VPN Remote Access

The Monozu VPN module provides secure, policy-controlled remote access to IT and OT infrastructure. Access is limited to explicitly authorized assets — not entire subnets.

How it works

Your device
    │
    │ WireGuard tunnel
    ▼
VPN Hub (cloud)
    │
    │ routed via policy
    ▼
Edge appliance (customer site)
    │
    ▼
Allowed assets (e.g. PLC_Line_1, SCADA_Server)

No inbound ports need to be opened at the customer site. The Monozu edge appliance maintains a persistent outbound tunnel to the VPN Hub.

Prerequisites

• Your account must have VPN access permission (assigned by your administrator)
• You must be granted access to the target gateway via an Access Policy
• MFA must be configured on your account

Connecting

1. Go to VPN → Connect

2. Select the gateway (site) you want to access

3. If required by the access policy, enter a Change Request ID to associate your session

4. Download the WireGuard configuration or use the Monozu VPN client

5. Connect — your access is limited to the assets defined in the policy

Caution

VPN sessions are logged in full — connected user, gateway, accessed resources, duration, and bandwidth. All activity is attached to the audit trail.

What you can access

Access policies define exactly which assets are reachable. Your administrator configures rules like:

Group:   Vendor_Siemens
Gateway: Factory_Warsaw
Allowed: 192.168.10.4 (PLC_Line_1)
         192.168.10.12 (HMI_Line_1)

You cannot reach any other IPs — even if they are on the same subnet.

Session recording

For OT environments, SSH and RDP sessions may be recorded. If session recording is enabled, you will see a notice when connecting.