VPN Replacement

Replace legacy VPNs with zero-trust infrastructure access. Better security, better performance, easier management.

Estimated time: 45 minutes

VPN vs TigerAccess

Legacy VPN               | TigerAccess
-------------------------|--------------------------
Network-level access     | Resource-level access
Static credentials       | Short-lived certificates
Complex configuration    | Minutes to deploy
Single point of failure  | Distributed architecture
Split tunneling risks    | Direct secure connections
Limited visibility       | Complete audit logs

Migration Steps

1. Deploy TigerAccess Infrastructure

Set up the TigerAccess cluster.

# Deploy auth service
tigeraccess start --roles=auth \
  --config=/etc/tigeraccess/config.yaml

# Deploy proxy service (public facing)
tigeraccess start --roles=proxy \
  --auth-server=auth.company.com:3025 \
  --public-addr=access.company.com:443

2. Register Resources

Connect your resources to TigerAccess.

# Deploy agents on servers
tigeraccess start --roles=agent \
  --auth-server=auth.company.com:3025

# Register databases
tacctl db add prod-postgres \
  --protocol=postgres \
  --uri=postgres.internal:5432

# Register K8s clusters
tacctl kube add prod-cluster \
  --kubeconfig=/path/to/kubeconfig

3. Migrate Users from VPN

Transition users to TigerAccess.

# Connect to identity provider
tacctl sso configure oidc \
  --issuer=https://login.company.com \
  --client-id=tigeraccess

# Import existing groups
tacctl users sync --source=ldap

# Create role mappings
tacctl roles create developer \
  --allow-logins=ubuntu \
  --allow-labels=env:dev,env:staging

4. Configure Access Policies

Define zero-trust access rules.

tacctl create -f - <<EOF
kind: role
metadata:
  name: remote-worker
spec:
  allow:
    logins: [ubuntu, ec2-user]
    node_labels:
      env: [dev, staging, production]

  options:
    require_session_mfa: true
    max_session_ttl: 8h
    record_session:
      default: strict
EOF
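
A review check for role documents like the one above, as an added example that is not part of the TigerAccess guide or product. It assumes the role has already been parsed from YAML into a Python dict; the 8h ceiling, the duration grammar and the legacy-admin sample role are assumptions of this example.

```python
import re

# Review thresholds are assumptions of this example, not TigerAccess defaults.
MAX_TTL_SECONDS = 8 * 3600
# Duration grammar (digits plus s/m/h) is assumed from the "8h" used in the guide.
UNITS = {"s": 1, "m": 60, "h": 3600}

def ttl_seconds(value):
    """Convert a duration such as '8h' or '1h30m' to seconds; None if malformed."""
    text = str(value).strip()
    if not re.fullmatch(r"(\d+[smh])+", text):
        return None
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smh])", text))

def lint_role(role):
    """Return findings for one role document already parsed from YAML."""
    spec = role.get("spec") or {}
    allow = spec.get("allow") or {}
    opts = spec.get("options") or {}
    findings = []
    if opts.get("require_session_mfa") is not True:
        findings.append("require_session_mfa is not true")
    ttl = ttl_seconds(opts.get("max_session_ttl", ""))
    if ttl is None:
        findings.append("max_session_ttl is missing or malformed")
    elif ttl > MAX_TTL_SECONDS:
        findings.append("max_session_ttl exceeds 8h")
    if (opts.get("record_session") or {}).get("default") != "strict":
        findings.append("record_session.default is not strict")
    if "root" in (allow.get("logins") or []):
        findings.append("logins include root")
    return findings

# The remote-worker role from this step, written as the dict a YAML parser yields.
REMOTE_WORKER = {
    "metadata": {"name": "remote-worker"},
    "spec": {
        "allow": {"logins": ["ubuntu", "ec2-user"],
                  "node_labels": {"env": ["dev", "staging", "production"]}},
        "options": {"require_session_mfa": True, "max_session_ttl": "8h",
                    "record_session": {"default": "strict"}},
    },
}

# Constructed weak role for contrast (hypothetical, not from the guide).
WEAK_ROLE = {"metadata": {"name": "legacy-admin"},
             "spec": {"allow": {"logins": ["root"]}, "options": {"max_session_ttl": "72h"}}}

if __name__ == "__main__":
    for r in (REMOTE_WORKER, WEAK_ROLE):
        print(r["metadata"]["name"], lint_role(r) or "ok")
```

Running the check over every role before the VPN is switched off catches roles that were migrated without the MFA, TTL and recording options set.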

5. Decommission VPN

Verify access, then remove the VPN.

# Verify all resources accessible via TigerAccess
tac ls

# Test access to critical resources
tac ssh user@prod-server-1
tac db connect prod-postgres
tac kube get pods

# Decommission VPN
# 1. Notify users of migration date
# 2. Revoke VPN credentials
# 3. Remove VPN infrastructure

VPN Replaced

With the VPN replaced by TigerAccess, you have:

  • Resource-level access, not network access
  • No VPN infrastructure to maintain
  • Better user experience
  • Complete visibility and audit trail