
arxiv: 2606.11729 · v1 · pith:E6L2LKUDnew · submitted 2026-06-10 · 💻 cs.CR · cs.NI

A VPN-as-a-Service Tailored Enabler for Computing-constrained Environments

Pith reviewed 2026-06-27 09:20 UTC · model grok-4.3

classification 💻 cs.CR cs.NI
keywords: VPN-as-a-Service · Zero Trust · cloud-native · secure tunnels · key generation · constrained environments · IAM integration · per-tenant isolation

The pith

A cloud-native VPN-as-a-Service deploys on-the-fly separate tunnels per tenant while integrating with IAM tools and adapting to computing-constrained environments.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents the design and evaluation of a VPN-as-a-Service for Zero Trust architectures in cloud-native settings. It supports orchestration of isolated, secure tunnels for each remote tenant connecting to infrastructure. The solution integrates with standard identity and access management tools and includes customizations for key generation to suit environments with limited computing resources or entropy sources. This enables secure connectivity for experimental infrastructures under strict isolation and least-privilege requirements.

Core claim

This work contributes the design and evaluation of a cloud-native VPN-as-a-Service that can be easily orchestrated to deploy on-the-fly separate tunnels per each tenant remotely connecting to the infrastructure, integrated with common Identity and Access Management tools, and adapted to computing- or entropy-constrained environments by selecting from RSA or Elliptic Curves as key generation algorithm and their parameters.

What carries the argument

The customizable VPNaaS orchestration layer that selects RSA or Elliptic Curve key generation algorithms and parameters to support adaptation to resource limits while maintaining per-tenant tunnel isolation.

Load-bearing premise

The assumption that selecting RSA or Elliptic Curve key generation algorithms and their parameters will achieve adaptation to computing- or entropy-constrained environments and produce more secure keys.

What would settle it

A benchmark measuring CPU usage, connection setup time, or key security metrics for the VPNaaS versus a standard non-customizable VPN in an environment with deliberately limited processor cycles or random number generation entropy.

Figures

Figures reproduced from arXiv: 2606.11729 by Carolina Fernández-Martínez, César Cajas Parra, Shuaib Siddiqui.

Figure 1. VPNaaS interacting with SDP within the ZTSF.

Figure 2. VPNaaS deployed with RSA keys. Paper text extracted alongside the figure: "To ensure clean re-deployments in any testing environment, a new K8s namespace was generated per test, following the format: 6gbricks-vpnaas-{running mode}-{param iteration}-{num iteration}. Relevant statistical data were computed on the generated data set, including its Standard Deviation (SD) and Inter-Quartile Range (IQR) to understand the best, worse, average and common c…"

Figure 3. VPNaaS deployed with ECDSA keys. Paper text extracted alongside the figure: "…of 2030, which translates into 224 to 256 bits for ECDSA keys [21]. Thus, four curves meet such requirements: prime256v1, secp384r1, sect409k1 and secp521r1; ranging between 128 and 256-bit security level. According to the openssl ecparam -list_curves command, all are defined over a bit prime field of the stated number and are NIST/SECG curves except for prime256v1 (X9.62/S…"
Original abstract

Industry has embraced Zero Trust (ZT) architectural tenets and implementations for cloud-native environments, following stricter security requirements to both internal and external tenants. Among others, these approaches combine fine-grained identity management and monitoring for both inventorying and better analysing the devices' security posture for overall protection, along with strict separation of concerns and isolation to enforce minimal privilege. Networking-wise, ZT approaches rely as well on isolation and least privilege; enacted by separate, secure tunnels per tenant connecting to a given infrastructure. Such implementations can also be applied to the connectivity within and towards experimental infrastructures. In this sense, this work contributes the design and evaluation of a cloud-native VPN-as-a-Service (VPNaaS) that can be (i) easily orchestrated to deploy on-the-fly, separate tunnels per each tenant remotely connecting to the infrastructure; (ii) integrated with common Identity and Access Management (IAM) tools, key to ZT deployments; and (iii) adapt to computing- or entropy-constrained environments. This solution is customisable and allows, among others, to select from RSA or Elliptic Curves (EC) as key generation algorithm and their parameters to achieve more secure keys and adapt to resource-constrained environments.
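As an added example (not code from the paper or the 6G-BRICKS project), the following Python module shows one way to implement the RSA/EC parameter selection the abstract describes and the Figure 3 excerpt motivates: it picks the smallest parameter set that reaches a target security strength, rejects anything below the 2030 floor, and builds the openssl command that generates the key. The size-to-strength table and the 112-bit floor are assumptions taken from NIST SP 800-57 Part 1 and SP 800-131A, not from the page.

```python
"""Key-generation policy selector for a VPNaaS on constrained nodes.
Added example, not code from the paper or the 6G-BRICKS project. It assumes
keys come from the openssl CLI, that the 2030 floor is 112-bit strength
(SP 800-131A: ECDSA >= 224-bit, RSA >= 2048-bit), and uses the SP 800-57
Part 1 size-to-strength table."""
import shutil
import subprocess

# The four curves the paper selects, keyed by field size in bits.
EC_CURVES = {"prime256v1": 256, "secp384r1": 384, "sect409k1": 409, "secp521r1": 521}
RSA_MODULI = (2048, 3072, 7680, 15360)
MIN_STRENGTH_2030 = 112  # assumption: SP 800-131A floor for use through 2030
# (minimum size, strength) pairs from SP 800-57 Part 1, Table 2
EC_TABLE = ((512, 256), (384, 192), (256, 128), (224, 112))
RSA_TABLE = ((15360, 256), (7680, 192), (3072, 128), (2048, 112))


def strength(table, size_bits: int) -> int:
    """Largest strength whose minimum size is met; 0 if below anything acceptable."""
    return next((s for bits, s in table if size_bits >= bits), 0)


def select_keygen(algorithm: str, target_strength: int):
    """Return (parameter name, achieved strength, openssl argv) for the smallest
    parameter set reaching target_strength. Smallest = least CPU and entropy
    consumed, which is the point for computing-constrained environments."""
    if target_strength < MIN_STRENGTH_2030:
        raise ValueError(f"target {target_strength} is below the {MIN_STRENGTH_2030}-bit floor")
    if algorithm == "ec":
        for name, bits in sorted(EC_CURVES.items(), key=lambda kv: kv[1]):
            if strength(EC_TABLE, bits) >= target_strength:
                return name, strength(EC_TABLE, bits), ["openssl", "ecparam", "-name", name, "-genkey", "-noout"]
    elif algorithm == "rsa":
        for bits in RSA_MODULI:
            if strength(RSA_TABLE, bits) >= target_strength:
                return f"rsa-{bits}", strength(RSA_TABLE, bits), ["openssl", "genpkey", "-algorithm", "RSA", "-pkeyopt", f"rsa_keygen_bits:{bits}"]
    raise ValueError(f"no {algorithm} parameters reach {target_strength}-bit strength")


def generate_pem(algorithm: str, target_strength: int):
    """Run the selected command; returns PEM text, or None when openssl is not installed."""
    _, _, argv = select_keygen(algorithm, target_strength)
    if shutil.which("openssl") is None:
        return None
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout
```

With this policy sect409k1 is never chosen, because secp384r1 reaches the same 192-bit strength over a smaller field; generate_pem returns None rather than failing on a node without openssl.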

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper claims to contribute the design and evaluation of a cloud-native VPN-as-a-Service (VPNaaS) for Zero Trust environments. Key features include easy orchestration for on-the-fly deployment of separate per-tenant tunnels, integration with common IAM tools, and adaptability to computing- or entropy-constrained environments through customizable selection of RSA or Elliptic Curve key generation algorithms and their parameters to achieve more secure keys.

Significance. A working implementation demonstrating measurable adaptation (e.g., lower CPU/time or usable entropy under constraints) while preserving or improving security would be a useful practical contribution for ZT deployments in resource-limited settings. However, the manuscript supplies only high-level architectural assertions with no supporting evaluation, metrics, or implementation details, so current significance cannot be assessed.

major comments (1)
  1. [Abstract] Abstract: The manuscript states that it contributes 'design and evaluation' of a VPNaaS that can 'adapt to computing- or entropy-constrained environments' and 'achieve more secure keys' by allowing selection of RSA or EC algorithms and parameters. No evaluation section, methods, results, benchmarks, timing measurements, entropy data, or comparisons to baseline configurations (e.g., WireGuard/OpenVPN) are present to support these claims. This directly undermines the central contribution, as the adaptation and security benefits are asserted without evidence.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback. We address the single major comment below and will make the corresponding revision.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The manuscript states that it contributes 'design and evaluation' of a VPNaaS that can 'adapt to computing- or entropy-constrained environments' and 'achieve more secure keys' by allowing selection of RSA or EC algorithms and parameters. No evaluation section, methods, results, benchmarks, timing measurements, entropy data, or comparisons to baseline configurations (e.g., WireGuard/OpenVPN) are present to support these claims. This directly undermines the central contribution, as the adaptation and security benefits are asserted without evidence.

    Authors: We agree that the abstract and introduction claim a contribution of both 'design and evaluation' together with concrete adaptation and security benefits, yet the manuscript contains only architectural description and no evaluation section, methods, results, benchmarks, timing measurements, entropy data, or baseline comparisons. This is a substantive gap that prevents assessment of the claimed benefits. We will revise the manuscript to remove the unsupported 'evaluation' language from the abstract (and related sections) unless an evaluation section with the required metrics and comparisons is added.

    Revision: yes

Circularity Check

0 steps flagged

No circularity: purely architectural description with no derivations or self-referential reductions

full rationale

The paper describes a cloud-native VPNaaS design, orchestration, IAM integration, and customizability for RSA/EC parameters. No equations, fitted parameters, predictions, or derivation chains appear in the provided text. Claims of adaptation to constrained environments are presented as design features rather than results derived from inputs by construction. No self-citation load-bearing steps, uniqueness theorems, or ansatzes are invoked. The work is self-contained as an engineering contribution without reducing to tautology.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract introduces no free parameters, axioms, or invented entities; the work is a high-level system design description without mathematical or theoretical components.

pith-pipeline@v0.9.1-grok · 5754 in / 1156 out tokens · 19957 ms · 2026-06-27T09:20:36.022868+00:00 · methodology

