gw5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxu2c6dofw7cr7oi6gw5.png" alt=" " width="800" height="418"></a></p> <ul> <li> <strong>Whitelist model</strong> - Only connections from explicitly allowed IP ranges</li> <li> <strong>Hierarchical rules</strong> - User rules override group rules, which override global rules</li> <li> <strong>Audit mode</strong> - Log violations without blocking (for testing)</li> </ul> <h2> Authentication Integration </h2> <p>GateKey integrates with your existing identity provider:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmwjrscx9way8qoxt1773.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmwjrscx9way8qoxt1773.png" alt=" " width="800" height="259"></a></p> <p>Supported providers:</p> <ul> <li>Okta</li> <li>Azure AD / Entra ID</li> <li>Google Workspace</li> <li>Keycloak</li> <li>Any OIDC or SAML 2.0 compliant provider</li> </ul> <h2> The Admin Dashboard </h2> <p>A unified view of your zero-trust VPN infrastructure:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4z2638fq9y1wx4t5lt7g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4z2638fq9y1wx4t5lt7g.png" alt=" " width="800" height="627"></a></p> <h2> The User Experience </h2> <p>For end users, it's three commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># One-time setup</span> gatekey config init <span class="nt">--server</span> https://vpn.company.com <span class="c"># Daily usage</span> gatekey login <span class="c"># Opens browser for SSO</span> gatekey connect <span class="c"># Downloads config, connects</span> gatekey disconnect <span class="c"># When done</span> </code></pre> </div> <p>Or use the web UI to download a standard <code>.ovpn</code> file that works with any OpenVPN client.</p> <h2> Deployment Options </h2> <h3> Kubernetes (Recommended) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add gatekey https://dye-tech.github.io/gatekey-helm-chart helm <span class="nb">install </span>gatekey gatekey/gatekey <span class="nt">-n</span> gatekey <span class="nt">--create-namespace</span> </code></pre> </div> <h3> Docker Compose </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">gatekey</span> <span class="na">gatekey-server</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">dyetech/gatekey-server:latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">DATABASE_URL</span><span class="pi">:</span> <span class="s">postgres://gatekey:pass@postgres/gatekey</span> <span class="na">gatekey-web</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">dyetech/gatekey-web:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:8080"</span> </code></pre> </div> <h2> What I Learned </h2> <p>Building GateKey taught me several things:</p> <ol> <li> <strong>Don't reinvent crypto</strong> - Wrap proven protocols instead of creating new ones</li> <li> <strong>Hook scripts are powerful</strong> - OpenVPN's plugin system is underutilized</li> <li> <strong>nftables &gt; iptables</strong> - Modern, atomic updates, better performance</li> <li> <strong>Short-lived credentials change everything</strong> - When certs expire in hours, compromise windows shrink dramatically</li> <li> <strong>Developer experience matters</strong> - <code>gatekey connect</code> should just work</li> </ol> <h2> Try It Out </h2> <p>GateKey is open source under Apache 2.0:</p> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/dye-tech/GateKey" rel="noopener noreferrer">github.com/dye-tech/GateKey</a> </li> <li> <strong>Documentation</strong>: <a href="https://gatekey.net" rel="noopener noreferrer">gatekey.net</a> </li> <li> <strong>Docker Hub</strong>: <a href="https://hub.docker.com/u/dyetech" rel="noopener noreferrer">hub.docker.com/u/dyetech</a> </li> <li> <strong>Helm Chart</strong>: <a href="https://github.com/dye-tech/gatekey-helm-chart" rel="noopener noreferrer">github.com/dye-tech/gatekey-helm-chart</a> </li> <li> <strong>GitHub Android Client</strong>: <a href="https://github.com/dye-tech/gatekey-android-client" rel="noopener noreferrer">github.com/dye-tech/gatekey-android-client</a> </li> </ul> <p>If you're tired of managing VPN certificates manually, or want to add zero-trust to your existing OpenVPN/WireGuard infrastructure, give it a try.</p> <p><em>What's your experience with VPN infrastructure? Have you implemented zero-trust networking? I'd love to hear about your approach in the comments.</em></p> vpn security zerotrust devsecops