INCYBER Forum — Meet us on March 31, 2026 at Lille Grand Palais Learn more →

Open Source · BSD-2-Clause

Secure your access.
Stay in control.

Open source security bastion built in Rust, designed to protect and control SSH and RDP access to critical infrastructure across enterprise, industrial, and defense environments.

View on GitHub Explore

Rust · Memory Safety TLS 1.3 Self-hosted PQC Compliant

vauban — bastion

$ ssh admin@bastion.corp.local

Vauban v0.6.0 — Security Bastion

▸ MFA required — TOTP code: ••••••

✓ Authenticated: admin (role: infra-ops)

✓ Session recording started

✓ RBAC policy enforced

Authorized servers:

1. prod-db-01 PostgreSQL — SSH

2. prod-app-02 Application — SSH

3. win-srv-03 Windows — RDP

$ connect prod-db-01

✓ Secure tunnel established via Vauban

admin@prod-db-01:~$ ▌

Rust

Guaranteed memory safety,
no garbage collector

Capsicum

DARPA-funded
sandboxing

NIS2

Compliant traceability
and auditing

BSD-2

Free and open license,
no restrictions

Everything a bastion should do

Secure access, full traceability, and granular control — with no proprietary vendor lock-in.

SSH & RDP Proxy

Access your Linux and Windows servers directly from the browser. SSH terminal in the browser, RDP remote desktop in the browser.

MFA Authentication

TOTP, HOTP, and SSO integration (OIDC, SAML). Compatible with LDAP and Active Directory to integrate with your existing directory.

Access Control

Granular policies by roles, groups, and assets groups through the access policy and access rules engine. Just-In-Time access to limit temporal exposure.

Session Recording

MP4 video recording with BLAKE3 cryptographic integrity. Replay any session for audit or investigation.

Real-Time Monitoring

Live dashboard: active sessions, metrics, security alerts, and recent activity.

Secrets Vault

Encrypted storage for SSH keys, passwords, and certificates. AES-GCM encryption with HKDF-SHA3 key derivation.

Modular Architecture

Seven isolated services, orchestrated by a single supervisor. OpenSSH-inspired privilege separation, Capsicum sandboxing.

Orchestrator

vauban-supervisor

Lifecycle management, privilege separation, Capsicum sandboxing

vauban-web

Web interface, REST API, WebSocket

vauban-auth

MFA, SSO, LDAP, Active Directory

vauban-access

Access policy and access rules engine

vauban-vault

Encrypted secrets management

vauban-proxy-ssh

Sandboxed SSH proxy

vauban-proxy-rdp

Sandboxed RDP proxy with H.264 video streaming

vauban-audit

Recording and storage

Why Vauban

A sovereign approach to access security, with no compromises.

Open Source and Auditable

Source code available under BSD-2-Clause license. No black box: every line is verifiable by your teams or an independent auditor.

Full Sovereignty

Deployed on your infrastructure, under your control. No data flows through a third-party cloud.

Secure by Design

Rust eliminates memory vulnerabilities. Privilege separation and Capsicum sandboxing limit the impact of a compromise.

NIS2 Compliance

Full traceability, session recording with cryptographic integrity, and granular access control.

Vauban vs. Proprietary Solutions

	Vauban	Proprietary
Source code	Open (BSD-2)	Closed
Hosting	Self-hosted	Vendor cloud
License cost	Free	Per user / asset / year
Language	Rust (memory-safe)	Java / C++ / Go
Code audit	Possible	Not possible
Vendor lock-in	None	Full

Frequently Asked Questions

What is a security bastion?

A bastion is a hardened intermediary server that controls and traces all access to your servers and network equipment. It acts as a single gateway between your teams and your infrastructure, eliminating unsupervised direct access.

What protocols are supported?

SSH and RDP (with optimized H.264 encoding). SSH connections are accessible through a virtual terminal in the browser, and RDP sessions through video streaming for native rendering with no plugin and no thick client required.

What is Capsicum sandboxing?

Capsicum is a confinement mechanism developed with funding from DARPA (U.S. Department of Defense). It restricts each process's capabilities to the bare minimum required, drastically limiting the impact of a potential compromise.

How does Vauban help with NIS2 compliance?

NIS2 requires access traceability and audit capabilities for essential and important entities. Vauban records every session with cryptographic integrity (BLAKE3), enforces RBAC access control, and provides detailed audit logs.

How much does Vauban cost?

Vauban is free and open source under the BSD-2-Clause license. You can use, modify, and redistribute it freely. Subscriptions are available for priority security fix notifications, 5-year LTS (long-term support) release cycles, certified builds, and priority bug resolution. Integration services and professional support are also available on request, along with Vauban-qualified hardware (hardware appliance).

INCYBER Forum — March 31, 2026

Ready to take back control?

Meet the team at INCYBER Forum in Lille, or contact us for a demo of Vauban on your infrastructure.

Secure your access. Stay in control.