Heavy-Duty Computer Systems, ELC IANA 61215
VPN and advanced networking

Private Device Networking for H-DCS Workspaces

H-DCS VPN connects enrolled devices to H-DCS services through a managed WireGuard network, with split-tunnel routing, internal DNS, device-to-device controls and reviewed cross-user access rules.

A VPN for systems, not for hiding internet traffic

The H-DCS VPN is designed as a secure service and workspace network. It does not push a default route: normal internet traffic stays on the user device, while H-DCS service traffic and approved private device traffic move through the encrypted tunnel.

WireGuard device enrollment

Windows, Linux and Android devices can receive per-device WireGuard configuration through the H-DCS enrollment flow.

Split-tunnel routing

Only H-DCS service routes and approved private routes are sent through the tunnel; the user's default internet route is left untouched.

Internal DNS

VPN clients use the H-DCS resolver on 172.16.0.1 for H-DCS service names and private device hostnames.

Default-deny segmentation

Client-to-client traffic is controlled by policy instead of being broadly open across the VPN address pool.

Current H-DCS VPN parameters

Area Parameter Behavior
VPN technology WireGuard on UDP 51820 Fast encrypted tunnels with one stable peer identity per enrolled device.
Client address pool 172.16.0.0/20 Each enrolled device receives a dedicated /32 VPN address from the managed pool.
VPN service endpoint 172.16.0.1 Internal DNS and H-DCS management traffic are available through the VPN endpoint.
Service routes 10.66.0.0/16, 10.67.0.0/16, 10.68.0.0/16 H-DCS service networks are reachable without taking over public internet traffic.
Device route model Per-device /32 peers WireGuard peers are synchronized with narrow device-specific allowed IPs.
Firewall model Default deny with explicit policy Own-device and cross-user connectivity is governed by generated firewall rules.

What users can manage in VPN settings

Integrated VPN devices

See enrolled devices, their VPN IP addresses, DNS names and operating systems.

Own-device visibility

Devices owned by the same user can be visible to each other, with a per-device disconnect control when isolation is needed.

Cross-user requests

Request access from one of your devices to another H-DCS user's selected device.

Protocol and port rules

Approved rules can target TCP, UDP or ICMPv4. TCP and UDP requests include the destination port.

Approve, reject, cancel, revoke

Both sides can manage the lifecycle of requested VPN connectivity from the webapp.

How approved device access works

1

Enroll the source device and target device into the H-DCS VPN.

2

Choose the source device, target user, target device, protocol and port in VPN settings.

3

The target user reviews the request and approves only the intended connection.

4

H-DCS updates VPN and firewall policy so the approved devices can communicate.

5

Either side can later cancel or revoke the rule, returning the network to default-deny behavior.

Need a private network that is reviewable?

H-DCS can plan device enrollment, VPN routing, DNS, firewall policy and cross-user access rules for a practical private workspace. Requests start with a structured networking review.

An unhandled error has occurred. Reload 🗙

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please retry or reload the page.