Modern

Unparalleled simplicity. Minimal user interface. No new usernames or passwords to remember.

Secure

Secure-by-default configuration. Perfect Forward Secrecy. Mutual certificate authentication.

Easy to Manage

Dynamic runtime configuration updates. Windows Active Directory support. Auditing. JSON & RPC API.

VPN—Simplified.

Only the necessary features for common VPN use cases are built into the server. All users benefit from defaults that are based on security best practices. Additional functionality can be added via plugins in both control and data planes.

  • PAM Authentication
  • AD Authentication
  • Certificate Authentication
  • Authentication Plugins
  • Hostname Blocking
  • Client Key Management
  • Admin API
  • Packet Flow Plugins

Pilvy VPN Server BETA is available as a .deb package for Debian and Ubuntu Linux systems running systemd. Command-line clients for macOS, Windows, and Linux are provided out of the box, with full GUI clients forthcoming. An iOS app is available, with Android support coming in a later release. During the beta evaluation period, there is no cost to use the product.

Download

Not all features are available during the beta period. Android support will be available in a later release.

How to Connect

After installing the server, copy the generated configuration profile from /etc/vpnserver/pki-tools/clients/client.vpntoolkit to the client and run:

vpnclient --profile client.vpntoolkit --connect vpn.example.com

By default, PAM authentication is enabled, so any user account on the VPN server can be used to connect. The PKCS12 identity password generated at install time defaults to "secret".

Useful command-line arguments:

On Windows, you will need to first install the OpenVPN NDIS 6 TUN/TAP driver (tap-windows, bottom of the page) for the client to work. This requirement will be dropped in a future release.

On iOS, the configuration profile must be opened in Safari from a secure website and served with the application/x-vpntoolkit-profile MIME type. It can also be opened from any other app (e.g., Mail) as long as the .vpntoolkit file extension is retained.

Updates During Beta Period

Check for server updates: vpnserver --check-update

Check for client updates: vpnclient --check-update

Security

The default VPN protocol runs over TCP and requires TLS version 1.2. While the cipher suites are configurable, the defaults consist only of ones that support Perfect Forward Secrecy (PFS), using either the 128-bit or 256-bit AES cipher:

These are defaults for both server and clients. To permit other, potentially weaker, cipher suites, clients must be explicitly configured to accept them. The VPN server needs only a single TCP port to be open, typically 443, and only one instance needs to be running. The VPN server is inherently multi-threaded, so on multi-core systems, all cores are automatically utilized.

Authentication

The server supports username/password, token, and certificate-based authentication. Authentication backends include PAM, OpenID Connect (Google Apps/G Suite), Windows Active Directory/LDAP, SQL, HTTP, and custom plugins.

Default Configuration

The default (and recommended) security configuration is to require mutual authentication of client and server before actual user authentication takes place. The server installation generates the following public key infrastructure (PKI) hierarchy:

Clients connecting to the server trust only a single CA, the VPN Root CA. Likewise, the server requires clients to present a certificate issued under that CA (by an intermediate CA in this case). If the client fails to validate the server, or the server fails to validate the client, the connection is dropped. Upon success, credential- or token-based authentication is performed. In some environments, this secondary authentication step can be disabled if certificates are adequately protected and a real-time revocation process is in place.

External PKI such as HSM and PKCS#11 smart cards will be supported in a future release for enterprise customers.

CRL verification is currently not supported. Until it is available, credential- or token-based authentication should not be disabled.
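The Security and Default Configuration sections describe a posture of TLS 1.2 minimum, PFS-only AES cipher suites and mandatory mutual certificate authentication against a single VPN Root CA. The following is an added example, not Pilvy code, that models that posture with Python's standard `ssl` module and audits what a context will actually negotiate; the cipher policy string and the file-name parameters are assumptions for illustration (the PKCS12 profile from the page would need converting to PEM for `load_cert_chain`).

```python
import ssl

# OpenSSL-style suite names. An (EC)DHE key exchange gives forward secrecy, and
# every TLS 1.3 suite uses an ephemeral exchange. Static RSA key transport
# (e.g. "AES256-GCM-SHA384"), static DH and anonymous suites do not.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")
PFS_AES_GCM_ONLY = "ECDHE+AESGCM:DHE+AESGCM"   # assumed policy string, not Pilvy's

def non_pfs_suites(suites):
    """Return the configured suites that would break a PFS-only default."""
    return [s for s in suites if not s.startswith(PFS_PREFIXES)]

def hardened_server_context(root_ca_file=None, cert_file=None, key_file=None):
    """Server side: TLS 1.2+, PFS AES-GCM suites, client certificate mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_AES_GCM_ONLY)
    ctx.verify_mode = ssl.CERT_REQUIRED        # no client cert -> handshake fails
    if root_ca_file:                           # accept only certs chaining to the VPN Root CA
        ctx.load_verify_locations(cafile=root_ca_file)
    if cert_file:                              # the server's own identity (PEM)
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def hardened_client_context(root_ca_file=None, cert_file=None, key_file=None):
    """Client side: same suite policy, trusts a single CA, verifies the server name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_AES_GCM_ONLY)
    if root_ca_file:                           # do NOT load the system roots
        ctx.load_verify_locations(cafile=root_ca_file)
    if cert_file:                              # client identity presented for mutual auth
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def posture(ctx):
    """Summarise what a context really enforces, for an audit log or a unit test."""
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "non_pfs_suites": non_pfs_suites(c["name"] for c in ctx.get_ciphers()),
    }
```

Running `posture()` against a context catches the case the page warns about: a client that has been reconfigured to accept weaker suites shows up with a non-empty `non_pfs_suites` list.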

Networking

VPN client IP pools can be either IPv4 or IPv6 and can be of arbitrary size or prefix length.

Split-tunneling is supported out of the box, with provisions for excluded routes (currently only supported on iOS) to allow certain netblocks to be routed outside the VPN tunnel.

Multi-Protocol Support

Out of the box, the server supports a custom SSL/TLS-based VPN protocol running over TCP, but additional protocols can be added, even on the same TCP port (assuming each VPN protocol has a distinguishable initial handshake). The default protocol is TCP-based because of the prevalence of mobile clients roaming on and off mobile data networks like LTE, which proactively optimize TCP traffic flows, resulting in lower battery consumption on end-user devices.
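Sharing one TCP port between protocols, as described above, works only if each protocol can be told apart from its first bytes without consuming them, so that the selected handler still sees the complete handshake. The following is an added example, not Pilvy code, of such a demultiplexer: it peeks at the start of a connection and distinguishes a TLS ClientHello (the SSL/TLS-based default protocol) from plain-text HTTP and from anything it does not recognise; the sample payloads are constructed.

```python
import socket

PEEK_LEN = 8  # TLS record header (5 bytes) + handshake type, or "OPTIONS "

def classify_handshake(first_bytes: bytes) -> str:
    """Classify a connection from its first bytes: 'tls', 'http' or 'unknown'."""
    if len(first_bytes) < PEEK_LEN:
        return "unknown"  # not enough data yet; the caller should wait for more
    # TLS record: content type 0x16 (handshake), version major 0x03, 2-byte
    # length, then the first handshake message byte must be 0x01 (ClientHello).
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[5] == 0x01:
        return "tls"
    # Plain-text HTTP starts with a method token followed by a space.
    method = first_bytes.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT", b"OPTIONS"):
        return "http"
    return "unknown"

def peek_protocol(conn: socket.socket) -> str:
    """Classify without consuming data, so the chosen handler gets the whole stream."""
    return classify_handshake(conn.recv(PEEK_LEN, socket.MSG_PEEK))

def demo():
    """Run the demultiplexer over two constructed connections on socket pairs."""
    # Constructed TLS ClientHello prefix: record 0x16 0x0301 len 200,
    # handshake type 0x01 len 196, client version 0x0303, then padding.
    client_hello = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
    http_req = b"GET / HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n"  # constructed
    results = []
    for payload in (client_hello, http_req):
        a, b = socket.socketpair()
        a.sendall(payload)
        proto = peek_protocol(b)
        leftover = b.recv(len(payload))  # full payload still there: peek did not consume
        a.close()
        b.close()
        results.append((proto, leftover == payload))
    return tuple(results)
```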

TLS renegotiation is not supported. Instead, the server can be configured to abort TLS sessions after a certain threshold of packets, bytes, or time has elapsed, to avoid session key compromise. In practice, this is only a concern for extremely long-lived TLS connections (spanning multiple years), as long as a minimum 128-bit cipher is used. In either case, the client reconnects to the server without adverse effects.

A high-performance hybrid TCP/UDP protocol will be made available in a future release.

Extensibility

Pilvy VPN Server is built on Pilvy VPN Server Toolkit, our VPN SDK. Customers are able to extend the VPN server in a number of different areas:

More documentation on the server and plugin API will be provided in a future release.

Pricing Plans

Mini

  • 5 Concurrent Users
  • Local Authentication
  • SQL Authentication
  • LDAP/AD Authentication
  • OpenID Connect Authentication
  • Custom Plugins
$99 / year

Small

  • 10 Concurrent Users
  • Local Authentication
  • SQL Authentication
  • LDAP/AD Authentication
  • OpenID Connect Authentication
  • Custom Plugins
$189 / year

Medium

  • 50 Concurrent Users
  • Local Authentication
  • SQL Authentication
  • LDAP/AD Authentication
  • OpenID Connect Authentication
  • Custom Plugins
$889 / year

Interested in a fully managed VPN solution for your company? Contact Us
