Why VPN profiles?
By default, Pentest-Tools.com scans targets over the public internet. VPN profiles let you scan internal networks, private infrastructure, and resources not exposed to the internet.
VPN profiles can be shared with team members so your whole team can run scans through the same VPN connection. See Sharing VPN profiles for details.
How it works
Create a VPN profile
Create a new VPN profile in Settings > VPN Profiles.
Deploy an agent
Install a VPN agent in your internal network using VM, Docker, or cloud deployment.
Establish connection
The agent creates a secure outbound tunnel to the platform.
Run scans
Scans route through the agent to reach internal targets.
Deployment options
Choose the deployment method that fits your environment:
Use cases
| Scenario | Description |
|---|
| Internal applications | Scan intranet sites and internal tools |
| Development environments | Test staging servers not exposed publicly |
| Corporate networks | Assess internal infrastructure security |
| Cloud VPCs | Scan private cloud resources |
The VPN agent needs outbound internet access (TCP port 22 to vpn2.pentest-tools.com) to function. It cannot operate in fully air-gapped networks.
Network requirements
The VPN agent requires outbound connectivity only:
| Protocol | Port | Destination | Purpose |
|---|
| TCP | 22 | vpn2.pentest-tools.com | Agent communication |
No inbound ports need to be opened. The agent initiates all connections outbound.
Security considerations
- The agent only communicates outbound to Pentest-Tools.com (TCP port 22)
- Traffic is encrypted via SSH tunnel
- Each scan establishes its own VPN tunnel
- You can use firewall rules to limit which internal subnets the agent can reach, so it only accesses the targets you intend to scan
VPN profile settings
When creating a VPN profile, you can configure:
| Setting | Description |
|---|
| Name | Descriptive name for the profile |
| DNS | Custom DNS servers for resolving internal hostnames (must include 8.8.8.8) |
| Max parallel scans | Limit concurrent scans through this profile |
| Workspaces | Associate profile with specific workspaces |
- OVPN file: Your OpenVPN configuration file
- User authentication: Optional username and password if your OpenVPN server requires authentication
Monitoring VPN profiles
Agent status (Online/Offline)
For VPN Agent deployments only, the platform shows real-time agent status:
| Status | Description |
|---|
| Online | The agent is connected and ready to route scans |
| Offline | The agent is not connected to the platform |
Online/Offline status only applies to VPN Agent deployments (VM, Docker, Cloud). Custom OpenVPN profiles do not show online/offline status because the platform connects to your OpenVPN server on-demand when running scans.
Test connection
Use the Test connection button to verify your VPN profile configuration. This feature works for both VPN Agents and Custom OpenVPN profiles.
- Go to Settings > VPN Profiles
- Select a VPN profile or click on its name to open the details panel
- Click Test connection
- Wait for the test to complete
The test attempts to establish a VPN tunnel and reports the result.
| Profile Type | What Test Connection Does |
|---|
| VPN Agent | Verifies the agent is reachable and can establish a tunnel |
| Custom OpenVPN | Attempts to connect to your OpenVPN server using the uploaded configuration |
Connection status
After running a connection test, the profile shows one of these statuses:
| Status | Description |
|---|
| Untested | No connection test has been run yet |
| Success | The VPN connection test was successful |
| Refused | The connection was refused by the server |
| Timeout | The connection attempt timed out |
| Auth Failed | Invalid user credentials |
| TLS Error | TLS key negotiation failed |
| Options Error | Bad or unsupported configuration options |
| Unsupported | Unsupported VPN configuration |
| Internal Error | An internal error occurred |
Connection logs
When you click on a VPN profile, the details panel shows Connection logs. These logs contain output from the last connection test and are helpful for troubleshooting failed connections.
If the connection logs show “No logs. Run a connection test first.”, run a test to populate the logs.
VPN profile details
Click on a VPN profile name to open the details panel, which shows:
- VPN Profile UUID: The unique identifier used to configure agents
- Workspaces: Associated workspaces
- Network Settings: DNS servers and VPN gateway (for Custom OpenVPN)
- Max parallel scans: Concurrent scan limit
- Connection logs: Output from the last connection test
From the details panel, you can also:
- Test the connection
- Deploy the agent (for VPN Agent profiles)
- Edit or delete the profile
Sharing VPN profiles
You can share VPN profiles with team members. Shared profiles let them run scans against your internal networks.
Permission levels
| Permission | What they can do |
|---|
| No access | Cannot see or use your VPN profiles |
| View | Can view and use VPN profiles to run scans, but cannot edit or delete |
| Edit | Full access to view, use, edit, and delete VPN profiles |
How to share VPN profiles
- Go to Settings > Team
- Select the team members you want to configure sharing for
- Click Share
- Set the VPN Profiles permission level
- Click Save
Shared profiles appear in your team members’ VPN profile list when they run scans.
Use View permission so team members can run internal scans without accidentally modifying the VPN configuration.
Resource requirements
| Resource | Minimum | Recommended |
|---|
| vCPUs | 1 | 2 |
| Memory | 1 GB | 2 GB |
| Disk | 10 GB | 20 GB |
