HexaWAN

Zero Trust · Control-plane console

HexaWAN

Platform monitoring

checking…

A live overview of the whole HexaWAN platform — nodes, VPN users, reverse-proxy traffic, WAF activity, and end-to-end website uptime.

Website monitoring

Every enabled reverse-proxy route is probed through the local reverse proxy each minute — nginx → WAF → upstream, using the route's own hostname (SNI + Host). Uptime %, HTTP status, response time and the served certificate's expiry are recorded. Dialing nginx directly means results don't depend on public DNS or NAT hairpin, so origin-only routes (not proxied through Cloudflare) report correctly too.

No routes to monitor yet. Add a reverse-proxy route and probing begins within a minute.

Reverse-proxy traffic

No traffic recorded in this window yet.

Infrastructure

WAF activity

No nodes have registered yet. Start a node agent and it will appear here.

VPN users

End users sign in from the HexaWAN client with these credentials and receive a config for each node they're entitled to.

No VPN users yet. Click “Add user” to create one.

Reverse proxy

checking…

nginx isn't deployed in this stack, so routes are stored but not served. Add the nginx service (see the README) and restart.

DNS credentials

Cloudflare API tokens (scoped Zone:DNS:Edit), stored encrypted and shared across routes for DNS-01 certificate issuance and renewal. Reference one from a route's “Cloudflare DNS credential” selector.

No DNS credentials yet. Click “Add credential” to store one.

DNS search domains

Comma-separated bare domain suffixes pushed to split-horizon VPN clients on the DNS = line (e.g. ovoteck.com, corp.internal), so split-tunnel clients can install per-suffix NRPT rules. Applied ONLY to clients using the “gateway” resolver; literal-DNS clients are unaffected.

No proxy routes yet. Click “Add route” to create one.

WAF activity

No WAF events in this window. Turn on the WAF (detect or block) for a route to start collecting.

WAF event

Client config


        

Scan in the WireGuard app

Add route

Disabled rule categories — turn whole CRS groups off for this route

Add VPN user

Entitled nodes
Registered devices

Managed config

Overrides applied to every managed client on this node. Blank / 0 means “use the server default”. Changes take effect on each client's next config pull.

Add DNS credential