Resources
VPNs (Virtual Private Networks) are a popular method for securing remote access to networks, resources, or services. Accordingly, they’ve been a staple for several decades and many organizations continue to use them today to work remotely. But as organization needs, processes, and technologies evolve, organizations and businesses find themselves looking for VPN alternatives.
This list is for teams seeking other solutions for business use, especially those trying to avoid the following VPN problems:
Latency issues (due to hops)
Device management costs (clients need to be installed and maintained everywhere)
Poor logging for auditing purposes (VPNs establish a log on connection, but not per-request)
Expansion of data boundary (your data must travel through the VPN’s networks, inviting MitM)
Perimeter Problem inherent to perimeter-defense
There are four criteria that makes a VPN alternative good:
Usability: The solution should be easy to use for both end users and easy to setup for admins. VPNs are notoriously unfriendly for end users and represent a management burden for IT teams and administrators. Any replacement solution should have no end user clients and no agents, connectors, or daemons installed on the backend to make life easier for network admins.
Speed: Users demand speed. The best alternative solution will have architecture or infrastructure for providing the fastest latency possible. While it can be hard to compare latency for various solutions, keep in mind that self-hosted solutions will invariably be faster than third-party hosted services.
Security: Last but not least, the replacement needs to be secure. We are shifting away from perimeter-based security, so the replacing solution should be capable of continuous verification. The ideal solution goes beyond simply verifying authentication and authorization at the start of a session.
This list has various options with bullet points of their notable features and of course, pricing:
Pomerium is an open-source identity and context-aware proxy for providing secure zero trust access to internal services such as web applications. Additionally, it can be integrated with any identity provider that supports OIDC and OAuth 2.0 protocols to enable SSO, enforcing granular access policies to the resources it protects. Because it can be deployed anywhere, Pomerium is often used by organizations looking to give any resource access control capabilities, making it an effective zero trust VPN alternative for organizations looking to secure their internal services.
Usability: Pomerium enables clientless access without tunneling, ensuring users are satisfied and IT admins are happy.
Speed: Self-hosted makes Pomerium faster than any third-party hosted service.
Security: Continuous verification makes Pomerium more secure than tunnel-based solutions. As Pomerium is self-hosted, users retain data privacy and tenancy.
Pricing:
Pomerium Core — free and open source
Pomerium’s Quickstart is easy to use and developers can protect any resource in just 5 minutes!
As part of the Google Cloud Platform bundle, Google’s Identity-Aware Proxy is a cloud-based access control solution that provides secure access to cloud resources. It uses Google Cloud Identity and Access Management (IAM) to manage access policies and supports role-based access control (RBAC) and multi-factor authentication (MFA). Moreover, Google IAP is designed to work natively with Google’s other cloud offerings, making it a good VPN alternative option for teams that are already in the Google ecosystem.
Note that Google IAP is not the same as their internal tool UberProxy. You can read our full writeup on Google IAP here.
Usability: IAP supports clientless access, but only for those already on Google Cloud Platform (GCP). It requires client-based access for multi-cloud and hybrid-cloud use-cases.
Speed: IAP is fast in GCP, but reverts to tunnels and Virtual Private Clouds in other use-cases. This adds severe limitations.
Security: They are also capable of continuous verification, but this is problematic as it decrypts your data to the third-party service. In this case, Google has access to all your data, making this a poor option for privacy-sensitive companies.
Pricing:
For Google Cloud-hosted resources — free
BeyondCorp Enterprise — $6/user/month, minimum $14k
Cloudflare Access is an identity-based access control solution that uses Cloudflare's global network to provide secure access to internal resources. Because Cloudflare is already offering DNS services to many companies, they began adding to their infrastructure, resulting in Access.
Consequently, Cloudflare Access offers granular access controls with policies managed centrally. For this reason, Access is a good VPN alternative for teams that do not want to self-host their access solution and are comfortable with the minor latency issues resulting from backhauling data.
Usability: Cloudflare is capable of clientless access.
Speed: Cloudflare is a hosted third-party service. This makes Cloudflare slower than self-hosted solutions like Pomerium.
Security: Cloudflare's HTTPS Inspection enables Cloudflare to do continuous verification. However, like Google, this exposes all user data to Cloudflare and there is no data tenancy.
Pricing:
Under 50 users — free
Pay-as-you-go — $7/user/month
If you’re trying to provide access to databases, servers, and Kubernetes clusters, StrongDM is a strong contender. Their platform uses multi-factor authentication and audit logging to enhance security and supports a range of identity providers, including LDAP and Okta. StrongDM simplifies user management in your existing SSO solution and keeps the underlying credentials and keys hidden from end users. It provides clear auditing logs for all database queries, complete SSH and RDP sessions, and kubectl activity.
Whereas Pomerium is primarily for HTTP-based traffic, StrongDM's bread and butter is layer 4 networking.
Usability: StrongDM uses client-based access, and connectors. They provide poor usability for end users and admins alike.
Speed: As StrongDM is a hosted third-party service, they will be slower compared to self-hosted solutions like Pomerium.
Security: StrongDM is a tunneling solution — this means their security features are done at the start of a session. Once a session is established, StrongDM is unable to verify the authenticity of the stream of data as it happens. As a result, StrongDM is incapable of continuous verification to check the activities of any ongoing session and block malicious actions, disqualifying them from being a zero trust solution.
Pricing:
Contract-only — $70/user/month, 20 seat minimum
In brief, Perimeter81 is a cloud-based access management solution that provides secure access to cloud and on-premises resources. Their solution uses identity and MFA to authenticate users and supports a range of authentication methods, including SSO and LDAP. It uses a Software-Defined Perimeter (SDP) architecture to provide secure access and visibility to specific applications and services through creating an individualized network segment for each user. While this purportedly provides an additional layer of security by isolating resources from the public internet, it does hit the Perimeter Problem.
Usability: Perimeter81 is client-based access, using connectors and agents on the backend.
Speed: Being a third-party hosted solution, Perimeter81 will have added latency. They have tried to address this by having a global backbone infrastructure, but users will find them to be slower than self-hosted solutions.
Security: Also a tunneling solution, Perimeter81 shares the same problems as all other tunneling solutions — authentication and authorization is only checked at the start of a session, then Perimeter81 cannot perform continuous verification on actions after that. This does mean that their solution is unable to check and verify the activities of any ongoing connection to block malicious actions, disqualifying them from being zero trust.
Pricing:
Multiple plans starting at $8/user/month going up to $16/user/month
Enterprise contract available
Twingate uses a client-to-client model to authenticate users and supports a range of authentication methods, including SSO and MFA. While based on VPN architecture, they’ve attempted to address the perimeter vulnerability inherent to VPNs by granting access on a need-to-know basis and hiding other resources. Consequently, Twingate is primarily used to provide remote access to corporate networks and cloud resources.
Usability: Twingate is a NextGen VPN with a lightweight client. However, this still makes them a client-based access solution with connectors and agents on the backend.
Speed: Twingate tries to fix the problem of extra hops by using their design to make sure the extra hop only matters at the start of a connection. In theory, this means the latency will only be slow at the start of a connection.
Security: Being a tunneling solution, Twingate's security features are to check if the requesting user has authorization and authentication to the service they want to access, then provisions that access. This does mean that Twingate is unable to check and verify the activities of any ongoing connection to block malicious actions, disqualifying them from being zero trust.
Pricing:
Under 5 users — free
Teams — $5/user/month (up to 100)
Business — $10/user/month (up to 500)
Enterprise contract available
Tailscale is a virtual private cloud which effectively allows you to create your own private internet. Where most VPNs allow individual users to connect to a network and treat their connection as though it originated from within the network, Tailscale stitches together multiple networks (and devices) and treats them as one, redefining the boundaries of the network and its perimeter. Its primary usage is for organizations creating a network between cloud resources without the need for firewall configuration changes. While Tailscale is extremely effective for providing access to hard-to-reach resources, its usage of the perimeter means you may want other solutions for securing the tailnet.
Usability: Tailscale is a Mesh VPN solution for solving the NAT problem. Ultimately, they are a VPN with a client.
Speed: It's hard to judge Tailscale's speed as it can also be a self-hosted virtual private cloud. However, unless every part of your network mesh is self-hosted, you risk the added latency.
Security: Tailscale has the Perimeter Problem — they only check for authentication and authorization when a user makes the access request. Once that user gains access, Tailscale is unable to block the user from performing malicious actions for the duration of that session.
Pricing:
Up to 3 users — free
Starter — $6/user/month
Premium — $18/user/month
Enterprise contract available
Boundary is HashiCorp's open-source identity-aware proxy that provides secure access to internal resources. It uses a client-to-server model to authenticate users and supports a range of authentication methods, including SSH certificates and OIDC. As a result, it works to replace the VPN by establishing secure connections between authorized users and the target resources, without exposing the resources directly to the internet. Ultimately, their goal is to provide access to applications only, not to the network.
Usability: HashiCorp Boundary uses end-user clients and backend agents called Boundary Workers. While it's usable, it's not the best experience.
Speed: Being that the Boundary Controller is involved at the start of each connection, HashiCorp Boundary will have some latency on connection. However, once the tunnel has been established, it should be reasonably fast.
Security: Unfortunately, being a tunneling solution does result in HashiCorp Boundary being unable to enforce continuous verification. Once that tunnel has been established between the client and Boundary Worker, the access is treated as authenticated and authorized. Malicious actions will not be inspected and blocked from execution.
Pricing:
Open-source — free
HCP Standard — $0.50 per session
GoTeleport is a cloud-native access solution that provides secure access to internal resources. While it uses some similar concepts in VPNs such as encryption and secure connections, it is not considered a VPN in the traditional sense. Instead, it uses a cloud-based infrastructure to provide secure access to resources on a per-user basis without exposing them to the public internet. GoTeleport uses a client to connect to a remote network, and then routes traffic through a cloud-based proxy, providing secure access to resources without the need for a traditional VPN.
Caution: Teleport's model seeks to replace OpenSSH with their own. You can read our entire write-up here.
Usability: Teleport is a client-based solution, marking it down for user experience. It also has extensive usage of agents, making it a headache for network admins to manage.
Speed: Teleport is a third-party hosted solution, which adds latency from data backhauling.
Security: Being a tunneling solution, Teleport is unable to check and verify the activities of any ongoing connection to block malicious actions, disqualifying them from being zero trust.
Pricing:
Open-source — free
Enterprise contract available
Securing access is broke down into two parts: security and access. When evaluating what VPN alternatives tools you may want to try out, consider the following questions for each category:
Security | Access and User Experience |
How does it authenticate and authorize? | How frustrating is it to use for end users? Is there a client? Does it need periodical updating and maintenance? |
Is the access periodically/continuously monitored/verified? | Does the experience differ for remote workers (such as latency or connection drops)? If yes, how much does this impact workflow and performance? |
How is access revoked or limited? | How is access granted? If an employee wants access to X, how manual is it for the organization to provision that access? |
Where is the data going? At what point is it in a position where my data gets Man-in-the-Middle’d? | Does it require a client on the end user’s machine? |
How does it collect logs? Are those logs complete and easy to audit? | Is there session replay so administrators can troubleshoot the user experience? |
In any case, having answers to these relevant questions will help you make informed decisions on how your current tool is working and what tool to shift to next.
Self-hosted access solutions provide two desirable aspects to a remote access solution: speed and security.
While this image is a bit of an exaggeration (but happens more often than you think), it explains why hosted third-party solutions add unnecessary latency. The data needs to travel from the origin server to the VPN service, which then sends that data on to the requesting user. In horrible situations the data needs to travel through multiple servers before reaching its intended destination, with each server "hop" adding extra latency.
Companies seeking a VPN replacement can do better than solutions using the same latency-inducing architecture. Utilizing self-hosted solutions skips this unnecessary data backhauling for faster speeds while retaining data tenancy and improves security.
You lose control of your data when it travels from origin servers to the third-party hosted solution's servers. In cases where these hosted solutions also provide security features (such as Cloudflare's HTTPS Inspection), that data is decrypted into clear-text, exposing all private information such as passwords, cookies, and more. This is unavoidable because you cannot control what is being done with that data on the service provider's infrastructure. The possibility of this data being breached due to the service provider's negligence or malicious insider is completely out of your control.
The only way to ensure this does not happen is to self-host your access control solution and retain data tenancy. Options such as Pomerium ensure the fastest speeds while providing peace-of-mind that your data stays yours.
Companies can only shift away from the faulty perimeter-defense strategy when they have a comfortable VPN alternative.
Pomerium’s place as an open-source context-aware reverse proxy helps prevent ransomware attacks on internal services and resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:
Easier with clientless access.
Faster by being tunnel-free and deployed where your apps and services are.
Safer because every single action is verified before allowed to execute.
Tailored to your organization’s needs by integrating all data for context-aware access.
Pomerium’s place as an open-source context-aware reverse proxy helps prevent ransomware attacks on internal services and resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:
Easier with clientless access.
Faster by being tunnel-free and deployed where your apps and services are.
Safer because every single action is verified before allowed to execute.
Tailored to your organization’s needs by integrating all data for context-aware access.
Our customers depend on us to secure zero trust, clientless access to their web applications everyday.
Check out our open-source Github Repository or give Pomerium a try today!
Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.
Company
Quicklinks
Stay Connected
Stay up to date with Pomerium news and announcements
