Zero Trust Advanced Managed VPN

Secure Gateway or Managed Zero Trust tiers

Managed WireGuard networking with modern identity, device checks, and policy-driven access.

Replace the “flat network” VPN with a service designed for least privilege: secure remote access, predictable egress IPs, and—on the advanced tier—granular routes, ports, groups and posture checks.

What you get

This service is a managed WireGuard network with an identity layer (Zitadel) and a policy layer. Instead of “connect = full network access”, we design access around who the user is, what device they’re on, and what they’re trying to reach.

  • Fast and modern VPN transport (WireGuard) with centrally managed keys and configuration.
  • Identity-aware onboarding using Zitadel user accounts and controlled enrolment.
  • Predictable egress via managed Exit Nodes (your “office IP” on the internet).
  • Optional zero trust controls: routes, ports, groups, policies, and posture checks.

Good for

  • Remote teams that need a trusted “office IP” for SaaS allowlists
  • SMBs replacing legacy VPN appliances
  • Compliance-driven access patterns (least privilege, auditability)

Contract

Both tiers

  • 12-month contract
  • Billed monthly
  • UK-based support and management

Pricing

Each tier below lists its price, setup terms, and access & controls.

Secure Gateway

Simple tier

£8 per user / month

12-month contract, billed monthly

  • Users added to Zitadel
  • Connected to a single high-speed Exit Node
  • Full “open” access through that node
  • No port filtering or internal routing
  • Ideal for consistent internet egress (“office IP”)

Managed Zero Trust

Granular tier

£15 per user / month

12-month contract, billed monthly

  • Full network orchestration
  • Multiple nodes (where required) and route design
  • Ongoing policy and access management
  • Custom internal routes (specific LANs/subnets)
  • Micro-segmentation (ports/protocols per group)
  • Exit node options (multiple nodes / regional routing)
  • Posture checks and access policies

Prices are per named user. Larger deployments, additional regions, or complex routing requirements may require a tailored design.

Zero Trust (in plain English)

Zero Trust means we don’t assume a device is trusted just because it’s “on the VPN”. Every access decision is treated as a new request to be evaluated.

  • Verify explicitly: identity, device, and context before allowing access.
  • Least privilege: users only get the routes and ports they need.
  • Assume breach: segment the network to limit blast radius.

WireGuard (why it matters)

WireGuard is a modern VPN protocol known for strong cryptography, small attack surface, and excellent performance. It’s a great fit for always-on remote access.

  • Fast handshakes and roaming-friendly connections
  • Simple, auditable design
  • Works well across desktop and mobile devices

Key concepts

Exit Nodes

An Exit Node is where your VPN traffic leaves the private network and accesses the internet. It’s how remote users appear to come from a known, consistent IP address (your “office IP”).

On the Secure Gateway tier, all users share one high-speed exit. On Managed Zero Trust, you can have multiple exits (e.g. by region, office, or security zone).

Routes

Routes decide which internal networks a user can reach over the VPN—for example a specific subnet containing file servers, a lab network, or a cloud VPC.

  • Per-group access to subnets (e.g. Finance vs Engineering)
  • Split tunnelling where appropriate
  • Clear separation between internal access and internet egress

Policies & Groups

Policies define what is allowed. Groups keep management simple by applying those policies to a set of users (and optionally devices).

  • Role-based access: “Support”, “Developers”, “Contractors”
  • Time-limited or project-limited access
  • Auditable change history (who got access to what, and when)

Micro-segmentation (Ports & Protocols)

Instead of “VPN gives you the whole network”, we can allow only the specific ports needed. For example: SSH to a bastion, RDP to a jump host, or HTTPS to an internal app.

  • Reduce blast radius and lateral movement
  • Align access with compliance requirements
  • Supports safer third-party/contractor access

Posture checks

Posture checks are rules about the device’s security state—used to allow, restrict, or block access. Typical checks include: OS version, disk encryption, endpoint protection, and device enrolment.

This is where zero trust becomes practical: a user can be valid, but access can still be limited if the device doesn’t meet your baseline.
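The concepts above (routes per group, ports and protocols per route, time-limited group membership, and a posture baseline checked before any route is considered) combined into a single deny-by-default access decision, as an added Python example that is not the service's own code. The policy table, baseline values and device fields are assumed, constructed values for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed policy table (hypothetical format, not the service's own): each group maps to
# the routes it may reach and the protocol/ports allowed on each route (micro-segmentation).
POLICIES = {
    "Support":     [("10.20.0.0/24", "tcp", {22})],        # SSH to the bastion subnet only
    "Developers":  [("10.30.0.0/16", "tcp", {22, 443})],   # SSH + HTTPS to the engineering VPC
    "Contractors": [("10.40.5.10/32", "tcp", {3389})],     # RDP to a single jump host
}

# Constructed posture baseline: every check must pass before routes are even considered.
BASELINE = {"min_os": (12, 0), "disk_encrypted": True, "endpoint_protection": True, "enrolled": True}


@dataclass
class Device:
    os_version: tuple
    disk_encrypted: bool
    endpoint_protection: bool
    enrolled: bool


def posture_failures(dev: Device) -> list:
    """Return the names of baseline checks the device fails (empty list = compliant)."""
    failed = []
    if dev.os_version < BASELINE["min_os"]:
        failed.append("os_version")
    for check in ("disk_encrypted", "endpoint_protection", "enrolled"):
        if getattr(dev, check) != BASELINE[check]:
            failed.append(check)
    return failed


def decide(memberships: dict, dev: Device, dst: str, proto: str, port: int, today: date) -> tuple:
    """Evaluate one access request and return (allowed, reason).

    memberships maps group name -> expiry date (None = permanent), modelling
    time-limited or project-limited access. Deny is the default outcome."""
    failed = posture_failures(dev)
    if failed:                                   # verify explicitly: the device is checked first
        return False, "posture: " + ",".join(failed)
    addr = ip_address(dst)
    for group, expiry in memberships.items():
        if expiry is not None and today > expiry:
            continue                             # membership has lapsed, ignore this group
        for subnet, allowed_proto, ports in POLICIES.get(group, []):
            if addr in ip_network(subnet) and proto == allowed_proto and port in ports:
                return True, f"{group}: {subnet} {proto}/{port}"
    return False, "no matching route/port for the user's groups"
```

A valid user on a compliant device still gets a deny when the destination port is outside their group's policy, which is the least-privilege behaviour the tier description promises.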