← Documentation

Secure access & VPN

Access your services securely—no open firewalls, no separate VPN to manage. Kaja provides a built-in VPN on top of WireGuard so you can register your devices, connect to the cluster, and reach the services you expose—from your laptop, CI runner, or another network. All from the same dashboard you use to develop and deploy.

What you get

  • Your devices, one place — Create and manage devices in Kaja. Each device can connect to the cluster over the built-in VPN. No need to install and run a separate VPN product; Kaja bundles it.
  • WireGuard under the hood — The VPN is built on WireGuard for performance and security. You get a simple experience in the app; we handle the details.
  • Access public services — Once your device is connected, you can reach the services you've made available (e.g. APIs, UIs) on the cluster—without exposing them to the whole internet or opening firewall rules. Ideal for dev, staging, or internal tools.
  • Same dashboard — Devices and VPN config live in Kaja. Connect new devices, revoke access, or see status alongside your environments and apps.

So: create devices, connect via the in-built VPN, and start accessing your services. No VPN sprawl, no manual WireGuard config.

How it works (at a glance)

  1. In Kaja, you create a device (e.g. your laptop, a build runner). Kaja generates what that device needs to connect.
  2. You install the VPN client or use the config Kaja provides (WireGuard-compatible). Your device then connects to the cluster over the built-in VPN.
  3. You access the services you've exposed. Traffic goes over the secure tunnel. For VPN access the cluster must expose a UDP port (used by WireGuard); you don't need a public IP or open ports for your app services—only that one VPN port.

We're rolling this out so you get secure access without the hassle of running your own VPN or opening up the cluster.

Who it's for

  • Developers — Connect your laptop and hit staging or dev services without VPN gymnastics.
  • CI/CD — Register a runner as a device and let pipelines reach internal services over the VPN.
  • Teams — Give each developer or machine a device; revoke when they're done. One place to manage who can reach what.

Summary

WhatWhat you get
Built-in VPNWireGuard-based VPN inside Kaja. No separate VPN product to run.
DevicesCreate devices in Kaja; connect them to the cluster and access exposed services.
Secure accessReach your services without opening firewalls or exposing the cluster to the internet.

Secure access. Your devices. One dashboard. We'll share more as the feature lands.

Next steps

  • Architecture — How Kaja fits together and where we're headed (service mesh, WireGuard).
  • Connecting clusters — Connect your clusters so you can use VPN and services on them.
  • Environments — Spin up environments; Apps — Deploy the services you'll access.