Welcome
Welcome! Enclave is a modern, software-defined mesh network designed to simplify the connection of users, workloads, and systems without requiring open firewall ports, changes to network infrastructure, or "edge" devices like Virtual Private Network (VPN) servers.
What is Enclave?
It's like a VPN, but without the VPN server.
Unlike traditional VPNs that route all traffic through a central server, Enclave establishes direct, point-to-point connections between systems. This approach simplifies the setup of secure, private access while ensuring that participating systems remain hidden and inaccessible by default.
By design, all systems within Enclave are “dark” to the public internet — isolated behind closed firewalls, unaware of one another, and unable to communicate until explicitly allowed. Connectivity is only granted on a strictly need-to-know basis.
Once a policy is defined, Enclave checks the security posture and establishes direct, end-to-end encrypted connections. Systems must mutually authenticate using digital certificates, meet conditional access constraints, and pass requirements such as multi-factor authentication (when configured) before communication is permitted.
Get Started with Enclave
If you're new to Enclave, check out our Getting Started Guide to get up and running in just a few minutes. Have questions or need help? Join our Slack community for answers and support. To learn more about Enclave’s secure connectivity model, visit our How it works page.
Capability | VPN | Enclave |
---|---|---|
Serverless | ❌ VPN server: hub-and-spoke architecture | ✅ Serverless: peers connect directly using UDP/TCP hole punching |
On-demand connectivity | ❌ Always on: tunnel is either on or off | ✅ On-demand: tunnels are per-system and don't need to be always on |
Unreachable network | ❌ Discoverable: VPN servers require open ports (e.g. udp/500, tcp/443, udp/1194) | ✅ Unreachable: outbound-only traffic; no open ports or ingress traffic, firewalls can be completely closed |
Dynamic IP tolerant | ❌ Site-to-site VPNs require ACLs to isolate; client-to-site requires advanced IP knowledge to isolate | ✅ Works with dynamic IPs: you don't care where the "other side" is ahead of time |
Low-ops | ❌ Complex deployment: segmenting is hard, configuration is complex | ✅ Low-ops deployment: works on the network you've already got, no changes |
Static IP address | ❌ DHCP reservations for static IP | ✅ Static IP: private, static IP addresses "out of the box" |
DNS | ❌ Run your own DNS server: no native support for DNS | ✅ DNS built-in: no nameservers required |
Precision access | ❌ Allows lateral movement: VPN places hosts directly onto the network | ✅ Zero Trust Network Access: lateral movement prohibited, reduced attack surface |
Supported Platforms
We support most major operating systems and CPU architectures.
Platform | Architecture | Status |
---|---|---|
Linux | x64, arm, arm64 | ✅ Supported |
Windows | x64, arm64, x86 | ✅ Supported |
macOS | x64, arm64 | ✅ Supported |
iOS | x64, arm64 | ✅ Supported |
Android | x64, arm64 | ✅ Supported |
Other resources
- Enclave developer community forum: https://community.enclave.io/
- Enclave platform status: https://status.enclave.io/
Stay in touch
Slack
We're building a community space for Engineers, Developers, Architects, Security Professionals, DevOps Practitioners and Hobbyists using Enclave to ask questions, get help from the team and interact with each other. Come and join us!