Version: 1.19.0 (latest)

Egress

Kasm Workspaces lets administrators define Egress Providers to control how session traffic reaches external or private destinations.

Kasm supports two egress models:

  • Gateway-based egress: users choose a gateway at launch and the workspace's outbound traffic tunnels through that route.
  • Zero-trust egress: access is identity- and policy-based.

Use egress to meet security, network segmentation, and geography requirements. Egress Providers can be mapped to a Workspace, User, or Group. For gateway-based providers, this mapping controls which gateways can be selected at launch. Credentials can also be assigned on workspace/group/user objects: for example, a username/password for OpenVPN or a private key for Wireguard.

Note

For operational logs, troubleshooting commands, and forensics considerations, see Operations and Troubleshooting.

Note

When using Banners, Kasm can expose egress environment variables (provider, gateway, location).

Choose An Egress Model

Gateway-based

Gateway-based providers use provider-specific gateway configs and optional user credentials. Administrators may use the Egress feature to grant access to secure environments via a VPN, or to route Kasm traffic through a location geographically separated from the Kasm deployment.

  • Custom: Flexible provider model for non-standard or internal integrations.
  • OpenVPN: Classic VPN workflow using username/password credentials.
  • PureVPN (Managed): Managed gateway catalog synchronized through Kasm licensing.
  • Wireguard: Lightweight VPN workflow using user private key credentials.

Zero-trust

Zero-trust egress is a security model that treats every connection as untrusted until verified by identity and policy. Instead of giving broad network path access through a selected gateway, administrators define who can access which services under what conditions.

  • OpenZiti: Identity-driven, policy-based egress without launch-time gateway selection.

Operational Guidance

Shared runtime, diagnostics, and maintenance guidance is in: