MindFront Perimeter
Each organization receives its own dedicated, isolated MindFront. Perimeter is the security layer around it. It’s not just a VPN — it’s the whole set of controls that decide what reaches your appliance, what reaches your internal systems through it, what your AI is allowed to do on the way out, and what record is kept of all of it.
This page covers the parts of Perimeter in turn.
1. Private Network Access
Perimeter is the private gateway into your MindFront server, built on top of WireGuard — the modern VPN standard now adopted by most global enterprises in place of older protocols like IPsec and OpenVPN.
Your MindFront is unreachable from the public internet. Anyone wanting to talk to it — a user, a connected mobile device, an admin from home — first has to be on the tunnel. No tunnel, no MindFront.
Standard Mode
```mermaid
flowchart LR
    U["`User Device`"] -- "`MindFront traffic`" --> S["`MindFront Mainframe`"]
    U -. "`(web, video, downloads)`" .-> I["`Public Internet`"]
```
Standard Mode is the default for day-to-day work. It tunnels only MindFront data while everything else — web browsing, video calls, software updates — leaves on the local line as usual.
Full Coverage Mode
```mermaid
flowchart LR
    F["`User Device`"] -- "`ALL traffic`" --> S2["`MindFront Mainframe`"]
    S2 --> I["`Public Internet`"]
```
Full Coverage Mode is enabled per-user on request. It is typically used for senior staff working from hotels, airports, or client sites where the network can’t be trusted. Every packet — mail, web, video — runs through the WireGuard tunnel into the mainframe; the user gets one encrypted path that hides location and blocks local snooping, and IT gets one audit point for traffic if the trip involves sensitive material.
It’s not the everyday default: it adds latency and offers no benefit outside these specific scenarios.
2. Device Management
Perimeter manages WireGuard access per-user and per-device. A user can have a laptop, a phone, a tablet, and a VR headset all connected at once, each with its own profile. Each device is tracked individually so an admin can revoke a single profile (e.g. a lost phone) without disconnecting the user’s other devices.
Per device, the system records:
- Which user the device belongs to
- Device type (computer, phone, tablet, headset)
- Public key, allowed IP, last-seen endpoint
- Data transferred in / out
- Last handshake timestamp (so you know if it’s currently connected)
- Approximate geographic location (city + country) resolved locally from the endpoint IP via an on-appliance GeoLite2 database
Geographic location is resolved entirely on the appliance — no third-party IP-lookup API is called.
Beyond user devices, Perimeter also handles infrastructure peers — directly connecting routers (e.g. MikroTik) and dedicated gateway boxes (Raspberry Pi style) into the same tunnel mesh, so a small office can have its whole local network reach MindFront without per-user profiles.
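The per-device fields listed above map almost one-to-one onto what the WireGuard tool itself reports. The following is an added example, not MindFront’s code: it parses the tab-separated output of `wg show <iface> dump` (interface line first, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake in unix seconds, rx bytes, tx bytes, keepalive) into per-device records, derives the “currently connected” flag from the handshake timestamp, and groups profiles by owner so one can be revoked on its own. The sample dump, the key-to-owner registry and the `GEO_STUB` stand-in for the on-appliance GeoLite2 lookup are constructed for illustration.

```python
"""Per-device records from `wg show <iface> dump`, with a connected/idle flag.

Added example; not MindFront's code. The sample dump, REGISTRY and GEO_STUB are
constructed. GEO_STUB is a hypothetical stand-in for the local GeoLite2 lookup.
"""
from __future__ import annotations

from dataclasses import dataclass

# WireGuard discards handshakes older than 180 s (its REJECT_AFTER_TIME), so a peer
# whose latest handshake is older than that is not currently exchanging data.
CONNECTED_WINDOW_S = 180


@dataclass
class DeviceRecord:
    owner: str
    device_type: str
    public_key: str
    allowed_ips: str
    endpoint: str | None      # last-seen endpoint, None if the peer never connected
    rx_bytes: int
    tx_bytes: int
    last_handshake: int       # unix seconds, 0 = never
    location: str | None      # city + country, None if unresolved

    def is_connected(self, now: int) -> bool:
        return self.last_handshake > 0 and now - self.last_handshake <= CONNECTED_WINDOW_S


# Constructed sample of `wg show wg0 dump` output (keys shortened to labels).
SAMPLE_DUMP = "\n".join([
    "SERVERPRIV=\tSERVERPUB=\t51820\toff",
    "LAPTOPPUB=\t(none)\t203.0.113.7:51820\t10.250.0.6/32\t1700000100\t8123456\t2345678\t25",
    "PHONEPUB=\t(none)\t198.51.100.9:43210\t10.250.0.7/32\t1699990000\t4096\t2048\t25",
    "TABLETPUB=\t(none)\t(none)\t10.250.0.8/32\t0\t0\t0\toff",
])

# Constructed registry: peer public key -> (owner, device type). Perimeter keeps this
# in its per-device profile store; a dict stands in for it here.
REGISTRY = {
    "LAPTOPPUB=": ("alice", "computer"),
    "PHONEPUB=": ("alice", "phone"),
    "TABLETPUB=": ("bob", "tablet"),
}

# Hypothetical stand-in for the on-appliance GeoLite2 lookup: no network call is made.
GEO_STUB = {"203.0.113.7": "Amsterdam, NL", "198.51.100.9": "Berlin, DE"}


def parse_dump(dump: str) -> list[DeviceRecord]:
    """One DeviceRecord per peer line; the first line of the dump is the interface."""
    records: list[DeviceRecord] = []
    for line in dump.splitlines()[1:]:
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = line.split("\t")
        owner, device_type = REGISTRY.get(pub, ("unassigned", "unknown"))
        if endpoint == "(none)":
            endpoint_value, host = None, None
        else:
            endpoint_value = endpoint
            host = endpoint.rsplit(":", 1)[0]   # drop the port; keeps [v6] brackets intact
        records.append(DeviceRecord(
            owner, device_type, pub, allowed, endpoint_value,
            int(rx), int(tx), int(handshake), GEO_STUB.get(host) if host else None,
        ))
    return records


def connected(records: list[DeviceRecord], now: int) -> list[str]:
    """Public keys of peers that completed a handshake inside the window."""
    return [r.public_key for r in records if r.is_connected(now)]


def devices_of(records: list[DeviceRecord], owner: str) -> list[DeviceRecord]:
    """All profiles of one user, so a single one (a lost phone) can be revoked alone."""
    return [r for r in records if r.owner == owner]


if __name__ == "__main__":
    now = 1700000200
    for r in parse_dump(SAMPLE_DUMP):
        state = "connected" if r.is_connected(now) else "idle"
        print(f"{r.owner:8} {r.device_type:9} {state:10} {r.location or '-':15} "
              f"rx={r.rx_bytes} tx={r.tx_bytes}")
```

With the constructed sample, only the laptop counts as connected at `now = 1700000200`; the phone handshook almost three hours earlier and the tablet never did. Revoking the phone would be a `wg set` removal of its public key alone, leaving the laptop’s record untouched.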
3. Reverse Proxy for Internal Tools
Perimeter includes a reverse-proxy engine that lets MindFront sit in front of your internal services — an on-prem ERPNext, a Frappe instance, a file share with a web UI, a custom dashboard, an internal API. The appliance terminates TLS (the cert is issued and renewed automatically) and forwards the request to the backend.
The effect: any internal service you put behind Perimeter inherits the same access posture as MindFront itself — only reachable over the tunnel, no public attack surface, audited at the gateway.
Configuration is admin-controlled. Each proxied service has a label, a public DNS name, and a backend URI.
4. Outbound Action Gating
Perimeter is also the boundary on the way out. Every action MindFront takes that touches the outside world — sending an email, updating a CRM record, calling a third-party API, triggering anything irreversible — carries a risk level. Low-risk actions (reading data, internal searches) run on their own. Anything with real-world consequence goes through inline machine-tier triage that can:
- Approve the action and let it run, with the AI’s reasoning logged,
- Block it outright if the triage decides it’s unsafe, or
- Escalate to a human with a one-sentence explanation shown on the approval card.
High-risk and irreversible actions always require explicit human approval. Some actions are configurably forbidden regardless of context.
The result: there is no path from the AI to the outside world that doesn’t go through risk evaluation. A bad prompt can’t sneak an outbound email past the gate.
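The three outcomes above (approve, block, escalate) and the two hard rules (irreversible actions always reach a human; some actions are forbidden regardless of context) can be made concrete as a small gate. The following is an added example, not MindFront’s code: the action kinds, their risk tiers, the forbidden set, the internal-domain list and the triage rules are all constructed to illustrate the flow; every decision is kept with the AI’s stated reasoning and a one-sentence explanation of the kind that would appear on an approval card.

```python
"""Outbound action gating: risk-tiered triage before an action leaves the boundary.

Added example; not MindFront's code. RISK_BY_KIND, FORBIDDEN, INTERNAL_DOMAINS and
the rules in machine_triage() are constructed policy, not Perimeter's actual rules.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    LOW = 1            # read-only or internal: runs on its own
    CONSEQUENTIAL = 2  # touches the outside world: inline machine triage
    IRREVERSIBLE = 3   # cannot be undone: always a human


class Verdict(Enum):
    APPROVE = "approved"
    BLOCK = "blocked"
    ESCALATE = "escalated"


@dataclass(frozen=True)
class ProposedAction:
    kind: str        # e.g. "email.send", "crm.update", "api.call"
    target: str      # recipient, record id, URL ...
    reasoning: str   # the AI's own justification; logged with the decision


@dataclass
class Decision:
    action: ProposedAction
    risk: Risk
    verdict: Verdict
    explanation: str  # one sentence, shown on the approval card when escalated


# Constructed policy table: risk tier per action kind.
RISK_BY_KIND = {
    "search.internal": Risk.LOW, "read.record": Risk.LOW,
    "email.send": Risk.CONSEQUENTIAL, "crm.update": Risk.CONSEQUENTIAL,
    "api.call": Risk.CONSEQUENTIAL,
    "payment.send": Risk.IRREVERSIBLE, "record.delete": Risk.IRREVERSIBLE,
}
FORBIDDEN = {"record.delete"}          # blocked whatever the context
INTERNAL_DOMAINS = ("example.com",)    # constructed: recipients inside the organisation


def machine_triage(action: ProposedAction) -> tuple[Verdict, str]:
    """Inline triage for CONSEQUENTIAL actions (constructed rules)."""
    if not action.reasoning.strip():
        return Verdict.BLOCK, "No reasoning supplied for an outbound action."
    if action.kind == "email.send":
        domain = action.target.rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            return Verdict.APPROVE, f"Internal recipient ({domain}); reasoning logged."
        return Verdict.ESCALATE, f"Email to external recipient {action.target} needs sign-off."
    return Verdict.ESCALATE, f"{action.kind} on {action.target} has an external effect."


class ActionGate:
    """Every proposed action passes through evaluate(); nothing bypasses it."""

    def __init__(self) -> None:
        self.decisions: list[Decision] = []   # preserved for the audit trail

    def evaluate(self, action: ProposedAction) -> Decision:
        # Unknown kinds are treated as the worst case rather than waved through.
        risk = RISK_BY_KIND.get(action.kind, Risk.IRREVERSIBLE)
        if action.kind in FORBIDDEN:
            verdict, why = Verdict.BLOCK, f"{action.kind} is forbidden by policy."
        elif risk is Risk.LOW:
            verdict, why = Verdict.APPROVE, "Low-risk internal action."
        elif risk is Risk.IRREVERSIBLE:
            verdict, why = Verdict.ESCALATE, f"{action.kind} is irreversible; human approval required."
        else:
            verdict, why = machine_triage(action)
        decision = Decision(action, risk, verdict, why)
        self.decisions.append(decision)
        return decision


if __name__ == "__main__":
    gate = ActionGate()
    for a in (ProposedAction("search.internal", "contracts", "find Q3 contracts"),
              ProposedAction("email.send", "cfo@partner.org", "send the revised quote"),
              ProposedAction("record.delete", "crm/4711", "remove duplicate")):
        d = gate.evaluate(a)
        print(f"{d.verdict.value:9} {d.risk.name:13} {a.kind:16} {d.explanation}")
```

The order of checks is the point: the forbidden list is consulted before the risk tier, and a kind the policy does not know defaults to the irreversible tier, so a prompt that invents a new action name still lands in front of a human rather than slipping through as “low risk”.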
5. Audit Trail
Every mutation Perimeter performs is recorded in an append-only audit log — peer created, peer updated, peer deleted, WireGuard server started, stopped, restarted, configuration reloaded — with the requesting admin’s user ID and the exact before/after state. The log is stored in an append-only engine: no delete, no overwrite. If something changes, you can find out when, by whom, and what it was before.
Outbound-action decisions (approved / blocked / escalated) are similarly preserved, including the AI’s reasoning, so an auditor can trace any action that touched the outside world back to the decision that let it through.
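The following is an added example, not MindFront’s code, of the audit-trail properties described above: each infrastructure mutation is recorded with the requesting admin, the event, and the exact before/after state, the only write operation is append, and the history of one peer can be traced back through its entries. Chaining each entry to the previous one with a SHA-256 digest is an assumption made here so that a later edit to any stored entry is detectable; the page does not say which engine Perimeter uses, only that it permits no delete and no overwrite. The peer records and admin IDs are constructed.

```python
"""Append-only, tamper-evident audit log of infrastructure mutations.

Added example; not MindFront's code. Hash chaining is an assumption, used to make
any after-the-fact edit detectable; the sample peer and admin IDs are constructed.
"""
from __future__ import annotations

import hashlib
import json
import time

GENESIS = "0" * 64


class AuditLog:
    """The only public write method is record(); there is no delete or overwrite."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def record(self, admin_id: str, event: str, before: dict | None,
               after: dict | None, ts: int | None = None) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "ts": ts if ts is not None else int(time.time()),
            "admin": admin_id,
            "event": event,          # peer.created / peer.updated / peer.deleted / ...
            "before": before,        # exact state before the change (None on create)
            "after": after,          # exact state after the change (None on delete)
            "prev": prev,            # digest of the previous entry
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def verify(self) -> int | None:
        """Index of the first entry whose chain link or digest is broken; None if intact."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def history(self, public_key: str) -> list[dict]:
        """Every entry that touched one peer: when, by whom, and what it was before."""
        def touches(state: dict | None) -> bool:
            return bool(state) and state.get("public_key") == public_key
        return [dict(e) for e in self._entries if touches(e["before"]) or touches(e["after"])]

    def entries(self) -> list[dict]:
        return [dict(e) for e in self._entries]   # copies: callers cannot mutate the log


def demo() -> AuditLog:
    """Constructed lifecycle of one peer, as the log would record it."""
    log = AuditLog()
    peer = {"public_key": "PHONEPUB=", "allowed_ips": "10.250.0.7/32", "owner": "alice"}
    log.record("admin-42", "peer.created", None, peer, ts=1700000000)
    updated = dict(peer, allowed_ips="10.250.0.9/32")
    log.record("admin-42", "peer.updated", peer, updated, ts=1700000100)
    log.record("admin-7", "peer.deleted", updated, None, ts=1700000200)
    return log


if __name__ == "__main__":
    log = demo()
    for e in log.history("PHONEPUB="):
        print(e["ts"], e["admin"], e["event"], "before:", e["before"])
    print("chain intact:", log.verify() is None)
```

`history()` answers the question the section poses (when, by whom, what it was before), and `verify()` turns “append-only” from a promise into a check: an operator can run it against an exported log and get the index of the first entry that no longer matches what was written.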
6. What Sets Perimeter Apart
| Feature | Why It Matters |
|---|---|
| No Public Attack Surface | MindFront is unreachable without the tunnel. |
| Built-in Reverse Proxy | Your on-prem ERP, dashboards, and internal APIs inherit the same private-network posture as MindFront itself. |
| Per-Device Management | Revoke one lost phone without disconnecting the user’s other devices. GeoIP-resolved last-seen location per device. |
| Action Gating at the Edge | Every outbound action MindFront takes is risk-scored, with high-risk actions always going through human approval. |
| Append-Only Audit Log | Every infrastructure change recorded. No delete, no overwrite. |
| Works with or without a Corporate VPN | Already running a company-wide VPN? MindFront can live inside it. Perimeter can stay disabled or run as a second layer. |
| One-Tap Setup on Any Device | Import a profile or scan a QR code. Click Connect. That’s it. |
Frequently Asked Questions
Will the VPN slow down my internet?
In the Standard Mode, no. Only MindFront data travels through the tunnel; everything else uses your regular line.
Do I need the VPN every time I use MindFront?
Yes. The tunnel is the front door to your company’s MindFront. If the tunnel is off, MindFront stays locked.
How can I confirm the tunnel is active?
Visit access.mindfront.systems. This will confirm if your VPN is active and connected, and if so, will route you over to your organization’s private MindFront server.
We already run a corporate VPN. How does Perimeter fit?
Perimeter is optional when a corporate VPN is in place. MindFront can run inside your existing tunnel, or you can keep both. Administrators decide what meets policy.
Can I connect from several devices at once?
Yes. Laptop, phone, and tablet can stay online together. Each device receives its own profile for clarity and control, and admins can revoke any single one without affecting the others.
Will MindFront Perimeter hide my personal internet traffic?
In the Standard Mode, no. MindFront Perimeter secures only the data that flows between your device and your company’s private MindFront server. Everything else — web browsing, streaming, social media — continues to use your normal connection, exactly as before.
Your organisation keeps full visibility of its own MindFront data while avoiding any responsibility for your personal traffic.
If you need a tool that hides or re-routes all of your internet activity, you would use a consumer privacy service (for example NordVPN or Surfshark), or use the Full Coverage mode via special request to MindFront.
Can I use Perimeter to protect ALL of my traffic?
Yes. MindFront can configure your Perimeter gateway for a full-tunnel profile on request. Ask your administrator to issue a WireGuard file (or QR code) that routes 0.0.0.0/0. After you import it and tap Connect, every packet — MindFront and non-MindFront — runs through the same encrypted link. Expect a small increase in latency, similar to any commercial VPN.
Is it safe to use MindFront on public Wi-Fi?
Yes. Once the Perimeter VPN shows “Connected,” every packet headed for MindFront travels inside an encrypted WireGuard tunnel; anyone on the same hotspot sees only cipher text. The standard profile protects MindFront traffic only — your web browsing, mail, and other apps still ride the open network unless you switch to a full-tunnel setup.
Which devices are supported?
Windows, macOS, Linux, iOS, iPadOS, and Android — via the free WireGuard app.
Will Perimeter drain my battery?
Impact is minimal. WireGuard stays idle until data flows; battery life remains near normal.
What happens if the Wi-Fi drops mid-session?
WireGuard automatically re-handshakes. Once connectivity returns, MindFront resumes without user action.
Can I set Perimeter to connect automatically?
Yes. Enable “On-Demand” (iOS), “Always-on VPN” (Android), or auto-start at login on desktop clients.
Does Perimeter work over mobile data?
Yes. 4G, 5G, and tethered hotspots behave the same as Wi-Fi.
Can other users access my computer through MindFront?
No. Packet forwarding is disabled by design, so traffic flows only between your device and the MindFront server — never peer-to-peer.
What if I lose a device with a profile?
Alert your server administrator. They will revoke the lost profile and issue a replacement. The other devices on your account stay connected.
Do I have to rotate keys on a schedule?
Not for normal operation. WireGuard keys already use strong, modern cryptography. Some organisations still rotate keys to satisfy formal policies — PCI-DSS, ISO 27001, SOC 2, or government frameworks — that mandate scheduled credential changes. If your compliance team insists, your administrator can issue a fresh WireGuard profile in a few minutes.
Does the VPN log everything I do online?
Only MindFront traffic enters the tunnel, and the traffic itself is not logged. Session records (the per-device connection details listed under Device Management) are kept, and they fall under the same company data policy as everything else in MindFront. See “Your Data in MindFront”.
Can I connect to my organization’s MindFront when I travel abroad?
Yes. Almost anywhere.
A few places — mainland China, some corporate guest Wi-Fi chains — may block or interfere with WireGuard-based VPN connections.
If you expect to be in such areas, MindFront suggests asking your IT department for a fallback OpenVPN profile over TCP port 443 into a bridged network, so that your access to MindFront remains available.
What is “DNS” and why should I care?
DNS is the internet’s address book. Perimeter answers those look-ups inside the tunnel so nothing leaks outside.
The tunnel will not connect — what next?
Please contact your system administrator. They will likely ask you for the WireGuard log and whether your device shows a completed handshake.
Can I run Perimeter and Surfshark (or another service) at the same time?
Yes, provided the other service also uses WireGuard. Your admin can widen the allowed range so both tunnels coexist. A sample dual-VPN file is below:
```ini
[Interface]
PrivateKey = <your_private_key>
Address = 10.16.0.6/16
DNS = 10.250.0.1 # MindFront internal resolver

[Peer]
# MindFront - MindFront traffic only
PublicKey = <mindfront_public_key>
AllowedIPs = 10.250.0.0/24
Endpoint = perimeter.your_org.com:51820
PersistentKeepalive = 25

[Peer]
# Surfshark - all other traffic
PublicKey = <surfshark_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = us-moon.prod.surfshark.com:51820
PersistentKeepalive = 25
```
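Why the two peers above can coexist, and why a Standard Mode profile leaves web traffic on the local line while a full-tunnel profile that routes 0.0.0.0/0 captures everything, comes down to one rule: WireGuard sends each outgoing packet to the peer whose AllowedIPs entry covers the destination with the longest prefix, and a destination no entry covers never enters the tunnel. The following is an added example, not MindFront’s or WireGuard’s code; it parses the [Peer] sections of a wg-quick style profile and applies that rule, going beyond the dual-VPN case to the Standard and Full Coverage profiles as well. The three profiles are constructed; keys and the second provider’s endpoint are placeholders.

```python
"""Which peer gets a packet: WireGuard cryptokey routing over AllowedIPs.

Added example; not MindFront's or WireGuard's code. The profiles are constructed to
mirror Standard Mode, Full Coverage Mode and a dual-VPN file; keys are placeholders.
"""
from __future__ import annotations

import ipaddress

STANDARD_PROFILE = """\
[Interface]
PrivateKey = <your_private_key>
Address = 10.250.0.6/24
DNS = 10.250.0.1 # resolved inside the tunnel

[Peer]
# MindFront - only the private range enters the tunnel
PublicKey = <mindfront_public_key>
AllowedIPs = 10.250.0.0/24
Endpoint = perimeter.your_org.com:51820
PersistentKeepalive = 25
"""

# Full Coverage: the same peer, but every destination (v4 and v6) is routed to it.
FULL_TUNNEL_PROFILE = STANDARD_PROFILE.replace("AllowedIPs = 10.250.0.0/24",
                                               "AllowedIPs = 0.0.0.0/0, ::/0")

# Dual VPN: a second peer takes everything the first one's narrower entry doesn't.
DUAL_VPN_PROFILE = STANDARD_PROFILE + """
[Peer]
# second provider - all other traffic
PublicKey = <other_vpn_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <other_vpn_endpoint>:51820
PersistentKeepalive = 25
"""


def parse_peers(profile: str) -> list[dict]:
    """Return one {'public_key', 'allowed'} dict per [Peer] section."""
    peers: list[dict] = []
    current: dict | None = None
    for raw in profile.splitlines():
        line = raw.split("#", 1)[0].strip()      # wg-quick discards '#' comments
        if not line:
            continue
        if line.startswith("["):
            current = {"public_key": None, "allowed": []} if line == "[Peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None:
            continue                              # [Interface] keys carry no routing data
        key, _, value = line.partition("=")       # partition: real base64 keys end in '='
        key, value = key.strip(), value.strip()
        if key == "PublicKey":
            current["public_key"] = value
        elif key == "AllowedIPs":
            current["allowed"].extend(ipaddress.ip_network(n.strip(), strict=False)
                                      for n in value.split(","))
    return peers


def route(peers: list[dict], destination: str) -> str | None:
    """Public key of the peer that receives `destination`; None means it stays off-tunnel."""
    addr = ipaddress.ip_address(destination)
    best_key, best_len = None, -1
    for peer in peers:
        for net in peer["allowed"]:
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_key, best_len = peer["public_key"], net.prefixlen
    return best_key


if __name__ == "__main__":
    for name, text in (("standard", STANDARD_PROFILE), ("full", FULL_TUNNEL_PROFILE),
                       ("dual", DUAL_VPN_PROFILE)):
        peers = parse_peers(text)
        for dst in ("10.250.0.1", "93.184.216.34", "2001:db8::1"):
            print(f"{name:8} {dst:15} -> {route(peers, dst)}")
```

Two things the resolver makes visible. In the dual-VPN file the /24 always beats the /0, so MindFront traffic keeps reaching the MindFront peer even though the second provider claims everything; and a second peer that lists only `0.0.0.0/0` leaves IPv6 destinations off-tunnel entirely, which is the kind of leak to check for before relying on such a profile on an untrusted network.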
Plain-Language Glossary
| Term | In Plain English |
|---|---|
| VPN (Virtual Private Network) | A private, encrypted “pipe” through the internet. |
| WireGuard | The modern tool that builds that pipe. |
| Tunnel | The secure pathway created by the VPN; only approved data fits through. |
| Reverse Proxy | A gateway that sits in front of an internal service. Outside callers reach the proxy; the proxy reaches the service. The service stays private. |
| Peer | A connected device or piece of infrastructure on the tunnel. |
| Profile | A small file or QR code that holds your keys and settings. Import once, tap “Connect.” |
| Key | A long secret code that proves you are allowed in. |
| DNS (Domain Name System) | The internet’s address book: turns names like mindfront.ai into the numbers computers use. |
| Handshake | A quick hello between your device and the server that confirms both sides have the right keys. |
| Audit Log | An append-only record of every infrastructure change — who did what, when, and what changed. |