# VPN profiles overview

> Scan internal networks securely using VPN profiles and agents

## Why VPN profiles?

By default, Pentest-Tools.com scans targets over the public internet. VPN profiles let you scan internal networks, private infrastructure, and resources not exposed to the internet.

VPN profiles can be shared with team members so your whole team can run scans through the same VPN connection. See [Sharing VPN profiles](#sharing-vpn-profiles) for details.

<Info>
  VPN profiles require the **Internal network scanning** add-on. [Learn more about add-ons](/account-billing/plans-and-limits/plan-overview).
</Info>

## How it works

<Steps>
  <Step title="Create a VPN profile">
    Create a new VPN profile in Settings > VPN Profiles.
  </Step>

  <Step title="Deploy an agent">
    Install a VPN agent in your internal network using VM, Docker, or cloud deployment.
  </Step>

  <Step title="Establish connection">
    The agent creates a secure outbound tunnel to the platform.
  </Step>

  <Step title="Run scans">
    Scans route through the agent to reach internal targets.
  </Step>
</Steps>

## Deployment options

Choose the deployment method that fits your environment:

<CardGroup cols={2}>
  <Card title="Virtual machine" icon="server" href="/capabilities/vpn/virtual-machine">
    Pre-configured appliance for VMware, Hyper-V, VirtualBox, or ESXi.
  </Card>

  <Card title="Docker agent" icon="docker" href="/capabilities/vpn/docker-agent">
    Containerized agent for Docker environments.
  </Card>

  <Card title="Cloud deployment" icon="cloud" href="/capabilities/vpn/cloud">
    Deploy in AWS or Azure cloud environments.
  </Card>

  <Card title="Custom OpenVPN" icon="shield-halved" href="/capabilities/vpn/openvpn">
    Use your own OpenVPN server configuration.
  </Card>
</CardGroup>

## Use cases

| Scenario                 | Description                               |
| ------------------------ | ----------------------------------------- |
| Internal applications    | Scan intranet sites and internal tools    |
| Development environments | Test staging servers not exposed publicly |
| Corporate networks       | Assess internal infrastructure security   |
| Cloud VPCs               | Scan private cloud resources              |

<Note>
  The VPN agent needs outbound internet access (TCP port 22 to vpn2.pentest-tools.com) to function. It cannot operate in fully air-gapped networks.
</Note>

## Network requirements

The VPN agent requires **outbound** connectivity only:

| Protocol | Port | Destination            | Purpose             |
| -------- | ---- | ---------------------- | ------------------- |
| TCP      | 22   | vpn2.pentest-tools.com | Agent communication |

<Tip>
  No inbound ports need to be opened. The agent initiates all connections outbound.
</Tip>

## Security considerations

* The agent only communicates outbound to Pentest-Tools.com (TCP port 22)
* Traffic is encrypted via SSH tunnel
* Each scan establishes its own VPN tunnel
* You can use firewall rules to limit which internal subnets the agent can reach, so it only accesses the targets you intend to scan
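The last point can be checked before each engagement. The following Python script is an added example, not part of Pentest-Tools.com's documentation or tooling: it audits a firewall rule list for the agent's network segment against the requirements on this page (outbound TCP 22 to vpn2.pentest-tools.com, no inbound rules, internal reach limited to the intended scan targets). The rule dictionary format, the function name, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# From the "Network requirements" table on this page.
TUNNEL = ("out", "tcp", "vpn2.pentest-tools.com", 22)

def audit_agent_policy(rules, scan_targets):
    """Audit firewall rules (hypothetical dict format) for the agent's segment."""
    findings = []
    allow = [r for r in rules if r["action"] == "allow"]
    key = lambda r: (r["dir"], r["proto"], r["dst"], r["port"])

    # 1. The outbound tunnel to the platform must be permitted.
    if TUNNEL not in map(key, allow):
        findings.append("missing: outbound tcp/22 to vpn2.pentest-tools.com")

    # 2. The agent initiates all connections, so inbound allows are not needed.
    for r in allow:
        if r["dir"] == "in":
            findings.append(f"unneeded inbound allow: {r['proto']}/{r['port']}")

    # 3. Collect the internal subnets the agent may reach.
    nets = []
    for r in allow:
        if r["dir"] != "out" or key(r) == TUNNEL:
            continue
        try:
            nets.append(ipaddress.ip_network(r["dst"]))
        except ValueError:
            findings.append(f"destination is not a valid CIDR: {r['dst']}")

    # 4. Every target must be covered; every allowed subnet must hold a target.
    targets = [ipaddress.ip_address(t) for t in scan_targets]
    for t in targets:
        if not any(t in n for n in nets):
            findings.append(f"target not reachable: {t}")
    for n in nets:
        if not any(t in n for t in targets):
            findings.append(f"subnet allowed but not in scope: {n}")
    return findings

# Constructed sample data: rule format and addresses are illustrative only.
SAMPLE_RULES = [
    {"dir": "out", "proto": "tcp", "dst": "vpn2.pentest-tools.com", "port": 22, "action": "allow"},
    {"dir": "out", "proto": "any", "dst": "10.20.0.0/24", "port": "any", "action": "allow"},
    {"dir": "out", "proto": "any", "dst": "10.30.0.0/16", "port": "any", "action": "allow"},
    {"dir": "in", "proto": "tcp", "dst": "any", "port": 3389, "action": "allow"},
]
SAMPLE_TARGETS = ["10.20.0.15", "10.20.0.40", "192.168.5.9"]
```

An empty result from `audit_agent_policy` means the rule list matches the page's requirements and the stated scan scope; each finding names the rule or target to fix.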

## VPN profile settings

When creating a VPN profile, you can configure:

| Setting                | Description                                                                |
| ---------------------- | -------------------------------------------------------------------------- |
| **Name**               | Descriptive name for the profile                                           |
| **DNS**                | Custom DNS servers for resolving internal hostnames (must include 8.8.8.8) |
| **Max parallel scans** | Limit parallel scans through this profile                                  |
| **Workspaces**         | Associate profile with specific workspaces                                 |

For Custom OpenVPN profiles, you also configure:

* **OVPN file**: Your OpenVPN configuration file
* **User authentication**: Optional username and password if your OpenVPN server requires authentication

## Monitoring VPN profiles

### Agent status (Online/Offline)

For **VPN Agent** deployments only, the platform shows real-time agent status:

| Status      | Description                                     |
| ----------- | ----------------------------------------------- |
| **Online**  | The agent is connected and ready to route scans |
| **Offline** | The agent is not connected to the platform      |

The status updates in real time when an agent connects or disconnects.

<Note>
  Online/Offline status only applies to **VPN Agent** deployments (VM, Docker, Cloud). Custom OpenVPN profiles do not show online/offline status because the platform connects to your OpenVPN server on-demand when running scans.
</Note>

### Test connection

Use the **Test connection** button to verify your VPN profile configuration. This feature works for **both VPN Agents and Custom OpenVPN profiles**.

1. Go to **Settings > VPN Profiles**
2. Select a VPN profile or click on its name to open the details panel
3. Click **Test connection**
4. Wait for the test to complete

The test attempts to establish a VPN tunnel and reports the result.

| Profile Type       | What Test Connection Does                                                   |
| ------------------ | --------------------------------------------------------------------------- |
| **VPN Agent**      | Verifies the agent is reachable and can establish a tunnel                  |
| **Custom OpenVPN** | Attempts to connect to your OpenVPN server using the uploaded configuration |

### Connection status

After running a connection test, the profile shows one of these statuses:

| Status             | Description                              |
| ------------------ | ---------------------------------------- |
| **Untested**       | No connection test has been run yet      |
| **Success**        | The VPN connection test was successful   |
| **Refused**        | The connection was refused by the server |
| **Timeout**        | The connection attempt timed out         |
| **Auth Failed**    | Invalid user credentials                 |
| **TLS Error**      | TLS key negotiation failed               |
| **Options Error**  | Bad or unsupported configuration options |
| **Unsupported**    | Unsupported VPN configuration            |
| **Internal Error** | An internal error occurred               |

### Connection logs

When you click on a VPN profile, the details panel shows **Connection logs**. These logs contain output from the last connection test and are helpful for troubleshooting failed connections.

<Tip>
  If the connection logs show "No logs. Run a connection test first.", run a test to populate the logs.
</Tip>

## VPN profile details

Click on a VPN profile name to open the details panel, which shows:

* **VPN Profile UUID**: The unique identifier used to configure agents
* **Workspaces**: Associated workspaces
* **Network Settings**: DNS servers and VPN gateway (for Custom OpenVPN)
* **Max parallel scans**: Parallel scan limit
* **Connection logs**: Output from the last connection test

From the details panel, you can also:

* Test the connection
* Deploy the agent (for VPN Agent profiles)
* Edit or delete the profile

## Sharing VPN profiles

You can share VPN profiles with team members. Shared profiles let them run scans against your internal networks.

### Permission levels

| Permission    | What they can do                                                      |
| ------------- | --------------------------------------------------------------------- |
| **No access** | Cannot see or use your VPN profiles                                   |
| **View**      | Can view and use VPN profiles to run scans, but cannot edit or delete |
| **Edit**      | Full access to view, use, edit, and delete VPN profiles               |

### How to share VPN profiles

1. Go to **Settings > Team**
2. Select the team members you want to configure sharing for
3. Click **Share**
4. Set the **VPN Profiles** permission level
5. Click **Save**

Shared profiles appear in your team members' VPN profile list when they run scans.

<Tip>
  Use View permission so team members can run internal scans without accidentally modifying the VPN configuration.
</Tip>

For more on team management and sharing, see [Teams and roles](/capabilities/teams-and-roles).

## Resource requirements

| Resource | Minimum | Recommended |
| -------- | ------- | ----------- |
| vCPUs    | 1       | 2           |
| Memory   | 1 GB    | 2 GB        |
| Disk     | 10 GB   | 20 GB       |

## Related topics

* [Troubleshooting VPN issues](/capabilities/vpn/troubleshooting)
* [Teams and roles](/capabilities/teams-and-roles)
