Use Case
DDoS Protection Built for VPN Providers
Your users trust you with their traffic. When a DDoS attack hits a VPN concentrator, every connected user gets disconnected simultaneously. Flowtriq detects attacks in under 1 second and auto-mitigates at the kernel level, keeping your VPN infrastructure online and your users connected.
The Problem
One attack takes down thousands of connected users
VPN concentrators are high-value targets. A single server running WireGuard or OpenVPN can handle hundreds or thousands of concurrent tunnels. When a volumetric flood saturates that endpoint, every connected user drops simultaneously. Reconnection attempts amplify the load, turning a brief attack into an extended outage.
UDP amplification attacks targeting well-known VPN ports (WireGuard 51820, OpenVPN 1194, IPsec 500/4500) are trivial to launch and devastatingly effective. Attackers know these ports are open by design and use them as attack surfaces. Traditional rate limiting on VPN ports kills legitimate tunnel traffic alongside attack packets.
Uptime is the product. VPN users have zero patience for instability. They have five other providers installed on their device and will switch within minutes if your service degrades. Every attack you fail to mitigate quickly is a permanent loss of subscribers to a competitor.
09:14:03 WireGuard endpoint saturated at 4Gbps
09:14:05 2,400 users disconnected
09:14:12 Reconnection storm begins
09:14:30 Reconnections amplifying server load
09:16:00 NOC alerted via monitoring
09:21:00 Manual firewall rule applied
09:21:00 Total disruption: 7 minutes
Users disconnected: 2,400
Reconnection failures: 840
Users churned within 24h: 190
How Flowtriq Helps
Attack traffic drops. Tunnel traffic continues.
The FTAgent runs on each VPN concentrator, reading kernel-level network statistics every second. When a UDP flood targets port 51820, the agent detects the anomaly within one second, classifies the attack, and applies targeted nftables rules that drop attack packets while preserving legitimate WireGuard handshakes and tunnel traffic.
Port-aware detection understands the difference between a volumetric flood hitting a VPN port and a spike in legitimate tunnel traffic. Flowtriq does not blindly rate-limit your VPN ports. It identifies attack characteristics (source entropy, packet size distribution, protocol violations) and surgically drops only malicious packets.
Your users never notice the attack. No disconnections, no reconnection storms, no degraded performance. The attack is absorbed at the kernel before it reaches your VPN process. When the attack subsides, mitigation rules withdraw automatically.
09:14:01 PPS=312,000 BPS=4.1Gbps THRESHOLD
T+0.1s Incident opened · UDP Flood · port 51820
T+0.3s Auto-mitigation · nftables rules applied
T+0.4s Attack classified · amplification · 96%
T+0.5s Alerts fired · Slack · PagerDuty
09:14:02 PPS=18,450 BPS=425Mbps MITIGATED
09:22:00 Attack subsides · rules withdrawn
Users disconnected: 0
Tunnel traffic: uninterrupted
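A sketch of the per-second threshold check shown in the timeline above, as an added example that is not Flowtriq's agent code. It assumes the counters come from /proc/net/dev and that the baseline is an exponentially weighted average; the class, function names, tuning constants and snapshots are constructed for illustration, reusing the PPS and BPS figures from the timeline.

```python
# Added example, not Flowtriq code. The counter source (/proc/net/dev) and the
# tuning constants (alpha, factor, floor) are assumptions made for illustration.

def parse_rx(text, iface):
    """Return cumulative (rx_bytes, rx_packets) for iface from /proc/net/dev text."""
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            fields = rest.split()
            return int(fields[0]), int(fields[1])
    raise KeyError(iface)

class DynamicBaseline:
    """EWMA of packets/sec; a second breaches when it exceeds factor * baseline."""
    def __init__(self, alpha=0.2, factor=5.0, floor=1000.0):
        self.alpha, self.factor, self.floor = alpha, factor, floor
        self.mean = None

    def observe(self, pps):
        if self.mean is None:            # first sample seeds the baseline
            self.mean = float(pps)
            return False
        breach = pps > max(self.floor, self.factor * self.mean)
        if not breach:                   # attack seconds must not raise the baseline
            self.mean += self.alpha * (pps - self.mean)
        return breach

def scan(snapshots, iface, interval=1.0):
    """Turn successive counter snapshots into (pps, bps, breach) tuples."""
    baseline, out = DynamicBaseline(), []
    prev = parse_rx(snapshots[0], iface)
    for text in snapshots[1:]:
        cur = parse_rx(text, iface)
        pps = (cur[1] - prev[1]) / interval
        bps = (cur[0] - prev[0]) * 8 / interval
        out.append((pps, bps, baseline.observe(pps)))
        prev = cur
    return out

# Constructed input: cumulative counters sampled once per second.
HEADER = ("Inter-|   Receive                                                |  Transmit\n"
          " face |bytes    packets errs drop fifo frame compressed multicast|"
          "bytes    packets errs drop fifo colls carrier compressed\n")

def make_snapshot(rx_bytes, rx_packets):
    return (HEADER + "    lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n"
            f"  eth0: {rx_bytes} {rx_packets} 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n")

PER_SECOND = [(53_125_000, 18_450)] * 4 + [(512_500_000, 312_000), (53_125_000, 18_450)]
SNAPSHOTS, total_b, total_p = [make_snapshot(0, 0)], 0, 0
for delta_b, delta_p in PER_SECOND:
    total_b, total_p = total_b + delta_b, total_p + delta_p
    SNAPSHOTS.append(make_snapshot(total_b, total_p))
```

Interface counters cannot say which port is being hit; a per-port view would need a separate source such as an nftables counter on UDP/51820.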
Key Features
Purpose-built for VPN infrastructure
Per-concentrator monitoring
Deploy the FTAgent on every VPN concentrator across every PoP. Each endpoint is monitored independently with its own dynamic baselines, thresholds, and mitigation policies. One dashboard gives your team visibility into every concentrator worldwide.
Port-aware detection
Flowtriq understands VPN port semantics. It monitors WireGuard (51820), OpenVPN (1194), and IPsec (500/4500) with protocol-specific baselines. Attack detection accounts for the fact that these ports must remain open, classifying traffic by pattern rather than volume alone.
Auto-mitigation
When an attack is detected, kernel-level firewall rules drop malicious packets before they reach your VPN process. For attacks exceeding local capacity, BGP FlowSpec filters traffic at the network edge. Rules auto-withdraw when the attack ends. No manual intervention required.
BGP FlowSpec integration
VPN providers operate their own network edge with BGP peering. Flowtriq speaks FlowSpec natively, pushing granular filter rules to your edge routers when attacks exceed what kernel-level mitigation can absorb. Traffic is filtered upstream before it reaches the concentrator.
Multi-region monitoring across PoPs
Whether you run 3 PoPs or 30, every concentrator reports to one workspace. Group nodes by region, datacenter, or provider. Correlate attacks across locations to identify coordinated campaigns targeting your infrastructure globally.
PCAP forensics
Every incident includes a full packet capture starting from pre-attack traffic. Download PCAPs for forensic analysis, share them with upstream providers, or use them to build permanent filter rules for repeat attack patterns targeting your VPN endpoints.
Real-time alerting
Route alerts to the right team at the right time. Send Slack notifications for minor incidents, page your NOC for volumetric attacks, and trigger automated responses via webhooks. Escalation policies ensure nothing falls through during off-hours.
API for automation
Automate node provisioning, threshold configuration, and incident management via the REST API. Integrate Flowtriq into your deployment pipeline so every new concentrator is automatically enrolled and monitored from the moment it goes live.
Prometheus metrics export
Export per-node metrics to Prometheus for custom Grafana dashboards. Track PPS, BPS, incident counts, and mitigation latency alongside your existing infrastructure metrics. Infrastructure-as-code is supported through the Terraform provider.
User-impact correlation
Correlate attack events with user session data. Know exactly how many concurrent tunnels were active on a concentrator when an attack hit, and verify that zero users were disconnected during mitigation. Quantify the impact you prevented.
Getting Started
Deploy across your PoPs in minutes
Rolling out Flowtriq to your VPN infrastructure takes less time than investigating a single attack incident manually. Here is how it works from signup to full coverage.
Create your workspace
Sign up at flowtriq.com and create a workspace for your VPN service. Add your infrastructure team with admin access. The 7-day free trial starts immediately with no credit card required.
Install the FTAgent on each concentrator
The agent installs with pip install ftagent and runs as a lightweight systemd service. It reads kernel-level network statistics with near-zero CPU overhead. Deploy it across your PoPs with Ansible, Terraform, or any configuration management tool you already use.
Configure VPN port baselines
Tell Flowtriq which ports your VPN protocols use. The agent learns normal traffic patterns for each port and sets dynamic thresholds automatically. WireGuard, OpenVPN, and IPsec ports get protocol-aware baselines out of the box.
Enable auto-mitigation
Define mitigation policies per concentrator or globally. Choose which attack types trigger automatic firewall rules, configure BGP FlowSpec integration with your edge routers, and set rule withdrawal timers. Start with conservative settings and tune as you see real traffic patterns.
Monitor and optimize
Within hours, Flowtriq learns your normal traffic baselines across all PoPs and sets dynamic thresholds automatically. Review the analytics dashboard to understand traffic patterns, correlate attacks across regions, and verify zero-disconnection mitigation.
By the Numbers
The impact on your VPN operations
Before & After
How Flowtriq transforms your DDoS response
Without Flowtriq
- Attacks saturate VPN concentrators for minutes
- Thousands of users disconnected simultaneously
- Reconnection storms amplify server load
- Manual firewall rules risk blocking tunnel traffic
- Users switch to competing VPN providers
- No visibility into which ports or protocols were targeted
- Repeated attacks cause sustained subscriber churn
With Flowtriq
- Detection in under 1 second per concentrator
- Zero user disconnections during mitigation
- No reconnection storms because tunnels stay up
- Surgical mitigation preserves legitimate tunnel traffic
- Users never notice the attack happened
- Full port-level forensics and PCAP capture
- Subscriber retention protected automatically
Pricing
Simple per-node pricing. No surprises.
One node = one VPN concentrator. Monitor 5 PoPs or 50 at the same price per node. No bandwidth fees, no overage charges, no contracts. Cancel anytime. Unlimited team seats included.
Compatibility
Works with your existing stack
The FTAgent runs on any Linux server with kernel 3.10 or later. It supports all major distributions including Ubuntu, Debian, CentOS, Rocky Linux, AlmaLinux, and Fedora. Whether you run bare-metal concentrators or cloud-based VPN nodes, the agent works the same way.
The agent is protocol-agnostic. It operates at the kernel level below your VPN software, so it works with WireGuard, OpenVPN, IPsec/IKEv2, SoftEther, or any other VPN protocol. No changes to your VPN configuration required.
Flowtriq integrates with your existing tools. Export incident data via webhooks to your SIEM or ticketing system. Use the REST API to automate provisioning when new PoPs come online. Pull metrics into Grafana or your own monitoring stack via Prometheus.
VPN Protocols
• WireGuard (UDP/51820)
• OpenVPN (UDP/1194, TCP/443)
• IPsec / IKEv2 (UDP/500, 4500)
• SoftEther, L2TP, SSTP
Operating Systems
• Ubuntu 18.04, 20.04, 22.04, 24.04
• Debian 10, 11, 12
• CentOS 7, 8, 9 Stream
• Rocky Linux 8, 9
Firewalls
• iptables / ip6tables
• nftables
• ufw (Uncomplicated Firewall)
FAQ
Common questions from VPN providers
Can I monitor all my VPN endpoints globally?
Yes. Deploy the FTAgent on every concentrator worldwide and monitor them all from a single dashboard. Whether you run 5 PoPs or 50, every endpoint reports to one workspace with unified alerting, incident history, and analytics.
Will mitigation rules interfere with VPN tunnel traffic?
No. Flowtriq classifies attack traffic vs legitimate tunnel traffic. Mitigation targets attack patterns, not VPN ports. Your WireGuard, OpenVPN, and IPsec tunnels continue operating normally while attack packets are dropped at the kernel level.
Does it support WireGuard, OpenVPN, and IPsec?
Yes. The agent is protocol-agnostic. It monitors at the kernel level and works with any VPN protocol. Whether you run WireGuard on UDP/51820, OpenVPN on UDP/1194, or IPsec on UDP/500 and 4500, Flowtriq detects and mitigates attacks targeting those endpoints.
How does it handle a reconnection storm after a brief outage?
Dynamic baselines adapt to reconnection patterns. A burst of legitimate reconnections is distinguished from an attack by packet characteristics. The agent analyzes packet sizes, source diversity, and protocol handshake signatures to differentiate a reconnection storm from a volumetric flood.
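The features named in this answer and under "How Flowtriq Helps" (packet sizes, source diversity, protocol handshake signatures) can be computed over a one-second window as follows. This is an added example, not Flowtriq's classifier: the record layout, the 0.5 thresholds and the sample windows are assumptions constructed for illustration, and only the WireGuard message types and fixed lengths come from the protocol itself.

```python
# Added example, not Flowtriq code. Record layout, thresholds and sample
# traffic are assumptions constructed for illustration.
import math
from collections import Counter

# WireGuard message type -> exact UDP payload length (type 4, data, is variable).
WG_FIXED = {1: 148, 2: 92, 3: 64}

def is_wireguard(size, head):
    """head = first 4 payload bytes: message type, then three reserved zero bytes."""
    if len(head) < 4 or head[1:4] != b"\x00\x00\x00":
        return False
    if head[0] == 4:
        return size >= 32                # 16-byte header + 16-byte auth tag
    return WG_FIXED.get(head[0]) == size

def source_entropy(sources):
    """Shannon entropy of source addresses, scaled so 1.0 = every packet unique."""
    n = len(sources)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(sources).values())
    return h / math.log2(n)

def classify(window):
    """window: list of (src_ip, payload_size, head) seen in one second on UDP/51820."""
    n = len(window)
    if n == 0:
        return "normal", {}
    valid = [is_wireguard(size, head) for _, size, head in window]
    sizes = Counter(size for _, size, _ in window)
    features = {
        "invalid_ratio": 1 - sum(valid) / n,
        "handshake_ratio": sum(ok and head[0] == 1
                               for (_, _, head), ok in zip(window, valid)) / n,
        "source_entropy": source_entropy([src for src, _, _ in window]),
        "top_size_share": sizes.most_common(1)[0][1] / n,
    }
    if features["invalid_ratio"] > 0.5:          # mostly not WireGuard at all
        verdict = "flood"
    elif features["handshake_ratio"] > 0.5:      # mostly well-formed initiations
        verdict = "reconnection-storm"
    else:
        verdict = "normal"
    return verdict, features

# Constructed windows (documentation address ranges, made-up payload heads).
STORM = [(f"198.51.100.{i % 250}", 148, b"\x01\x00\x00\x00") for i in range(300)]
FLOOD = [(f"203.0.113.{i % 20}", 468, b"\x97\x00\x00\x01") for i in range(2000)]
FLOOD += STORM[:40]                              # legitimate clients mixed in
NORMAL = [(f"198.51.100.{i % 50}", 32 + 16 * (i % 80), b"\x04\x00\x00\x00")
          for i in range(400)]
```

These header checks are stateless; WireGuard's own mac1 and cookie validation still decides whether a handshake message is processed.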
White-Label
Use it internally or resell it under your brand.
You don't have to choose. Run Flowtriq as an internal tool for your infrastructure team, or white-label it and offer DDoS protection as a branded feature of your VPN service. Same platform, two business models.
Internal use: Deploy the agent across your concentrators at $9.99/node. Your team monitors everything from one dashboard. Users never see it.
White-label: Rebrand the entire platform under your company name for a one-time $200 deposit (applied as billing credit). Custom domain, logo, colors, fonts, and login page. Per-node cost drops to $7.99/node/month. Market DDoS protection as a premium feature of your VPN service.
Your team logs into dashboard.yourcompany.com, sees your logo, your colors, and your support contact. No mention of Flowtriq anywhere.
Domain: dashboard.yourcompany.com
Logo: ✓ Custom uploaded
Colors: ✓ Brand primary + accent
Login: ✓ Custom heading + text
Branding: ✓ All Flowtriq refs removed
Cost: $7.99/node/month
Deposit: $200 (applied as credit)
Seats: Unlimited (no per-user fee)