by wkat4242 358 days ago
I work for an enterprise and they don't want this. They still rely on traditional centralised VPNs. How they deal with this is enforcing them everywhere, even in the office. Though there, they are usually only on in name.

I think the reason is that they want to inspect the traffic in central locations, if each endpoint is doing its own you need to log there which means you can't always access it immediately.

I do use Mesh VPNs privately and love them. I love the way I have this overlay, a personal network that works everywhere. My devices all keep the same address no matter where they are.


Depends on the industry. But many large enterprises in the Fortune 500 are actively trying to move away from your traditional VPN (F5, Pulse, Cisco, etc.).

Even with VPNs the question should be: what are we gating behind that VPN anyway? Does it actually give us the granularity of controls we want, or is this all security theater? (Also, what about hybrid infra, between the datacenter and cloud?)

FWIW, my ideal architecture is WireGuard into Corp (à la Cloudflare Warp, Tailscale, etc.). Corp doesn't hold a ton of sensitive assets. Or put another way, it's a lower trust tier.

And then using something like Teleport, Octelium, etc. to reach production assets.

Admittedly, no vendor product I've come across yet has bridged this gap nicely. The überProxies tend to focus on the application protocols they support, while the WireGuard clients care more about session control of the tunnel.

Really thoughtful take. That exact gap, bridging identity-aware tunneling (like WireGuard) with protocol-aware proxy decisions, is exactly what we set out to solve with Border0.

We pair WireGuard-style tunnels with real-time identity (SSO, device, group context) and protocol-aware proxies for SSH, RDP, HTTP, PostgreSQL, MySQL, MSSQL, ES, and Kubernetes. Our policy engine lets you write rules like "only the DBA group can run DELETEs in Prod" or "Support can exec into this pod," and we log every query, command, or request, all tied back to the user and device.

Think of it as combining the modern VPN experience of Tailscale with the deep authZ and observability of Teleport. I call it VPN plus PAM. Would love your thoughts if you give it a look.

Quick 2-minute overview: https://www.youtube.com/watch?v=hU7QixSqnSM&t=3s

https://www.border0.com/
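To make the "protocol-aware proxy decision" concrete, here is an added toy illustration of the kind of per-statement check such a proxy has to make once the tunnel has already authenticated the user. It is not Border0's, Teleport's or Tailscale's code; the groups, environments, rules, users and device names are all made up for the example. The point it adds to the comment is the part a first-keyword check gets wrong: a DELETE hidden behind a leading comment, behind a WITH clause, or after a `;` in a batch is still a DELETE, and a default-deny policy must judge every statement in the batch.

```python
"""Toy identity- and protocol-aware policy check for a SQL proxy.

Added illustration, not vendor code. The session context (SSO user, device,
groups, environment) is assumed to come from the tunnel/identity layer; this
module only decides whether a given SQL batch may be forwarded and writes an
audit record tied to user and device. All names and rules are constructed.
"""
import re
from dataclasses import dataclass

DML = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "TRUNCATE", "ALTER", "CREATE"}


@dataclass(frozen=True)
class Session:            # hypothetical context handed over by the identity layer
    user: str
    device: str
    groups: frozenset
    environment: str      # e.g. "prod" or "staging"


@dataclass(frozen=True)
class Rule:
    environment: str
    statements: frozenset  # statement kinds this rule covers
    allowed_groups: frozenset


# Constructed policy: in prod only "dba" may run destructive statements,
# several groups may SELECT, and anything without a matching rule is denied.
POLICY = [
    Rule("prod", frozenset({"DELETE", "DROP", "TRUNCATE"}), frozenset({"dba"})),
    Rule("prod", frozenset({"SELECT"}), frozenset({"dba", "support", "eng"})),
    Rule("staging", frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"}),
         frozenset({"dba", "eng"})),
]

AUDIT_LOG: list = []

_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)


def split_statements(sql: str) -> list:
    """Split a batch on ';' outside single-quoted strings, so every statement
    gets judged rather than only the first one ("SELECT 1; DELETE ...")."""
    out, buf, in_str = [], [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf))
    return [s for s in out if s.strip()]


def classify(sql: str) -> str:
    """Statement kind = first top-level verb. Comments are stripped first, and a
    leading WITH clause is skipped (CTE bodies sit inside parentheses, so the
    first DML keyword at depth 0 after WITH is the real verb). Parentheses
    inside string literals are not tracked; a real proxy would use a parser."""
    text = _COMMENT.sub(" ", sql)
    depth, token, first = 0, [], None
    for ch in text + " ":
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch.isalpha() or ch == "_":
            token.append(ch)
            continue
        if token:
            word = "".join(token).upper()
            token = []
            if depth == 0:
                if first is None:
                    first = word
                    if word != "WITH":
                        return word if word in DML else "UNKNOWN"
                elif word in DML:
                    return word
    return "UNKNOWN"


def _permitted(session: Session, kind: str) -> bool:
    return any(r.environment == session.environment and kind in r.statements
               and session.groups & r.allowed_groups for r in POLICY)


def decide(session: Session, sql: str) -> dict:
    """Deny the whole batch if any statement lacks a matching rule (default
    deny, including empty/unparseable input); log and return the decision."""
    kinds = [classify(s) for s in split_statements(sql)] or ["UNKNOWN"]
    denied = [k for k in kinds if not _permitted(session, k)]
    record = {"user": session.user, "device": session.device,
              "env": session.environment, "kinds": kinds,
              "allowed": not denied, "denied_kinds": denied, "sql": sql}
    AUDIT_LOG.append(record)
    return record


if __name__ == "__main__":
    support = Session("bob", "laptop-02", frozenset({"support"}), "prod")
    for q in ["SELECT * FROM orders", "-- cleanup\nDELETE FROM orders",
              "SELECT 1; DELETE FROM orders"]:
        print(decide(support, q)["allowed"], repr(q))
```

Design note: the decision is made per statement kind, not per connection, which is what lets the same tunnel carry a support engineer's SELECTs while refusing their DELETEs; the audit record carries the user and device so a denied attempt is attributable rather than just a dropped packet.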

Oh yes, I agree it's all theater. But we are a very big enterprise (though not big tech), and we're a very traditional company, unfortunately.

We're also still working to go "on cloud", as our CIO wants, because they want to be hip too.

Which in our case means lifting up an image of every server in our datacenter and moving it to a compute box on AWS that runs 24/7. This is not "cloud". It's just paying much more for someone else's server. There is no dynamic scaling or consumption-based billing. It's just setting money on fire so we can tick a box.

Of course we're also "on modern management" yet rely extremely heavily on SCCM policies. Always the same story here.