Expose a VPN service

Using Border0, running an authenticated VPN service for your users is easy. This allows clients to connect to your VPN Socket, making your (private) IP network available via this VPN.

An example use case may be a scenario with an AWS VPC with private Subnets. Using this VPN socket, you can easily spin up a VPN server on that private VPC, allowing clients authorized by your Border0 policy to connect to these private subnets over an encrypted TLS tunnel.

1 - Create and connect VPN socket

The first step is to create a socket for this new VPN server. The VPN server is built on top of a TLS socket.
border0 socket create --type tls --name myvpn


$ border0 socket create --type tls --name myvpn
│ SOCKET ID                            │ NAME  │ DNS NAME                      │ PORT(S) │ TYPE │ DESCRIPTION │
│ b11d0c10-fc86-43a9-8ed4-42a83beaeea0 │ myvpn │ myvpn-border0-demo.border0.io │ 22129   │ tls  │             │

│ default     │                    │ Yes               │

After the socket has been created, it's time to connect it to the Border0 infrastructure and start the VPN server. We'll also provide the --route flag, instructing the VPN server to let clients that connect to the VPN know what routes to install. sudo border0 socket connect vpn myvpn --route

Note you'll likely need to enable IP forwarding and NAT on the VPN server. On a typical linux machine this can be achieved like this

sudo sysctl net.ipv4.ip_forward=1
# Note replace eth0 as needed
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


sudo or root credentials

The VPN server will create a new TUN interface on your server, which requires root credentials.

$ sudo border0 socket connect vpn myvpn --route
Welcome to Border0.com
myvpn - tls://myvpn-border0-demo.border0.io


Now that your VPN server is running and ready for connections, it's time to test.

2 - Connecting to your VPN

To start, make sure you're logged in as a client to your border0 organization: sudo border0 client login --org <orgname>. Make sure to replace the orgname with your Border0 organization name.

Now we can connect to your new VPN service.
Run sudo border0 client vpn and pick your newly created vpn service from the list.

$ sudo border0 client vpn
? choose a host: myvpn-border0-demo.border0.io []
{"level":"info","ts":"2023-08-03T15:58:52-07:00","msg":"Created TUN interface","interface_name":"utun6"}
{"level":"info","ts":"2023-08-03T15:58:52-07:00","msg":"Received control message","control_message":{"client_ip":"","server_ip":"","subnet_size":22,"routes":[""]}}

You're now connected to the VPN. A new network interface was created and as can be seen in the output, the VPN server provided the client with an IP address and one or more routes to install.

In the example above, we can see the server provided us with the IP address; it told us the VPN server is, and we can reach the network via the VPN server (

3 - Testing your VPN

The first step is to test and see if you can ping the VPN server from the client like this:

$ ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=76.133 ms
64 bytes from icmp_seq=1 ttl=64 time=120.387 ms

We can also double-check to see if the routes were installed correctly. On Linux or Mac, we can use netstat like this:

$ netstat -rn | grep 192.168.42
192.168.42         utun6              USc             utun6

4 - Advanced usage

We have a few additional things we can configure on the _VPN server _we started in step 2.
The border0 socket connect vpn command is used to start the VPN server and has a few additional flags.

$ sudo border0 socket connect vpn  --help
Connect a VPN socket (TLS under-the-hood)

  border0 socket connect vpn [flags]

  -h, --help                help for vpn
      --route strings       Routes to advertise to clients
      --vpn-subnet string   Ip range used to allocate to vpn clients (default "")

Using the --route flag indicates what routes should be pushed down to VPN clients. You may repeat this flag multiple times if you have multiple routes you'd like to make available to your VPN clients.

Using the --vpn-subnet flag, the VPN administrator can control what IP range to use as a range to allocate IP addresses from to connecting clients. The first IP is always reserved for the VPN server. Think of this as your DHCP range for VPN clients. The default range is


$ sudo border0 socket connect vpn myvpn  --vpn-subnet --route --route
Welcome to Border0.com
myvpn - tls://myvpn-border0-demo.border0.io

{"level":"info","ts":"2023-08-03T16:15:52-07:00","msg":"Started VPN server","interface":"utun5","server_ip":""," vpn_subnet ":""}