Sovereign Zero Trust VPN

The sovereign Zero Trust VPN hosted in Europe

Connect your servers, laptops and VMs in a private network encrypted end to end, with no port exposed to the Internet. The control plane stays in Europe, and it's all reversible. It runs on Headscale and WireGuard, the self-hostable Tailscale alternative.

Control plane in Europe
Encrypted end to end
Open source, reversible
[Diagram: Coordination stays in Europe. Bunker-managed Headscale coordinates your server (Frankfurt) and your laptop (Madrid); the link between them is WireGuard encrypted, peer-to-peer.]

Tailscale, but with coordination in Europe

Tailscale made the VPN that "just works" popular. The server that decides who can talk to whom, the coordination layer, is a proprietary SaaS hosted in the US. Your traffic itself stays encrypted: Tailscale doesn't read its contents. It's the coordination metadata (which machines exist, who's allowed to talk to whom) that passes through that server, under US law.

Bunker runs that same coordination server in Europe, built on Headscale, the open source reimplementation of Tailscale's server. The traffic stays peer-to-peer WireGuard, encrypted end to end. Same ease of use, coordination metadata kept sovereign, and fully reversible.

The real weak point

An encrypted VPN is not enough to be sovereign

A modern VPN has two layers. The traffic is already encrypted end to end. What decides who talks to whom, the coordination, lives elsewhere, and that is where sovereignty is decided.

The data plane

WireGuard carries the traffic, encrypted end to end, machine to machine. No one in the middle reads it, neither Tailscale nor Bunker.

The control plane

It orchestrates the network: which machines exist, which are allowed to join, and it distributes the keys. It's your network's directory.

The weak point

With Tailscale, that directory lives on a proprietary server outside Europe, under US law. Encryption doesn't change that: this is where sovereignty stops.

[Diagram: A modern VPN has two layers. Control plane: machine directory, access rights, keys (in Europe), which coordinates the data plane: WireGuard encrypted end to end, peer-to-peer. The traffic is already encrypted. The coordination stays sovereign.]

How it works

The control plane stays in Europe

Managed Headscale, operated in Europe

Headscale is the open source reimplementation of Tailscale's coordination server. Bunker runs it on its European infrastructure and operates it for you.

  • Your network's directory never leaves Europe
  • No non-EU third party knows which machines make up your network
  • Same functions as the Tailscale server, sovereign hosting

You keep the standard Tailscale client

You install the usual Tailscale client and point it at your coordination server hosted at Bunker. Your machines then bring up direct WireGuard tunnels.

  • Peer-to-peer tunnels, no central server on the traffic path
  • Fallback through our own relays in Europe when NAT blocks the direct path
  • The client stays Tailscale Inc.'s software, updated by them

Your VMs are never exposed

Your machines open no port to the public Internet. You reach them only from inside the Zero Trust network.

  • No exposed bastion to defend
  • No public IP open on your VMs
  • Access only through the WireGuard network
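A practical way to verify the "no public port" claim on a node is to check what is actually listening and on which address. The script below is an added example, not Bunker's or Tailscale's code: it parses the output of `ss -tlnp` (a constructed sample is embedded) and flags any listener bound to a wildcard or non-tailnet address. It treats loopback and Tailscale's own ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48) as private; the process names and addresses in the sample are invented.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Address ranges a Tailscale/Headscale node assigns to its tailnet interface.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")

# Constructed sample of `ss -tlnp` output (addresses and processes invented).
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       128         100.101.1.5:22          0.0.0.0:*      users:(("sshd",pid=812,fd=4))
LISTEN  0       4096         127.0.0.1:5432        0.0.0.0:*      users:(("postgres",pid=600,fd=5))
LISTEN  0       128               [::]:22             [::]:*      users:(("sshd",pid=812,fd=5))
LISTEN  0       511              *:8080                *:*        users:(("node",pid=900,fd=20))
"""


@dataclass
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> List[Listener]:
    """Extract (address, port, process) from each LISTEN line of `ss -tlnp`."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # Local Address:Port is the 4th column; split on the last ':' so
        # IPv6 addresses such as [::]:22 are handled.
        addr, _, port = cols[3].rpartition(":")
        addr = addr.strip("[]")
        m = re.search(r'\("([^"]+)"', line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def is_private_bind(addr: str) -> bool:
    """True if the socket is reachable only via loopback or the tailnet."""
    if addr in ("*", "0.0.0.0", "::"):
        return False  # wildcard bind: reachable on every interface
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unknown form: treat as exposed, to be safe
    if ip.is_loopback:
        return True
    return ip in TAILNET_V4 or ip in TAILNET_V6


def exposed_listeners(output: str) -> List[Listener]:
    """Listeners that would be reachable from outside the tailnet."""
    return [l for l in parse_ss(output) if not is_private_bind(l.addr)]


def report(output: str) -> List[str]:
    """Human-readable findings, one line per exposed listener."""
    return [f"{l.process} listening on {l.addr}:{l.port} is reachable outside the tailnet"
            for l in exposed_listeners(output)]


if __name__ == "__main__":
    # On a real node: replace SAMPLE_SS with subprocess.run(["ss", "-tlnp"], ...).stdout
    for line in report(SAMPLE_SS):
        print(line)
```

In the sample, sshd bound to `100.101.1.5:22` and postgres on loopback pass, while the wildcard sshd binds and the `*:8080` service are flagged; on a node that is supposed to be reachable only over WireGuard, the expected result is an empty report.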

The self-hostable alternative, without the ops

It's all open source: you could stand up this coordination server yourself. Bunker runs it for you (updates, availability, backups) without locking you in.

  • Control plane managed end to end
  • Reversible: take it all back onto your hardware whenever you decide
  • No proprietary lock-in, the building block is open source

Technical guarantees

What stays sovereign, what stays encrypted

End-to-end WireGuard encryption

ChaCha20-Poly1305, in the Linux kernel. The traffic content is never visible to the coordination server.

Coordination metadata in Europe

Machine directory, access rights, key distribution: all stays on Bunker's European infrastructure.

NAT fallback through European relays

When two machines can't bring up a direct tunnel, the fallback goes through our relays in Europe. Traffic there stays encrypted, never read, and doesn't leave the region.
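An operator will want to know which peers actually got a direct tunnel and which ones fell back to a relay, and whether that relay is one of the European regions. The script below is an added example, not code from Bunker, Headscale or Tailscale: it reads the JSON emitted by `tailscale status --json` (a constructed sample is embedded) and sorts peers into direct, relayed through an allowed region, relayed elsewhere, or offline. The field names `Peer`, `HostName`, `Online`, `CurAddr` and `Relay` are as I understand the client's output; check them against your client version. The region codes `fra` and `ams` are assumptions standing in for whatever the operator named its DERP regions.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of `tailscale status --json`, trimmed to the
# fields used here. Host names, addresses and relay codes are invented.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop-madrid", "TailscaleIPs": ["100.101.1.7"]},
    "Peer": {
        "nodekey:aaa": {"HostName": "srv-frankfurt", "Online": True,
                        "CurAddr": "203.0.113.10:41641", "Relay": "fra"},
        "nodekey:bbb": {"HostName": "srv-office", "Online": True,
                        "CurAddr": "", "Relay": "ams"},
        "nodekey:ccc": {"HostName": "old-build-box", "Online": True,
                        "CurAddr": "", "Relay": "nyc"},
        "nodekey:ddd": {"HostName": "srv-backup", "Online": False,
                        "CurAddr": "", "Relay": ""},
    },
})

# Assumption: the region codes the operator gave its European DERP relays.
EU_RELAYS: Set[str] = {"fra", "ams"}


def classify_peers(status_json: str,
                   allowed_relays: Set[str] = EU_RELAYS) -> Dict[str, List[str]]:
    """Group peers by path type. A non-empty CurAddr means a direct WireGuard
    endpoint is in use; otherwise traffic goes through the DERP region in Relay."""
    status = json.loads(status_json)
    result: Dict[str, List[str]] = {
        "direct": [], "relayed_ok": [], "relayed_outside": [], "offline": []}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result["offline"].append(name)
        elif peer.get("CurAddr"):
            result["direct"].append(name)
        elif peer.get("Relay") in allowed_relays:
            result["relayed_ok"].append(name)
        else:
            # Relayed through a region that is not in the allowed set: worth a
            # look, since the traffic path leaves the region you expect.
            result["relayed_outside"].append(name)
    return result


def findings(status_json: str) -> List[str]:
    """One line per peer that is relayed through a region outside the allowed set."""
    groups = classify_peers(status_json)
    return [f"{name}: relayed outside the allowed regions" for name in groups["relayed_outside"]]


if __name__ == "__main__":
    # On a real node: replace SAMPLE_STATUS with the output of `tailscale status --json`.
    for group, names in classify_peers(SAMPLE_STATUS).items():
        print(f"{group}: {', '.join(names) or '-'}")
    for line in findings(SAMPLE_STATUS):
        print("WARNING", line)
```

Relayed traffic is still WireGuard-encrypted, so a relay outside the expected region is a path question rather than a confidentiality one, but it is exactly the condition this page promises to avoid and the one you would want an alert on.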

Reversible, because open source

Headscale and WireGuard are open source. You keep the right to take it all back onto your own hardware.

Bunker vs Tailscale

Your network's coordination stays in Europe

Same client, same WireGuard encryption. The difference is the server that orchestrates your network, and where it lives.

Criterion             | Bunker (managed Headscale)      | Tailscale (SaaS)
Control plane         | Hosted in Europe               | Hosted in the US
Coordination metadata | Sovereign, EU law              | Under US law (Cloud Act)
Data plane            | WireGuard encrypted end to end | WireGuard encrypted end to end
Client                | Standard Tailscale client      | Standard Tailscale client
Reversibility         | Open source, re-internalisable | Proprietary SaaS
NAT fallback          | Relays in Europe               | Tailscale relays

Use cases

What a sovereign Zero Trust network is for

SSH access to your VMs

Your servers are reachable only from the WireGuard network, with no SSH port open to the Internet.

Replace a legacy VPN or bastion

A peer-to-peer WireGuard mesh instead of a VPN concentrator or an exposed bastion to maintain.

Connect multiple sites

Offices, datacenters, dev machines: a single encrypted private network, coordinated from Europe.

Grant access without exposing

A contractor or a team joins the network for as long as needed, without opening anything publicly.

FAQ

Frequently asked questions

What is Headscale?

It's the open source reimplementation of Tailscale's coordination server. It plays the same role, managing machine identities and distributing keys, but you can host it wherever you want. Bunker operates it for you, in Europe.

Is this really WireGuard?

Yes. Traffic runs over WireGuard, the VPN built into the Linux kernel, encrypted end to end with ChaCha20-Poly1305. Tunnels are direct, machine to machine, with no relay reading the contents.

How is this different from Tailscale?

The client experience is the same, by design: you use the standard Tailscale client. The difference is the coordination server: with Tailscale it sits in the US, here it's in Europe and reversible. Your coordination metadata stays sovereign.

Are my VMs exposed on the Internet?

No. They open no public port: you reach them only from inside the Zero Trust network. There's no exposed bastion and no public IP to protect.

Deploy your sovereign Zero Trust network

We run the Headscale control plane in Europe; your machines talk over encrypted WireGuard, with nothing exposed to the Internet. Let's talk about your network.

WireGuard is a registered trademark of Jason A. Donenfeld. Tailscale is a trademark of Tailscale Inc. Linux is a registered trademark of Linus Torvalds. Bunker is not affiliated with or endorsed by these companies; these names are used descriptively, to refer to the technologies in use. The Tailscale client binary remains Tailscale Inc.'s software, updated by Tailscale Inc.; it falls outside the sovereign perimeter Bunker operates.