Skip to content

RG versus VPN and bastion patterns

RG differs from VPN, bastion, and jump-host patterns on one structural point: those approaches reach devices by creating an inbound path, and RG reaches them with an outbound-only tunnel and no inbound path at all. VPNs work well for small static fleets on networks you own; they strain on scale, CGNAT, customer sites, per-device access control, and audit. This page compares them honestly.

Comparison at a glance

Dimension VPN / bastion / jump host RG Platform
Inbound exposure Inbound endpoint or listening service to reach and defend Zero inbound at the edge; device connects outward only
Per-site network changes Firewall rules, routes, or client per site None; device dials out from wherever it is
Credential sprawl Shared VPN creds, device logins, jump-host keys Per-component identity; one-time-reveal API secrets; auto-rotating device keys
Per-device access granularity Network-level reach, often all-or-nothing Per-device authorization via two-tier RBAC
Audit coverage Connection logs; device logins often shared/invisible Investigation-grade trail per action, including native-GUI sessions
Behind CGNAT Fails without a reachable endpoint Works; connection is device-initiated outbound
MSP multi-tenancy Per-customer VPNs; manual separation Enforced tenant isolation on shared clusters

What VPNs and bastions do fine

VPNs, bastions, and jump hosts are a reasonable fit for a small, static fleet on networks you administer end to end. When you own the network, can add a firewall rule or route per site, and have a handful of devices at known addresses, a VPN concentrator or a bastion host gives working remote access with familiar tooling. For a single office, a lab, or a data center you control, the per-site setup cost is paid once and the fleet doesn't move. RG is not claiming these patterns are broken everywhere — for that shape of deployment they are perfectly serviceable, and the differences below only start to bite as the deployment leaves those conditions.

Where they break

The VPN/bastion model breaks along predictable seams as deployments grow. Scale: per-site network changes and credential distribution become a standing operational burden across hundreds of sites. CGNAT and cellular: an inbound-dependent approach has nothing to connect to when the device has no reachable address, which RG sidesteps by connecting outward. Customer sites: you cannot reshape a network you don't own, and asking customers to open inbound access is a hard sell and a liability. Per-device RBAC: a VPN grants network reach, not scoped authority over one device, so "operator may reboot this camera but not that controller" is awkward to express. Audit: connection logs show that someone entered the network, but device logins are frequently shared and their use invisible, leaving an accountability gap. RG addresses each of these by construction — outbound-only reach, per-device two-tier RBAC, and an investigation-grade audit trail that records native-GUI sessions and configuration changes per actor.