PharosVPN
§05 · for enterprises

many users · many regions · same binaries

Run it like a fleet.

The --enterprise preset gives you multi-region pre-positioned nodes, multiple admins, MDM-managed clients, and audit retention sized for compliance — out of the same binaries an individual operator runs. There is no edition.

no edition, no paywall

Same engine. Different defaults.

Nothing on this page is locked behind a tier. We don't sell PharosVPN; we build it as an Apache-2.0 platform that anyone can run, audit, modify, and build on. The permissive licence puts no obligation on you to publish your changes — contributions are invited, not compelled.

how the licence works →

posture · what --enterprise sets

Defaults sized for a fleet.

Regionsoperator picks
Idle nodesencouraged — pre-positioned, stopped, brought up as load shifts
ProtocolsAmneziaWG + XRay both, per region
Relayembedded + as many remote relays as you need
Account syncoptional — MDM-only deployments run none
Adminsa core admin plus others added through the UI, each with their own device cert
Audit retention1 year
Metrics retention90 days
REALITY decoy siteconfigurable, rotated
Endpoint rotationon — anti-correlation, per-client

anti-correlation · a leak most VPNs leave open

Your fleet doesn't look like one address.

A typical corporate VPN has every employee dial the same vpn.example.com:443. A passive observer doesn't need to break TLS or WireGuard to cluster traffic by employer: same destination endpoint, same affiliation. The crypto is fine; the correlation surface stays open.

Each PharosVPN node binds a set of public IPs and a UDP port range — yielding a large pool of valid (ip, port) endpoints from a small config. A profile carries that pool plus a rotation policy { enabled, interval, jitter }. The client picks a random endpoint at connect and re-picks every interval ± jitter, swapping the WireGuard peer endpoint live. WireGuard peers roam by design, so the tunnel never drops.

On by default for --enterprise. Two employees in the same office hit two different (ip, port) pairs, ten minutes apart they hit two more. The visible signature of "your VPN" stops being a single hostname and starts being a moving cloud.

read the design →

operations

Multi-admin, multi-region, self-healing.

  • Always-on, self-healing control plane. A reconcile sweep checks every node on an interval and re-applies config when it drifts or a data plane goes stale; provisioning a profile or device pushes to the affected nodes automatically. A controller restart re-reconciles the whole fleet. Tested live on a cloud fleet (provision → auto-deliver, drift → heal, restart → recover).
  • Live admin UI. Every open admin page holds a WebSocket. coxswain pushes state changes to all of them — open the dashboard on three machines, all three update together. A client connecting to a node appears immediately, not on a thirty-second poll.
  • Optimistic concurrency. Every mutable record carries a version integer. If two admins edit the same user, the second writer is rejected with HTTP 409 and asked to reload. Live replication usually means they see the change first.
  • Pre-positioned idle nodes. Bring up regions ahead of demand, leave them stopped. When you need capacity in a region, coxswain starts the corresponding node; existing tunnels in other regions are unaffected.
  • Per-region relays. Reduce client latency to the relay by deploying remote relays in regions where your users live. The controller stays behind NAT regardless.

managed clients

MDM as a first-class profile source.

caravel reads profiles from a local store; profiles enter that store from interchangeable sources. MDM managed config is one of those sources. When an MDM config is present, the app hides account login and the admin section, and profiles are locked. One app, one store listing — no separate "enterprise build."

Pair that with iOS / Android per-app VPN configuration and you get a tunnel that only carries the traffic of the apps you designate, all driven from your existing MDM.

control plane · security & observability

Tokens, a tamper-evident audit log, and live monitoring.

  • Scoped API tokens. A token-authenticated management API alongside session login, with least-privilege scopes (readonly / monitor / admin), optional expiry, hashed at rest (plaintext shown once), and revocable. Create and manage them from the CLI or the dashboard.
  • Tamper-evident audit log. Every management action — API and CLI — records who, what, to what, from where, and success/failure. Rows are hash-chained, so an edit or deletion is detectable (cox audit verify). Queryable, with retention sized for compliance.
  • Live + persisted monitoring. Client connect/disconnect events stream off each node over gRPC, carrying the per-session source IP and resolved device/user, and are persisted with per-session rx/tx byte counts. Surfaced in the dashboard and queryable via the API.
  • SIEM stream. A first-class gRPC event stream (monitor-scope token, off by default, TLS in production) carries the same events to your SIEM, alongside SSE/WebSocket for dashboards.
  • End-to-end-encrypted profiles. The controller never holds usable user secrets — a controller compromise yields ciphertext, not profiles. The CA stays inside the controller's store and is never copied off it or exposed publicly.
  • Postgres posture. SQLite by default; an optional pure-Go Postgres backend (selected by DSN, single static binary preserved) for always-on/enterprise scale. The analytics engine warns when run on SQLite.

analytics · anomaly detection (experimental)

An engine that watches the session history.

An in-process engine sweeps persisted session history on an interval and raises alerts with severity and evidence, acknowledge/resolve-able from the dashboard, CLI, or API. These rules are best-effort and experimental — useful signal, not a guarantee.

  • Leaked profile — one profile seen from multiple source IPs in a window.
  • Impossible travel — geographically impossible IP changes (geo-velocity).
  • Revoked-profile-active — a revoked or disabled device still connecting.
  • Auth-failure spike — repeated failed logins from one source IP.
  • Off-hours / new-geo / dormant-then-active — connections that don't fit a device's learned baseline.
  • Fleet-health — a node going Unreachable or Error, auto-resolved when it recovers.
  • Data-volume / exfil — an upload well beyond a device's historical median (conservative baseline).