v1.0 — Self-Hosted Zero Trust

Identity-Aware Secure Remote Access

Your VPN doesn't know who is connected. Zylock does.
Single binary. WireGuard speed. Complete audit trail.

OIDC/SSO Integration · mTLS Device Trust · WireGuard Protocol · Air-Gap Ready

The Problem with Traditional VPNs

Legacy VPNs are secure doors — anyone with the key can enter. Zylock is a secure door with a bouncer.

Legacy VPN

  • "Here's a key, you're trusted forever"
  • Logs show IP addresses, not identities
  • Credential sharing is common
  • Revocation is manual and slow
  • No audit trail for compliance

Zylock

  • Every session tied to a verified identity (SSO)
  • Know exactly who accessed what, when
  • Device-bound certificates (mTLS)
  • Instant revocation from dashboard
  • Immutable audit logs for SOC 2 / ISO 27001 evidence

Built for Security Teams

Everything you need to replace your legacy VPN. Nothing you don't.


Identity-First Access

OIDC/SSO integration with any provider (Google, Microsoft, Okta). Admin approval workflow. Know exactly who is connected.


Device Trust

Mutual TLS certificates bound to each device. Cryptographic device identity, not just network location.


WireGuard Speed

Kernel-space WireGuard tunnel: high throughput and low latency. The WireGuard listener does not answer unauthenticated packets, so the endpoint stays silent to port scans.


Audit Trail

Immutable append-only logs. Every login, every approval, every revocation. Compliance-ready.


Single Binary

Server and agent in one executable. All assets embedded. No runtime dependencies. Air-gap ready.


Instant Revocation

Terminate sessions immediately from the dashboard. No waiting for token expiry. True Zero Trust.

How Zylock Works

From login to connection in five steps. No shared credentials. No credential files.

Flow: User + Device (SSO Login) -> Zylock Server (Identity + Audit) -> Internal Resources (File Servers, Apps, SSH)
1. User logs in with SSO

Google, Microsoft, Okta — any OIDC provider. MFA enforced by your IdP.

2. Admin approves the user

New users appear in dashboard. One-click approval with full audit trail.

3. User enrolls their device

The device receives an mTLS client certificate and its WireGuard keys. The private keys are generated for and held by that device, so its identity is bound to the hardware it runs on rather than to a credential file that can be copied.

4. Device connects via WireGuard

Kernel-space tunnel established. Both ends authenticate each other with their WireGuard keys, and every heartbeat between agent and server is mutually authenticated over mTLS.

5. Admin has full visibility

See who's connected, from where, when. Revoke access instantly if needed.

Simple, Transparent Pricing

No per-seat fees. No usage limits. No surprises.

Community Edition
Free
For evaluation and non-critical deployments
  • OIDC authentication (any provider)
  • JIT provisioning + admin approval
  • mTLS device authentication
  • WireGuard VPN tunneling
  • Audit logging (14-day retention)
  • Device enrollment and management
  • Full security hardening

Community Edition is not a trial — it's a fully functional, secure product.
Commercial License adds compliance and operational features for production use.

Why Zylock?

How Zylock compares to other approaches.

Capability Zylock Tailscale OpenVPN Traditional VPN
Self-hosted ✓ 100% ✕ Coordination server
Identity/SSO ✓ Any OIDC ✕ Certs only ✕ Shared keys
Audit trail ✓ Built-in ✓ Enterprise ✕ Manual
Protocol WireGuard WireGuard OpenVPN IPsec
Deployment Single binary Agent + SaaS Complex Appliance
Air-gap ready
Instant revocation

Security by Design

Assume failure. Design around it.

Transport: TLS 1.3 enforced, HSTS, strict CSP
Data at Rest: AES-256-GCM encryption
Authentication: bcrypt password hashing, CSRF protection
Sessions: Short-lived tokens, immediate revocation
Certificates: Server-controlled CN, CA pinning
Rate Limiting: 5 req/min per IP on auth endpoints

Get Started in Minutes

Single binary deployment. No containers. No orchestration.

1. Prerequisites

  • Server: Linux with root access
  • Ports: UDP 51820 (VPN), TCP 8443 (HTTPS)
  • Optional: OIDC provider credentials (Google, Microsoft, Okta)

2. Download and Initialize

# Download the latest release
curl -LO https://github.com/zylock-security/zylock/releases/latest/download/zylock-linux

# Make executable
chmod +x zylock-linux

# Initialize the server (interactive wizard)
sudo ./zylock-linux server init

The wizard prompts for a master key, admin credentials, and OIDC configuration.

3. Start the Server

sudo ./zylock-linux server

# Dashboard available at https://your-server:8443

4. Connect a Client

# On Windows client (PowerShell; the backtick continues the command onto the next line)
# Replace <SHA256> with the SHA-256 fingerprint of the CA certificate the admin gave you.
# Obtain that fingerprint through a channel separate from the PEM file itself, e.g. the
# admin runs on a trusted machine:  openssl x509 -in zylock-ca.pem -noout -fingerprint -sha256
.\zylock.exe connect login --server https://vpn.yourcompany.com:8443 `
    --ca-cert .\zylock-ca.pem `
    --ca-fingerprint <SHA256>

# Browser opens for SSO login
# Paste enrollment token when prompted
# VPN tunnel established automatically

5. Optional: Install as Service

# Make connection persistent across reboots
.\zylock.exe connect service install
.\zylock.exe connect service start
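The --ca-fingerprint option in step 4 and the "CA pinning" item under Security by Design rest on the same check: the client hashes the DER bytes of the CA certificate it was handed and refuses to proceed unless the digest equals a value obtained out of band. The Python below is an added illustration of that check, not Zylock's own code, and this page does not document which fingerprint spellings Zylock accepts. The PEM blob is constructed for the demo (its base64 body decodes to the bytes "abc", not to a real certificate), and the function names are the example's own.

```python
"""Illustration of a CA-fingerprint pinning check (added example, not Zylock code).

A certificate fingerprint is the SHA-256 digest of the certificate's DER bytes,
i.e. the decoded base64 payload between the PEM markers. The PEM below is
constructed: its payload decodes to b"abc", so its fingerprint is SHA-256("abc").
"""
import base64
import hashlib
import hmac
import re

# Constructed sample: "YWJj" is base64 for b"abc". A real CA PEM has a much
# longer body, but the fingerprint computation is identical.
CONSTRUCTED_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks in the base64 body
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint, the value an operator distributes."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept common spellings: openssl's 'SHA256 Fingerprint=AA:BB:...',
    a bare 'AA:BB:...', a 'sha256:' prefix, and either letter case."""
    value = text.strip()
    if "=" in value:
        value = value.split("=", 1)[1]
    if value.lower().startswith("sha256:"):
        value = value[len("sha256:"):]
    value = value.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError(f"not a SHA-256 fingerprint: {text!r}")
    return value


def ca_matches_pin(pem: str, expected_fingerprint: str) -> bool:
    """True only if the CA's fingerprint equals the pinned value.
    hmac.compare_digest keeps the comparison constant-time."""
    actual = sha256_fingerprint(pem_to_der(pem))
    expected = normalize_fingerprint(expected_fingerprint)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Pin in openssl's colon-separated upper-case form; equals SHA-256("abc").
    pin = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
           "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")
    print("fingerprint:", sha256_fingerprint(pem_to_der(CONSTRUCTED_CA_PEM)))
    print("pin matches:", ca_matches_pin(CONSTRUCTED_CA_PEM, pin))
    # A swapped CA ("YWJk" decodes to b"abd") must be rejected.
    tampered = CONSTRUCTED_CA_PEM.replace("YWJj", "YWJk")
    print("tampered CA rejected:", not ca_matches_pin(tampered, pin))
```

The point of the pin is that it is obtained separately from the PEM file: if an attacker can substitute both the CA file and the fingerprint on the same channel, pinning buys nothing. Distribute the fingerprint through the admin's dashboard session, a signed message, or in person, and treat a mismatch on first connect as a reason to stop, not to retry.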