Insights

Overlay networks:
beyond the corporate VPN

·Zero TrustVPNWireGuardNetworkingSME
WireGuard in the Linux kernelSince 5.6 (2020)
WireGuard codebase~4,000 lines
Ports exposed on the InternetZero
CLOUD ActUS law, 2018

“How do I reach company systems from outside?” had a single answer for twenty years: the VPN. Today the better answer, for many organisations, is a different one: an overlay network— an encrypted network that lives on top of the Internet and connects users, servers, sites and appliances with direct tunnels, without exposing anything. The underlying technology is called WireGuard, it is open source and has been part of the Linux kernel since 2020. Let's look at how it works, what changes compared to a VPN, and the question — almost always skipped — to ask before choosing a service of this kind.

The VPN grants access to the network. That is the problem

A traditional VPN does exactly what it promises: it puts the remote device inside the corporate network. The problem is that it really does. A stolen credential or a compromised laptop does not open a door: it opens the building — with the ability to move laterally towards file servers, business applications, backups. It is no coincidence that ransomware often enters a company through a legitimate remote access.

Then there is a second, quieter problem: the VPN concentrator is a service exposed on the Internet. It must be patched with discipline, and critical vulnerabilities in VPN gateways and remote access appliances are by now a fixture in security agencies' bulletins — anyone running a firewall with a published VPN knows how often the “update immediately” advisory arrives. Every port listening on the Internet is attack surface that someone, sooner or later, will probe.

How an overlay network works

An overlay network flips the model. On every device — laptop, server, virtual machine, appliance — a lightweight agent establishes point-to-point encrypted WireGuard tunnels with the other authorised devices. Connections are outbound: no open ports, no port forwarding, and the tunnels traverse NATs on their own; only when a direct link is impossible does traffic pass through a relay, which sees exclusively encrypted packets. WireGuard is the reason all this is reliable: roughly 4,000 lines of code against the hundreds of thousands of traditional VPN stacks, modern cryptography, and part of the Linux kernel since release 5.6 in 2020.

Above the tunnels sits the piece that decides everything: the control plane. It is the brain of the network: it authenticates devices (typically with SSO on the corporate identity), distributes the keys and enforces the access policies — who may talk to whom, on which ports. It is worth being precise about what it sees and what it does not:

The control planeDetail
Does not seeThe content of the traffic: it travels encrypted end-to-end directly between devices, even when it transits a relay.
Sees — and governsThe device inventory and their identity, the public keys, the access policies (who may reach what), the network topology, the connection events.

In other words: the control plane does not read your files, but it knows the complete map of how your company is connected — and it has the power to change it. It is a critical asset in the same sense as the network controller: the right question is not just “what features does it have”, but “where does it live and who answers for it”.

The question almost nobody asks: where is the control plane

The best-known overlay services are SaaS offerings from US providers: they activate in ten minutes and work well, but the control plane — the map and the keys of your network — lives with a provider subject to US jurisdiction. The same reasoning we made for the UniFi controller applies: the CLOUD Act, the 2018 federal law, allows US authorities to order a provider under their jurisdiction to hand over the data it holds, wherever the servers physically are. Alternatives exist, and this is where the open-source nature of the technology becomes a practical fact rather than an ideological one: the control plane can run elsewhere.

OptionWho runs the control planeJurisdictionSuited to
Vendor SaaSThe vendorTypically US (CLOUD Act)Those who value speed and have no jurisdiction constraints
Self-hosted (open source)YouYoursStructured IT teams, ready to run it as production
Managed by a European IT providerThe provider, on EU cloudEUThose who want the Zero Trust model without running its infrastructure

Said without taking sides, as always: for many companies the provider's jurisdiction is irrelevant, and that is a legitimate choice. But if the organisation has constraints — due diligence from enterprise customers, public sector, regulated data — the jurisdiction of the control plane must be decided before, not discovered after. And self-hosting is realistic only if someone, with a first and last name, takes responsibility for updating it, backing it up and monitoring it.

What about Microsoft Entra Private Access?

A fair question, because Microsoft has its own ZTNA answer: Entra Private Access (part of Global Secure Access) publishes internal applications to users authenticated with Entra ID, with Conditional Access on every request. It requires Entra ID P1 or P2 as a prerequisite, plus a dedicated licence or the Microsoft Entra Suite. For user access to applications in a Microsoft environment it is often the most natural path — we covered it in ZTNA: how to replace the corporate VPN.

The overlay network covers what an application-level ZTNA does not: site-to-site links between locations, servers talking to servers, management appliances and self-hosted resources, mixed environments where not everything lives in the Microsoft ecosystem. They are not competitors: they are two tools, and in plenty of organisations they coexist — Entra Private Access for people, the overlay network for infrastructure. The choice depends on structure, licensing and budget: it is a network project, not a catalogue purchase.

From field experience

Four things you learn by putting overlay networks into production, not by reading brochures.

  • If the control plane is down, the network holds — but freezes. Active tunnels keep working with the keys already distributed; what stops is anything new: new devices, policy changes, rotations. That is why the control plane must be monitored like a production system, not treated as a convenience tool.
  • Start with subnet routers, not with agents everywhere. The practical rollout begins with one node publishing an existing subnet (the office, the server farm) and agents only on remote devices: you migrate in pieces, without a big bang. Agents on individual servers come later, where granular policies are needed.
  • Default-deny policies must be tried on a pilot group.The power to say “only the authorised reach this resource” is also the power to cut off the ERP at 9 on a Monday morning. Pilot group first, then the rest of the company — with policies versioned and documented.
  • The identity hook is the real multiplier. With SSO on Entra ID, offboarding a collaborator also revokes network access — immediately, not at the next review of VPN accounts. And internal DNS must be planned: the names by which resources are reached through the overlay must be the same everywhere, or the phone rings.

Our model

For completeness: we deliver a managed Zero Trust overlay network based on WireGuard and open-source technology, with the control plane on our European cloud infrastructure — under EU jurisdiction, managed according to ISO/IEC 27001, 27017, 27018 and ISO 9001 — identity-based access with SSO on Microsoft Entra ID and per-group policies. It integrates with the management of the network and of hardware: for those who want the model, without becoming its maintainer.

Sources

  • Jason A. Donenfeld — “WireGuard: Next Generation Kernel Network Tunnel” (whitepaper, NDSS 2017)
  • Linux kernel — release 5.6, March 2020 (WireGuard mainlined)
  • CLOUD Act — Clarifying Lawful Overseas Use of Data Act, H.R. 4943, United States, 2018
  • Microsoft Learn — “What is Global Secure Access?” and “Microsoft Entra licensing”

Frequently asked questions

Answers to the most common questions about overlay networks and VPN replacement.

Want to retire the VPN without opening holes?

We start from how your network looks today — sites, servers, remote access — and design the right path: Entra Private Access, a managed overlay network, or both. Without exposing anything on the Internet.