RG versus VPN and bastion patterns¶
RG differs from VPN, bastion, and jump-host patterns on one structural point: those approaches reach devices by creating an inbound path, and RG reaches them with an outbound-only tunnel and no inbound path at all. VPNs work well for small static fleets on networks you own; they strain on scale, CGNAT, customer sites, per-device access control, and audit. This page compares them honestly.
Comparison at a glance¶
| Dimension | VPN / bastion / jump host | RG Platform |
|---|---|---|
| Inbound exposure | Inbound endpoint or listening service to reach and defend | Zero inbound at the edge; device connects outward only |
| Per-site network changes | Firewall rules, routes, or client per site | None; device dials out from wherever it is |
| Credential sprawl | Shared VPN creds, device logins, jump-host keys | Per-component identity; one-time-reveal API secrets; auto-rotating device keys |
| Per-device access granularity | Network-level reach, often all-or-nothing | Per-device authorization via two-tier RBAC |
| Audit coverage | Connection logs; device logins often shared/invisible | Investigation-grade trail per action, including native-GUI sessions |
| Behind CGNAT | Fails without a reachable endpoint | Works; connection is device-initiated outbound |
| MSP multi-tenancy | Per-customer VPNs; manual separation | Enforced tenant isolation on shared clusters |
What VPNs and bastions do fine¶
VPNs, bastions, and jump hosts are a reasonable fit for a small, static fleet on networks you administer end to end. When you own the network, can add a firewall rule or route per site, and have a handful of devices at known addresses, a VPN concentrator or a bastion host gives working remote access with familiar tooling. For a single office, a lab, or a data center you control, the per-site setup cost is paid once and the fleet doesn't move. RG is not claiming these patterns are broken everywhere — for that shape of deployment they are perfectly serviceable, and the differences below only start to bite as the deployment leaves those conditions.
Where they break¶
The VPN/bastion model breaks along predictable seams as deployments grow. Scale: per-site network changes and credential distribution become a standing operational burden across hundreds of sites. CGNAT and cellular: an inbound-dependent approach has nothing to connect to when the device has no reachable address, which RG sidesteps by connecting outward. Customer sites: you cannot reshape a network you don't own, and asking customers to open inbound access is a hard sell and a liability. Per-device RBAC: a VPN grants network reach, not scoped authority over one device, so "operator may reboot this camera but not that controller" is awkward to express. Audit: connection logs show that someone entered the network, but device logins are frequently shared and their use invisible, leaving an accountability gap. RG addresses each of these by construction — outbound-only reach, per-device two-tier RBAC, and an investigation-grade audit trail that records native-GUI sessions and configuration changes per actor.