Design principles

Read an overview of Zero Assumption's design principles.

Zero Assumptions (ZA) is built for businesses that value security, but not at the expense of their users' experience. It's also as transparent to your users as you want it to be. ZA is friction-less, flexible, and offers on-prem monitoring and data collection at a lower market cost.

Unlike our competitors, we deliver IAP features via VPN, without constraints on users.


Zero Assumptions is built on Rust, WireGuard, and Ory/Kratos. Overall, the combination of these three technologies gives ZA multiple advantages, including the following:

  • We have less resources required to run our product, and it's faster - on average, WireGuard is about 58% faster than OpenVPN.
  • The flexibility of our data plane allows placing ingress nodes closer to either where clients or private resources are located.
  • We're not limited to a single server, like with OpenVPN, which allows very flexible deployment topologies: site-to-site, hub-and-spoke, hub-and-hub, and more. Not having a single point of entry allows software clients to pick the best available route.

Learn more about why we selected each technology for our product.


Rust is a modern language that doesn't ignore decades of progress made in software development. Its safety guarantees and zero-cost abstractions ensure that code is safe and fast.


WireGuard runs using just 4,000 lines of code. In comparison, OpenVPN uses 70,000 lines of code. There is less likelihood of bugs impacting WireGuard’s performance and safety.

Given that WireGuard is simply a tunneling protocol, it makes a great building block for a secure overlay network.

"Can I just once again state my love for it [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPsec, it’s a work of art." — Linus Torvalds, Principal developer of the Linux kernel, August 2018


We use Ory/Kratos as our identity management system. Since Ory/Kratos was originally built for Sainsbury UK, there are more eyes on the software. Because there's a whole team behind the product, this potentially reduces the chances of errors in the authentication stack.


Zero Assumptions is split into two logical sections: control plane and data plane. The split is purely logical, and nothing stops customers from running their entire application on a single Raspberry Pi or VM.

Control Plane

The control plane is the brain of Zero Assumptions and includes:

  • Identity management features
  • ACLs (Access Control Lists)
  • Configuration of data plane nodes

Data Plane

The data plane is where the overlay network's traffic is running. It's designed to be simple and low maintenance. Just connect the control plane to the data plane, and install data plane updates periodically. The logic of the product is handled by the control plane.

Identity Providers