“How do I reach company systems from outside?” had a single answer for twenty years: the VPN. Today the better answer, for many organisations, is a different one: an overlay network— an encrypted network that lives on top of the Internet and connects users, servers, sites and appliances with direct tunnels, without exposing anything. The underlying technology is called WireGuard, it is open source and has been part of the Linux kernel since 2020. Let's look at how it works, what changes compared to a VPN, and the question — almost always skipped — to ask before choosing a service of this kind.
The VPN grants access to the network. That is the problem
A traditional VPN does exactly what it promises: it puts the remote device inside the corporate network. The problem is that it really does. A stolen credential or a compromised laptop does not open a door: it opens the building — with the ability to move laterally towards file servers, business applications, backups. It is no coincidence that ransomware often enters a company through a legitimate remote access.
Then there is a second, quieter problem: the VPN concentrator is a service exposed on the Internet. It must be patched with discipline, and critical vulnerabilities in VPN gateways and remote access appliances are by now a fixture in security agencies' bulletins — anyone running a firewall with a published VPN knows how often the “update immediately” advisory arrives. Every port listening on the Internet is attack surface that someone, sooner or later, will probe.
How an overlay network works
An overlay network flips the model. On every device — laptop, server, virtual machine, appliance — a lightweight agent establishes point-to-point encrypted WireGuard tunnels with the other authorised devices. Connections are outbound: no open ports, no port forwarding, and the tunnels traverse NATs on their own; only when a direct link is impossible does traffic pass through a relay, which sees exclusively encrypted packets. WireGuard is the reason all this is reliable: roughly 4,000 lines of code against the hundreds of thousands of traditional VPN stacks, modern cryptography, and part of the Linux kernel since release 5.6 in 2020.
Above the tunnels sits the piece that decides everything: the control plane. It is the brain of the network: it authenticates devices (typically with SSO on the corporate identity), distributes the keys and enforces the access policies — who may talk to whom, on which ports. It is worth being precise about what it sees and what it does not:
| The control plane | Detail |
|---|---|
| Does not see | The content of the traffic: it travels encrypted end-to-end directly between devices, even when it transits a relay. |
| Sees — and governs | The device inventory and their identity, the public keys, the access policies (who may reach what), the network topology, the connection events. |
In other words: the control plane does not read your files, but it knows the complete map of how your company is connected — and it has the power to change it. It is a critical asset in the same sense as the network controller: the right question is not just “what features does it have”, but “where does it live and who answers for it”.
The question almost nobody asks: where is the control plane
The best-known overlay services are SaaS offerings from US providers: they activate in ten minutes and work well, but the control plane — the map and the keys of your network — lives with a provider subject to US jurisdiction. The same reasoning we made for the UniFi controller applies: the CLOUD Act, the 2018 federal law, allows US authorities to order a provider under their jurisdiction to hand over the data it holds, wherever the servers physically are. Alternatives exist, and this is where the open-source nature of the technology becomes a practical fact rather than an ideological one: the control plane can run elsewhere.
| Option | Who runs the control plane | Jurisdiction | Suited to |
|---|---|---|---|
| Vendor SaaS | The vendor | Typically US (CLOUD Act) | Those who value speed and have no jurisdiction constraints |
| Self-hosted (open source) | You | Yours | Structured IT teams, ready to run it as production |
| Managed by a European IT provider | The provider, on EU cloud | EU | Those who want the Zero Trust model without running its infrastructure |
Said without taking sides, as always: for many companies the provider's jurisdiction is irrelevant, and that is a legitimate choice. But if the organisation has constraints — due diligence from enterprise customers, public sector, regulated data — the jurisdiction of the control plane must be decided before, not discovered after. And self-hosting is realistic only if someone, with a first and last name, takes responsibility for updating it, backing it up and monitoring it.
What about Microsoft Entra Private Access?
A fair question, because Microsoft has its own ZTNA answer: Entra Private Access (part of Global Secure Access) publishes internal applications to users authenticated with Entra ID, with Conditional Access on every request. It requires Entra ID P1 or P2 as a prerequisite, plus a dedicated licence or the Microsoft Entra Suite. For user access to applications in a Microsoft environment it is often the most natural path — we covered it in ZTNA: how to replace the corporate VPN.
The overlay network covers what an application-level ZTNA does not: site-to-site links between locations, servers talking to servers, management appliances and self-hosted resources, mixed environments where not everything lives in the Microsoft ecosystem. They are not competitors: they are two tools, and in plenty of organisations they coexist — Entra Private Access for people, the overlay network for infrastructure. The choice depends on structure, licensing and budget: it is a network project, not a catalogue purchase.
From field experience
Four things you learn by putting overlay networks into production, not by reading brochures.
- If the control plane is down, the network holds — but freezes. Active tunnels keep working with the keys already distributed; what stops is anything new: new devices, policy changes, rotations. That is why the control plane must be monitored like a production system, not treated as a convenience tool.
- Start with subnet routers, not with agents everywhere. The practical rollout begins with one node publishing an existing subnet (the office, the server farm) and agents only on remote devices: you migrate in pieces, without a big bang. Agents on individual servers come later, where granular policies are needed.
- Default-deny policies must be tried on a pilot group.The power to say “only the authorised reach this resource” is also the power to cut off the ERP at 9 on a Monday morning. Pilot group first, then the rest of the company — with policies versioned and documented.
- The identity hook is the real multiplier. With SSO on Entra ID, offboarding a collaborator also revokes network access — immediately, not at the next review of VPN accounts. And internal DNS must be planned: the names by which resources are reached through the overlay must be the same everywhere, or the phone rings.
Our model
For completeness: we deliver a managed Zero Trust overlay network based on WireGuard and open-source technology, with the control plane on our European cloud infrastructure — under EU jurisdiction, managed according to ISO/IEC 27001, 27017, 27018 and ISO 9001 — identity-based access with SSO on Microsoft Entra ID and per-group policies. It integrates with the management of the network and of hardware: for those who want the model, without becoming its maintainer.
Sources
- Jason A. Donenfeld — “WireGuard: Next Generation Kernel Network Tunnel” (whitepaper, NDSS 2017)
- Linux kernel — release 5.6, March 2020 (WireGuard mainlined)
- CLOUD Act — Clarifying Lawful Overseas Use of Data Act, H.R. 4943, United States, 2018
- Microsoft Learn — “What is Global Secure Access?” and “Microsoft Entra licensing”
Dig deeper
Frequently asked questions
Answers to the most common questions about overlay networks and VPN replacement.
Technically it uses the same family of tools — encrypted tunnels, in this case WireGuard — but the access model is the opposite. A classic VPN connects the device to the network: once inside, you can reach everything the network does not forbid. An overlay network connects the device to the individual authorised resources: every connection is explicit, tied to identity, and everything else simply does not exist. It is the difference between handing over the keys to the building and opening one door at a time.
No: traffic travels encrypted end-to-end directly between devices, and even when a relay is needed the content stays encrypted. But the control plane knows a lot about the network: which devices exist, who may talk to whom, the topology, the connection events. That is why the question “who runs the control plane, and under which jurisdiction” must be asked before choosing the service, not after.
Established tunnels keep working: the keys are already distributed and traffic flows directly between devices. What stops is the management plane: no new devices, no key rotation, no policy changes until it is reachable again. It is degraded operation, not a blackout — but it is also why the control plane must be run and monitored like a production system.
It depends on what you need to connect. Entra Private Access is the natural answer for user access to internal applications in a Microsoft environment: it requires Entra ID P1 or P2 plus a dedicated licence or the Microsoft Entra Suite, and integrates with Conditional Access. The overlay network covers what an application-level ZTNA does not: site-to-site links between locations, servers talking to servers, management appliances, mixed environments. In many organisations they coexist: we choose based on structure, licensing and budget.
No, and that is one of the main advantages: every device establishes outbound connections, and the tunnels form using NAT traversal techniques. No port forwarding, no public VPN concentrator to patch, no RDP or VNC exposed on the Internet. An attacker scanning your public IPs finds nothing listening.