TUN Nova is an enterprise-grade smart multi-scenario VPN. A single client covers going global, back-to-China, work-from-home and intranet interconnect, automatically routing traffic to the right exit based on the user's location and identity — no manual node selection or config changes.

Which platforms does TUN Nova support?

TUN Nova runs on macOS, Windows, iOS and Android with a consistent experience across every platform.

Does TUN Nova keep my data private?

Yes. TUN Nova integrates with your existing identity system and keeps your data with you. All access is fully auditable, so IT can see who connected to what.

How hard is TUN Nova to deploy?

It works out of the box. Employees connect with a single access code and zero deployment, while administrators get audit logs and node management from a central console.

Smart multi-scenario VPN

One client,
every scenario

Going global · Back to China · Work-from-home · Intranet interconnect — an enterprise VPN that switches across scenarios intelligently. Consistent everywhere, your data stays with you.

Get started →

macOS · Windows · iOS · Android Smart rule-based switching One access code · Zero deploy

Enterprise cross-platform secure access TUN Nova Platform

Scenarios

One client, smart switching across scenarios

By the user's location and identity, traffic is routed to the right exit automatically — no manual node-picking, no reconfiguring. One enterprise VPN covers every scenario.

Going global

Teams in China reach overseas SaaS, code repos and sites — fast and stable, no broken pages.

→Auto route to overseas exit

Back to China

Overseas staff and travelers reach mainland systems, video and payments — like being right at home.

→Auto route to China exit

Work from home

Securely connect back to the office intranet from home — encrypted throughout, auto-reconnect on drop.

→Auto route to office intranet

Intranet interconnect

Link multiple sites, data centers and branch intranets into one network — visit each other directly.

→Site-to-site secure mesh

The problem

Three hurdles of remote & cross-border work

Teams want to connect back to the office, but get stuck — can't connect, not secure, hard to control. Employees struggle, and so does IT.

Before · fiddly, and worrying

Switch devices and you can't connect; configs are a hassle
Cross-border links drop; login pages won't open
IT can't see who connected to what — no traceability
Worried about account / data leaks; audits are hard to pass

After · connect out of the box, controlled and worry-free

One account, consistent across four platforms; switch devices and still connect
Cross-border pre-tunneling + auto-reconnect on drop
Who, when, connected where — fully auditable
Integrates your SSO; your data stays in your own hands

The value

What it brings to your company

4 OS

Employee experience

Consistent everywhere

One account across macOS / Windows / iOS / Android — no relearning when switching devices.

1 code

IT peace of mind

Works out of the box

Employees just need an access code; IT doesn't deploy device by device or configure servers.

100%

Secure & compliant

Your data, your side

Integrates your SSO; connection audits go into your own database; data never leaves your account.

Capabilities · Shipped

Core capabilities, already shipped

Not a roadmap — capabilities you can deploy today.

Cross-platform clients

macOS / Windows / iOS / Android, consistent experience.

Short-code onboarding

One access code, zero-deploy launch.

Dual login

SSO (OIDC) or username & password, fits any identity system.

Connection audit

Sessions / connections / events go into your own database, traceable.

Rules & subscriptions

Visual config push from the console — no hand-written YAML.

Role / routing / overrides

Access control down to the individual.

TUN Console · Highlight

Smart GEO routing

Push different nodes and routing configs by the user's location / identity.

▤Visual template editingProxy groups / rule sets / routing rules — drag to reorder, bulk import.
⧉Shared-group reusePublic proxy groups + upstream groups — maintain once, reference across rules.
⚿Secure deliveryScheduled UUID rotation (old links expire) + AES-256-GCM encryption.

TUN Console · Highlight

Client log system

The console acts as a log relay: clients report → buffer → async batch forward to an external backend, auto-retry on failure with no log loss.

Client reportingUnified across apps

→

Console relayBuffer · async batch · retry

→

External backendLoki / ClickHouse / Syslog

Three log types

Connection sessions / access connections / events (login, force-logout, etc.).

No log loss

Async batching + auto-retry on backend failure, never blocks the client.

Retention cleanup

Expired records purged on schedule; query page searches by type + keyword.

TUN Console

Unified resource management

Scattered operations gathered into one console — users, nodes, plans, versions on a single screen.

⛁Users & subscriptionsCRUD · traffic reset · ban · bulk export · force update.
▣Node & load monitoringAdvanced node editing, online count, CPU / memory trends, one-click deploy script.
⇪App version managementMulti-platform · multi-channel · force update · client auto-check.

Deployment

Three delivery models — choose by your compliance & ops

The same client and console capabilities, with a deployment shape you choose — trade off control, data ownership, and time-to-launch freely.

Option 1 · Enterprise favorite

On-premise deployment

The full console + data deployed on your own servers / intranet; the vendor never touches your data.

Private backend controlConsole runs in your environment — admins, permissions, nodes, plans, versions all in your hands.
Log queryConnection sessions / access records / event logs go into your own database, searchable by type + keyword, purged by retention.
Data stays in-domainIdentity, audit, subscription keys all within your boundary, meeting internal-audit and compliance requirements.
Self-managed upgradesCore / client versions and node deploy scripts self-managed, no external dependency.

Option 2 · Out of the box

SaaS / hosted

Control plane hosted by the vendor — no servers or ops to build, sign up and go, ideal for small & mid teams to launch fast.

Zero-ops launchNo deploy, no maintenance, spin up an org in minutes.
Same capabilitiesAlso supports SSO login, connection audit, rule & subscription push.
Elastic billingSubscribe by scale, expand on demand, low upfront cost.

Option 3 · Flexible mix

Hybrid / dedicated-line

Control plane hosted or self-built; traffic exits through your existing dedicated line / data center, fitting your current network.

Fits existing networksReuse enterprise IPLC / SD-WAN / self-built nodes as the exit.
Optional control planeHosted control plane + your own traffic exit, balancing speed and cost.
Compliant exitMeets fixed-exit-IP and dedicated-line compliance scenarios.

Onboarding

Employees onboard in three steps

With the access code from IT, you're up in seconds — no manual config import, no IT visit.

Enter access code

A 6-digit org code; the client auto-configures.

Log in

Use your company SSO or username & password.

Connect with one tap

One big switch — connect / disconnect at a glance.

macOSWindowsiOSAndroid 中文 · English · 日本語

Get Started

Leave your contact and we'll reach out soon

Tell us your scenario — going global, back to China, WFH or intranet — and we'll tailor a plan and trial for you.

—A specialist reaches out — not a sales bot
—A deployment plan matched to your scenarios
—Your info is only used to contact you

Company*

Contact*

Phone*

WeChat

Team size

Preferred deployment

Notes

We only use it to contact you, nothing else.

Received, thank you! We'll be in touch soon.

Manifesto

Keep your team secure
and worry-free

Consistent everywhere · Out of the box · Your data, your side.

Secure access for every employee

One account, connect out of the box.

Admins can see it and control it

Role routing, full audit, controllable data.

Zero-deploy for IT, instant to use

Just hand out one access code.

One client,every scenario