Zero-Trust Networking
Helm Enterprise routes all remote connections through a self-hosted WireGuard mesh network — no open inbound ports on client endpoints, no VPN client required for technicians.
How It Works
Every Helm agent installed on a client endpoint registers with your WireGuard mesh coordinator. When a technician connects to an endpoint:
- The technician’s Helm client authenticates with the coordinator
- The coordinator establishes an encrypted peer-to-peer WireGuard tunnel
- All traffic flows through the mesh — no public internet exposure on the endpoint side
No Open Ports
Client endpoints don’t expose any inbound ports. The WireGuard connection is initiated outbound from the endpoint to your coordinator. Firewalls don’t need to be modified. NAT traversal is handled automatically.
Access Control
ACL rules define which technicians can reach which endpoints. Access is policy-driven:
- Role-based (senior techs vs. junior techs)
- Client-based (tech only sees their assigned clients)
- Time-based (on-call windows)
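How the three policy dimensions above can combine into one default-deny decision, as an added example that is not Helm's own code or ACL schema. The `Rule` fields, the `"*"` wildcard, the role names and the client IDs are hypothetical, and the sample policy is constructed; the on-call window check handles shifts that cross midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical rule shape for illustration; Helm's real ACL schema is not shown here.
@dataclass(frozen=True)
class Rule:
    role: str            # technician role the rule applies to
    clients: frozenset   # client IDs covered; "*" means any client
    start: time          # on-call window start
    end: time            # on-call window end (exclusive); may be earlier than start

def in_window(now: time, start: time, end: time) -> bool:
    """True if now is in [start, end), including windows that cross midnight."""
    if start == end:     # assumption: equal bounds mean a 24-hour window
        return True
    if start < end:
        return start <= now < end
    return now >= start or now < end   # overnight window, e.g. 18:00 to 06:00

def is_allowed(rules, tech_role, tech_clients, endpoint_client, when: datetime) -> bool:
    """Default deny: access needs a rule matching role, client and time."""
    # Client-based: the technician must be assigned to the endpoint's client.
    if endpoint_client not in tech_clients:
        return False
    for rule in rules:
        # Role-based: the rule must name the technician's role.
        if rule.role != tech_role:
            continue
        if "*" not in rule.clients and endpoint_client not in rule.clients:
            continue
        # Time-based: the request must fall inside the on-call window.
        if in_window(when.time(), rule.start, rule.end):
            return True
    return False

# Constructed sample policy: seniors at any hour, juniors on "acme" overnight only.
RULES = [
    Rule("senior", frozenset({"*"}), time(0, 0), time(0, 0)),
    Rule("junior", frozenset({"acme"}), time(18, 0), time(6, 0)),
]
```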
Self-Hosted Coordinator
The WireGuard coordinator runs on your infrastructure — a single VM or container. Helm never proxies your traffic through our servers. You own the mesh.
Availability
Zero-trust networking is an Enterprise tier feature.