Your Network Gateway. Managed From Anywhere.
A managed WireGuard gateway appliance for home and small business networks. Deploy the hardened OVA, connect to your VeloGuardian account, and manage WireGuard peers from anywhere through a web dashboard. No command-line WireGuard setup required.
- WireGuard VPN gateway with automatic peer configuration
- Access your LAN from anywhere — NAS, cameras, servers, printers
- Runs as a hardened OVA on VMware, VirtualBox, or Proxmox
- Web dashboard for peer management and connection monitoring
- Works with the VeloGuardian app on all platforms
A WireGuard Gateway You Can Manage From Anywhere
Setting up a WireGuard server normally means generating keys, editing config files, managing firewall rules, and repeating the process for every peer. NetGuard eliminates all of that.
Deploy the OVA on your local network, sign in with your VeloGuardian account, and manage everything from the web dashboard. Add peers, monitor connections, and configure settings — whether you're at home or on the other side of the world. The VeloGuardian app connects seamlessly, giving you secure access to your entire LAN.
Who It's For
Home Labs
Access your NAS, media server, security cameras, and home automation from anywhere. No port forwarding, no dynamic DNS hassles — just a secure WireGuard tunnel to your entire home network.
Small Offices
Give your team secure access to office resources — file shares, printers, internal tools — without expensive enterprise VPN hardware. Deploy on existing virtualization infrastructure and manage peers from the dashboard.
Remote Teams
Let remote workers connect to the office LAN as if they were on-site. Each team member gets their own WireGuard peer managed through the dashboard — no manual configuration on either end.
Built for Security, Designed for Simplicity
WireGuard Protocol
Built on WireGuard — the modern, high-performance VPN protocol. Faster connections, lower latency, and a smaller attack surface than OpenVPN or IPsec.
Peer Management
Add, remove, and monitor peers from the web dashboard. Automatic key exchange and configuration — no manual WireGuard config files to edit.
Web Dashboard
Monitor connected peers, view traffic stats, and manage your gateway from any browser. Runs over HTTPS with a self-signed TLS certificate. All API calls proxied server-side.
Console CLI
Configure network settings (IP, gateway, DNS) through a lightweight console interface on first boot. SSH access available for advanced administration.
Signed Auto Updates
Ed25519-signed update packages ensure tamper-proof updates. Download and apply updates from the web dashboard — no manual file transfers or SSH sessions required.
Hardened Appliance
Purpose-built OVA with a minimal attack surface. Locked-down OS, no unnecessary services, server-side API proxy so your credentials never reach the browser.
How It Compares
VeloGuardian NetGuard vs popular VPN gateway solutions for home and small business.
| Feature | NetGuard | OpenVPN AS | pfSense / OPNsense | Tailscale | Manual WireGuard |
|---|---|---|---|---|---|
| Protocol | WireGuard | OpenVPN | OpenVPN / WireGuard | WireGuard (modified) | WireGuard |
| Setup complexity | Import OVA & sign in | Install + license | Full OS install + config | Install agent per device | CLI per peer |
| Web management | Yes | Yes | Yes | Yes (cloud) | No |
| Self-hosted | Yes (OVA appliance) | Yes | Yes | Coordination server is cloud | Yes |
| Hardened OS included | Yes | No | Yes (is the OS) | N/A | No (BYO OS) |
| Automatic peer config | Yes | Yes | Manual | Yes | Manual |
| Dedicated app | Yes (all platforms) | Yes | Third-party clients | Yes | WireGuard app |
| Signed updates | Yes (Ed25519) | Package manager | Package manager | Auto-update | Manual |
| Free tier | With Citadel plan | 2 connections free | Free (open source) | Free (limited) | Free |
Get Started in 3 Steps
Deploy the VM
Download the OVA file and import it into your hypervisor — VMware, VirtualBox, or Proxmox. Boot the VM and follow the console wizard to set a static IP and configure network settings.
Connect to Your Account
Open the web dashboard from any browser on your network and sign in with your VeloGuardian account. NetGuard authenticates against the VeloGuardian API and configures the WireGuard gateway automatically.
Add Peers
Add your devices as peers from the dashboard. Install the VeloGuardian app on each device, and it will connect to your NetGuard gateway automatically. Access your LAN from anywhere.
System Requirements
Hypervisor
- VMware Workstation / ESXi 6.5+
- VirtualBox 6.0+
- Proxmox VE 7.0+
Minimum Resources
- 1 vCPU
- 1 GB RAM
- 8 GB disk
- 1 network adapter (bridged mode)
Pair With VeloGuardian DNS
Deploy both appliances on your network for layered protection. NetGuard handles secure remote access while VeloGuardian DNS filters ads, malware, and trackers for every device on your LAN. Both run as lightweight OVAs on the same hypervisor.
Learn More About VeloGuardian DNSLearn More
What is WireGuard VPN?
Why WireGuard is the protocol of choice for modern VPN deployments — speed, security, and simplicity compared to OpenVPN and IPsec.
Read moreVPN for Remote Workers
How a VPN gateway lets remote teams access office resources securely — without exposing your network to the internet.
Read moreCommon Questions
VeloGuardian NetGuard is a managed WireGuard gateway appliance distributed as a hardened OVA virtual machine. Deploy it on your home or office network to create a WireGuard VPN gateway that lets you securely access your LAN from anywhere. Manage peers, monitor connections, and configure settings through a web dashboard.
Yes. NetGuard authenticates against the VeloGuardian API to manage peer configurations and tunnel settings. You need a VeloGuardian account with a Citadel subscription to use NetGuard.
Manual WireGuard setup requires generating keys, editing configuration files, managing firewall rules, and configuring each peer by hand. NetGuard handles all of this automatically — deploy the OVA, sign in, and manage peers from a web dashboard. No command-line WireGuard configuration needed.
Yes. Use the VeloGuardian app on your phone to connect to your NetGuard gateway. Once connected, you can access any device on your home LAN — NAS, cameras, servers, printers — as if you were physically there.
NetGuard is distributed as an OVA file that works with VMware Workstation, VMware ESXi 6.5+, VirtualBox 6.0+, and Proxmox VE 7.0+. It requires 1 vCPU, 1 GB RAM, 8 GB disk, and one bridged network adapter.
NetGuard uses an Ed25519-signed update package system. Updates are downloaded and verified automatically through the web dashboard. Each update package is cryptographically signed to prevent tampering.
Yes. The dashboard runs over HTTPS with a self-signed TLS certificate on port 443. All API calls are proxied server-side, so your VeloGuardian credentials never reach the browser. The appliance OS is hardened with no unnecessary services.
Yes. Deploy both appliances on the same network for layered protection. NetGuard handles encrypted remote access while VeloGuardian DNS filters malicious domains and ads for all devices on your LAN. Both run as lightweight OVAs on the same hypervisor.
Yes. You need to forward the WireGuard UDP port (default 51820) from your router to the NetGuard appliance IP. This is a single port forward — no complex firewall rules needed. The console CLI guides you through the initial network setup.
If your internet connection drops, remote peers won't be able to reach the gateway — but your local network continues to function normally. When the connection is restored, WireGuard peers reconnect automatically with no manual intervention needed.
Secure Your Network Today
Deploy VeloGuardian NetGuard and access your home or office LAN from anywhere. Managed WireGuard gateway with web dashboard — no command-line setup required.
Get Started View Features