Get AI summaries of any video or article — Sign up free
the END of VPNs?! thumbnail

the END of VPNs?!

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Twin Gate is presented as zero-trust remote access that grants only explicitly defined resources and ports, avoiding the broad exposure associated with VPNs.

Briefing

Remote access is shifting away from traditional VPNs toward “zero trust” access that grants only the specific services people need. The core claim is that VPNs are too blunt for modern teams: once access is granted, careless or compromised users can reach far more systems than intended, potentially spreading malware across an entire network. Twin Gate is presented as a faster, more granular alternative that avoids firewall configuration and port forwarding while enforcing per-user, per-device, and per-port permissions.

The setup starts with a Twin Gate account (the cloud-based controller) and a connector deployed as a Docker container inside the organization’s network—on a NAS, an old laptop, or even a Raspberry Pi. After deployment, the controller defines a “remote network” and then explicitly lists resources that are allowed. In the demo, the NAS is added as a resource and access is restricted to TCP port 5000 only (with UDP and ICMP blocked). Access is then granted to a team group, and a client app is installed on a laptop to connect from a mobile 5G network. The result: the client can reach the allowed service, while basic connectivity tests like ping and SSH fail until the relevant ports are added.

Under the hood, Twin Gate is described as building a secure end-to-end TLS tunnel between the client and the connector, authenticated using multiple tokens issued by the controller. A relay service acts as a matchmaker and helps devices “discover” each other across NAT and firewalls. Because NAT often blocks inbound connections to private devices, the relay supplies the public IP/port mapping details needed for the client and connector to establish a direct connection. This NAT traversal is likened to using a STUN-like mechanism to coordinate endpoints so they can communicate securely.

The system is also positioned as not being a VPN at all, but a programmable private proxy. That matters because traffic can be split: by default, only traffic destined for explicitly allowed resources travels through the Twin Gate tunnel, while general internet browsing continues through the normal local internet gateway. Performance is attributed to a “Quick” transport protocol built on UDP, with features like multiplexing (multiple data streams over one connection) and client-side roaming (maintaining sessions when moving between networks like Wi‑Fi and 5G).

Beyond access control, Twin Gate adds device security policies. Admins can block entire operating systems, require screen lock or biometric settings, and integrate with endpoint protection platforms such as CrowdStrike, Intune, and Sentinel One to allow only “trusted” devices. DNS-based routing is another major capability: the connector can act as a DNS proxy so domain names configured in Twin Gate resolve to internal resources, enabling routing by hostname rather than only by IP. An “alias” feature lets admins create custom domain aliases for specific services and ports. Finally, the platform supports headless clients and automation via infrastructure tools like Terraform, plus identity-provider integrations (Google Workspace, Okta, Azure AD) and secure DNS options using DoH.

Cornell Notes

Twin Gate is pitched as a zero-trust replacement for VPN-style remote access, granting users only the specific internal resources and ports they’re allowed to use. The workflow pairs a cloud controller (for identity, access rules, and token generation) with a Docker-based connector deployed inside the private network. Access is enforced through ACLs delivered to the connector, and connectivity is established via authenticated TLS tunnels coordinated through relay services that handle NAT traversal. The approach is framed as a programmable private proxy with split-tunnel behavior by default, so only traffic to approved resources goes through the secure tunnel. Device security policies, DNS-based routing, and aliasing extend the model beyond simple IP/port allowlists.

Why does the transcript treat VPNs as “not secure enough” for team access?

VPN access is described as too broad: once users have VPN access, they can reach servers and services they shouldn’t touch. If a user already has malware, that access can enable lateral movement—downloading malicious software and spreading it across the network. Twin Gate’s alternative is zero trust: per-user (and per-group) ACLs that explicitly define which devices and which ports/services are reachable, instead of exposing the whole internal network.

What are the two main setup steps, and what role does each component play?

First, create an account in Twin Gate’s cloud controller to configure remote networks and access rules. Second, deploy the Twin Gate connector as a Docker container inside the private network (behind the firewall). The connector is the on-prem component that connects back to Twin Gate and enforces the ACLs it receives from the controller, while the controller manages identity, tokens, and the list of allowed resources.

How does Twin Gate enforce “only this port” access in the demo?

A resource is added for the NAS using its private IP, then protocol restrictions are set so only TCP port 5000 is allowed. UDP and ICMP are blocked. When the client connects from outside the home network, the NAS web service on port 5000 loads, but ping and SSH fail because those protocols/ports weren’t permitted. When port 22 is later added, SSH becomes reachable after the policy update.

What problem do relays solve in NAT/firewall environments?

Private devices typically lack public IP addresses and can’t accept inbound connections from the internet because NAT blocks unsolicited traffic. The relay coordinates endpoint discovery by knowing the public IP/port mappings for both the connector and the client (based on their outbound connections). It then provides each side the other’s reachable IP/port so they can form a secure end-to-end TLS tunnel despite NAT traversal constraints.

What makes Twin Gate different from a VPN in traffic handling?

It’s framed as a programmable private proxy rather than a VPN. The transcript emphasizes split-tunnel behavior by default: only traffic destined for explicitly allowed resources goes through the Twin Gate tunnel, while other internet traffic (like Facebook or YouTube) goes out through the normal internet gateway. This reduces exposure because the secure tunnel isn’t acting as a pass-through for everything the user does.

How does DNS-based routing work, and what is the “alias” feature?

Twin Gate can proxy DNS requests: the client sends DNS queries for domain names configured as resources, and the connector resolves them using its own configured private DNS server. This enables routing by hostname to internal services. The alias feature lets admins create a custom domain name that maps to a specific internal service and port (e.g., a Plex server alias), so users can access the service via a friendly domain rather than typing internal IPs.

Review Questions

  1. What specific ACL elements (device/group, protocol, and port) are required to restrict access to a single internal service?
  2. How does NAT traversal enable a client outside the network to reach a connector behind a firewall without port forwarding?
  3. What split-tunnel behavior is described, and why does it reduce risk compared with routing all traffic through a VPN gateway?

Key Points

  1. 1

    Twin Gate is presented as zero-trust remote access that grants only explicitly defined resources and ports, avoiding the broad exposure associated with VPNs.

  2. 2

    The cloud controller manages identity, access rules, and token generation, while a Docker-based connector runs inside the private network to enforce those rules.

  3. 3

    Relays coordinate client-to-connector discovery and NAT traversal, enabling secure connections without firewall changes or port forwarding.

  4. 4

    Twin Gate is described as a programmable private proxy with split-tunnel behavior by default, so only traffic to approved resources goes through the secure tunnel.

  5. 5

    Device security policies can block operating systems and enforce requirements, with optional integration to endpoint protection tools like CrowdStrike, Intune, and Sentinel One.

  6. 6

    DNS-based routing and aliasing let admins map domain names to internal services, enabling hostname-based access control rather than only IP/port allowlists.

  7. 7

    Headless clients and infrastructure automation (e.g., Terraform templates) can deploy connectors and clients for monitoring and CI/CD-style access provisioning.

Highlights

Instead of granting VPN users broad network reach, Twin Gate enforces per-resource ACLs—down to specific TCP ports—so a compromised device can’t automatically access everything.
Relays act as matchmakers for NAT traversal, supplying the public IP/port details needed for a direct, authenticated TLS tunnel between the client and the on-prem connector.
Split-tunnel behavior is positioned as a key advantage: only traffic to approved internal resources is carried through the secure tunnel; general internet browsing stays local.
DNS proxying plus aliasing enables access by domain name to internal services, letting policies follow hostnames and ports.

Topics

  • Zero Trust Access
  • VPN vs Proxy
  • NAT Traversal
  • DNS Routing
  • Device Security Policies

Mentioned

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library