Skip to main content
VPN configuration lets Neo reach targets on private networks, internal environments, and isolated infrastructure. Once configured, agents connect to the VPN automatically when a task requires access to internal hosts. Go to Settings → VPN to configure your provider. Providers marked “Configured” have credentials stored and are ready to use. You can store credentials for multiple providers and switch between them as needed. If your provider is not listed, you can still configure it by adding the required environment variables directly in Secrets.

Supported providers

WireGuard

Upload your WireGuard .conf file.
VariableDescription
WIREGUARD_CONFIGYour WireGuard .conf configuration file

OpenVPN

Upload your OpenVPN .ovpn file and provide credentials if your server requires authentication.
VariableDescription
OPENVPN_CONFIGYour OpenVPN .ovpn configuration file
OPENVPN_USERVPN username
OPENVPN_PASSWORDVPN password

OpenConnect

Used for Cisco AnyConnect-compatible servers and other OpenConnect-supported gateways.
VariableDescription
OPENCONNECT_SERVERVPN server hostname (e.g. vpn.company.com)
OPENCONNECT_USERVPN username
OPENCONNECT_PASSWORDVPN password
OPENCONNECT_PROTOCOLProtocol to use (default: anyconnect)

Tailscale

Connects Neo as a node on your Tailnet. Get your auth key from the Tailscale Admin Console.
VariableDescription
TAILSCALE_AUTHKEYAuth key from Tailscale Admin Console (format: tskey-auth-...)

IPsec/IKEv2

Upload your IPsec configuration and secrets files.
VariableDescription
IPSEC_CONFIGYour IPsec .conf configuration file
IPSEC_SECRETSYour IPsec secrets file

Cisco Meraki

Connects via Meraki Client VPN. Find your PSK in the Meraki Dashboard under Security & SD-WAN > Client VPN.
VariableDescription
MERAKI_SERVERMeraki VPN server hostname (e.g. vpn.meraki.example.com)
MERAKI_USERVPN username
MERAKI_PASSWORDVPN password
MERAKI_PSKPre-shared key from Meraki Dashboard

Twingate

Connects Neo as a service account on your Twingate network. Get your service key from Twingate Admin Console under Service Accounts.
VariableDescription
TWINGATE_SERVICE_KEYService key from Twingate Admin Console > Service Accounts

Cloudflare WARP

Supports both site-to-site tunnel mode and Zero Trust enrollment.
VariableDescription
WARP_CONNECTOR_TOKENConnector token for site-to-site tunnel. Leave empty for consumer mode.
WARP_ORGANIZATIONYour Cloudflare organization name for Zero Trust enrollment (e.g. mycompany)