Unparalleled simplicity. Minimal user interface. No new usernames or passwords to remember.


Secure-by-default configuration. Perfect Forward Secrecy. Mutual certificate authentication.

Easy to Manage

Dynamic runtime configuration updates. Windows Active Directory support. Auditing. JSON & RPC API.


Only the necessary features for common VPN use cases are built into the server. All users benefit from defaults that are based on security best practices. Additional functionality can be added via plugins in both control and data planes.

  • PAM Authentication
  • AD Authentication
  • Certificate Authentication
  • Authentication Plugins
  • Hostname Blocking
  • Client Key Management
  • Admin API
  • Packet Flow Plugins

Pilvy VPN Server is an end-to-end, secure, remote access solution that can be up and running in 5 minutes. It includes user-friendly native apps for macOS, Windows, and iOS, as well as command-line clients for macOS, Windows, and Linux for advanced users or custom integration. An Android app is under development and will be available later this year.


Not all features are available during the beta period. Android support will be available in a later release.

How to Connect

After installing the server, copy the generated configuration profile from /etc/vpnserver/pki-tools/clients/client.vpntoolkit to the client and run:

vpnclient --profile client.vpntoolkit --connect

By default, PAM authentication is enabled, so any user account on the VPN server can be used to connect. The default PKCS12 identity password is secret as generated at install time. The .vpntoolkit file is a JSON file containing server information, although credentials can also be embedded in it for a streamlined connection setup.

Useful command-line arguments:

On Windows, you will need to first install the OpenVPN NDIS 6 TUN/TAP driver (tap-windows, bottom of the page) for the client to work. The Windows app installer automatically does this.

On iOS, the configuration profile must be opened in Safari from a secure website and served with the application/x-vpntoolkit-profile MIME type. It can also be opened from any other app (e.g., Mail) as long as the .vpntoolkit file extension is retained.


The default VPN protocol runs over TCP and requires TLS version 1.2. While the cipher suites are configurable, the defaults (both server and clients) consist only of ones that support Perfect Forward Secrecy (PFS), using either the 128-bit or 256-bit AES cipher:
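As an added illustration (not Pilvy code), the policy described above, forward-secret key exchange and AES-128 or AES-256 only, can be checked mechanically against a cipher list. The sketch assumes expanded OpenSSL-style TLS 1.2 suite names; the sample list is constructed and is not the product's actual default set.

```python
import re

# Assumption: suites are given as expanded OpenSSL-style TLS 1.2 names
# (e.g. the output of `openssl ciphers`), not selectors like "ECDHE+AESGCM".
PFS_PREFIXES = ("ECDHE-", "DHE-")  # ephemeral (EC)DH key exchange
AES_RE = re.compile(r"(?:^|-)AES(128|256)(?:-|$)")


def audit_suite(name):
    """Return the policy violations for one suite name (empty list = compliant)."""
    problems = []
    if not name.startswith(PFS_PREFIXES):
        problems.append("key exchange is not ECDHE/DHE (no forward secrecy)")
    if not AES_RE.search(name):
        problems.append("bulk cipher is not AES-128 or AES-256")
    return problems


def audit_cipher_list(cipher_list):
    """Audit a colon-separated list; return {suite: [violations]} for failures only."""
    findings = {}
    for suite in (s.strip() for s in cipher_list.split(":")):
        if suite and (problems := audit_suite(suite)):
            findings[suite] = problems
    return findings


# Constructed sample: two compliant suites and three that break the policy.
SAMPLE = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "AES256-SHA",                   # static RSA key exchange
    "ECDHE-RSA-CHACHA20-POLY1305",  # forward secret, but not AES
    "DES-CBC3-SHA",                 # static RSA and 3DES
])

if __name__ == "__main__":
    for suite, problems in audit_cipher_list(SAMPLE).items():
        print(f"{suite}: {'; '.join(problems)}")
```

Static `ECDH-` suites are also flagged, because only the ephemeral `ECDHE-` and `DHE-` prefixes are accepted.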

The VPN server needs only a single TCP port to be open, typically 443, and only one instance needs to be running. The VPN server is inherently multi-threaded, so on multi-core systems, all cores are automatically utilized.

A high-performance VPN protocol (UDP and TCP) based on the Noise Protocol Framework will be made default in a future release, later this year. The protocol will also be open sourced.


The server supports username/password, token, and certificate-based authentication. Authentication backends include PAM, OpenID Connect (e.g., Google Apps/G Suite), Windows Active Directory/LDAP, SQL, and custom plugin.

Default Configuration

The default (and recommended) security configuration is to require mutual authentication of client and server before actual user authentication takes place. The server installation generates the following public key infrastructure (PKI) hierarchy:

Clients connecting to the server trust only a single CA, the VPN Root CA. Likewise, servers require clients to present a certificate issued by said CA (an intermediate CA in this case). If either the client fails to validate the server or the server fails to validate the client, the connection is dropped. Upon success, either credential-based or token-based authentication is performed. In some environments, the secondary authentication step can be disabled if certificates are adequately protected and a real-time revocation process is in place.

External PKI such as HSM and PKCS#11 smart cards will be supported in a future release for enterprise customers.

CRL verification is currently not supported. Until it is available, credential-based or token-based authentication should not be disabled.


VPN client IP pools can be either IPv4 or IPv6 and can be of arbitrary size or prefix length.

Split-tunneling is supported out of the box, with provisions for excluded routes (currently only supported on iOS) to allow certain netblocks to be routed outside the VPN tunnel.

Multi-Protocol Support

Out of the box, the server supports a custom SSL/TLS-based VPN protocol running over TCP, but additional protocols can be added, even on the same TCP port (assuming each VPN protocol has a distinguishable initial handshake).


Pilvy VPN Server is built on Pilvy VPN Server Toolkit, our VPN SDK. Customers are able to extend the VPN server in a number of different areas:

Documentation about the server and plugin APIs will be provided in future releases.
