Back to overview
Bastion

Vlux Bastion — the shield for your network

Security add-on for any Vlux network. Blocks the port for everyone except the gateway — maximum data sovereignty for your sensitive data. Strong enough for law firms and medical practices (GDPR-compliant), simple enough for any private user. Made in Germany.

Five layers of defense

Each layer works on its own. Together they form a defense in depth that holds even if a single layer fails.

1

IP allowlist at the firewall level

Only allowed IPs reach the Bastion container at all. Everything else is blocked before the server.

2

mTLS client certificate

Every connecting device identifies itself with its own certificate. Without a valid certificate — no connection.

3

Container isolation

Docker with AppArmor and Seccomp profiles. The Bastion process can’t reach anything outside its sandbox.

4

Vlux protocol auth (trust token)

Inside the tunnel, another Vlux-specific token check. Two independent layers of auth instead of one.

5

Rate limiting & anomaly detection

Suspicious behavior — many failed logins, unusual load spikes — is throttled and reported automatically.

No single layer makes a system secure. But anyone facing five hurdles usually gives up before that — and that’s exactly what Bastion is built for.

In preparation Concept ready, build phase starts with the first pilot user — gladly with you.

Skeleton mode — sensitive data stays on the server

Sensitive data sits only on the Bastion server. Your laptops only show the skeleton. If a device is stolen, zero data remains on the disk — for private users, businesses and law firms alike.

What laptops hold today

On many laptops the most important files sit locally — family photos, business documents, client files. Practical for quick access in meetings, on the train, working from home. But risky: a lost or stolen laptop means your data may end up on someone else’s disk. For licensed professionals (lawyers, tax advisors, doctors) it also triggers a reporting obligation with fine risk.

What skeleton mode changes

In skeleton mode your laptop only shows a "skeleton" — the file list with metadata, without contents. Only when you open a file are the needed documents loaded temporarily from the Bastion server. On close or lock, the local copy is cleanly wiped.

What this means in the worst case

If your laptop is stolen or lost — there’s no sensitive data on the disk. Private users keep their family photos and financial records safe. Businesses protect customer and employee data. Law firms additionally avoid the reporting obligation and reputational damage.

Skeleton mode is in preparation — the concept is ready, the build phase starts with the next step. If you have questions about it: get in touch.

In preparation Vlux Drive — coming as the next premium layer on top of Bastion.

Vlux Drive — collaborative files, without the cloud

The office-server alternative for anyone who takes their data seriously — families, businesses, law firms. On save, the file goes back to the server, the local copy is wiped. Your own hardware, full data sovereignty.

How it works

The Vlux server (Pi, PC or server) shares folders. All authorized devices see the files as skeletons in their normal file view — small reference files, not actual contents. Only on click does the file download temporarily; you edit it as usual with Word, Excel or a PDF editor. On save, the file flows back to the server, the local copy is wiped.

Conflict avoidance like Git

While you’re editing a file, it’s locked for others — no double work, no version collisions. When you’re done (or your lease expires), the system releases the file again. Works the same in a family setup or a multi-person firm.

Per-file versioning

Every change is recorded with timestamp and device identity. Traceable at any time who changed what when — useful for everyone, indispensable for licensed professionals on legal inquiry.

Secure on the road

When you or your team access a file remotely, it goes through Vlux Bastion — hardened, vetted, approved by you. As soon as you go offline: local copy gone, risk on device loss is zero. Whether you’re a freelancer with customer files or a law firm with client data.

Vlux Drive is being built as a foundation library. First runnable version coming soon. If you have questions: get in touch.

Who benefits most from Bastion

Three setups where Bastion becomes essential — law firms, tax advisors, medical practices. Private users and businesses get the same security level for their own data.

Law firm

Client files and evidence stay inside the firm. Clients don’t need an account, just a trust code.

Vlux Bastion · VluxPC · VluxApp Learn more

In law firms, client data is the most valuable — and the most risky. With cloud solutions like SharePoint or DATEV, data flows through provider infrastructure, clients need accounts with logins, and every new client onboarding costs PostIdent (5–15 €) for the money-laundering act identification.

Vlux Bastion changes that: client files stay on a hardened server inside the firm. Clients get a one-time trust code — no account, no password. Identification runs via NFC reading of the German ID card, compliant with the money-laundering act. The free client app is enough.

On top of that: recordings of client meetings, video damage assessment and other evidence media are managed in the same system — end-to-end encrypted, evidence-grade versioned, full data sovereignty of the firm.

What you need:

  • Vlux Bastion on a Pi box or mini-PC inside the firm
  • VluxPC on the lawyers’ computers
  • Free VluxApp for the clients

Roadmap In preparation: Skeleton mode + Vlux Drive — files and evidence sit only on the central Bastion server, lawyers’ PCs show skeletons. If a laptop is stolen, no client data remains on the disk.

Tax advisor firm

Receipts, payroll and advisory documentation safely between client and firm — without DATEV lock-in.

Vlux Bastion · VluxPC · VluxApp Learn more

Receipts, payroll, annual statements — sensitive client data that often moves through the DATEV cloud or unencrypted email today. Both paths have downsides: DATEV costs 5–15 € per user per month, email is insecure.

With Vlux Bastion, clients get a free app. They send receipts via photo straight into the firm, end-to-end encrypted, without an account. The receipts land sorted on the firm’s Bastion server, the tax advisor accesses them directly — no cloud in between.

Advisory recordings, conference documentation and client meeting audio are managed in the same system — versioned, evidence-grade, never in a foreign cloud.

What you need:

  • Vlux Bastion on a Pi box or mini-PC inside the firm
  • VluxPC on the tax advisors’ computers
  • Free VluxApp for the clients

Medical practice

Patient data, sonography videos and OR recordings stay inside the practice — hardened against outside attacks.

Vlux Bastion · VluxPC · VluxApp Learn more

Medical practices face strict privacy requirements — patient records must not end up in cloud services subject to foreign law. At the same time, practices need practical ways to share findings between staff and exchange patient data with referring specialists.

Vlux Bastion provides a hardened server inside the practice. Patient records, finding photos, sonography videos and OR recordings stay physically inside the practice network. The Bastion server protects with five layers of defense against outside attacks, without the practice team having to be IT pros.

Media evidence — image findings, OR recordings, progress documentation — are managed in the same system as the records. Patients receive their own recordings via trust code to their phone, without an account.

What you need:

  • Vlux Bastion on a Pi box or mini-PC inside the practice
  • VluxPC on the practice computers
  • Free VluxApp for mobile finding capture

What makes Bastion unique

Three properties we don’t find with any direct competitor — particularly relevant for licensed professionals, but available to every Vlux user.

ID verification via NFC

Clients identify themselves on first contact using the German ID card (eID via NFC on the phone). It’s compliant with the German Money Laundering Act and replaces PostIdent — typically 5–15 € saved per client.

Clients don’t need an account

No login, no password, no forgotten credentials on the client side. A single trust code is enough for the whole engagement. Usable even for less tech-savvy clients.

Free client app

The VluxApp is free for clients. Unlike DATEV, where client accounts cost 5–15 € per user per month, the firm pays once for Bastion. Scales without per-client running costs.

Premium features for Bastion users

Four properties that lift Vlux Bastion above classic security solutions — useful for any user, especially valuable in a business or law-firm setup.

Live today

VluxPC as admin cockpit

A Windows application manages your entire private infrastructure — Pi, Bastion, soon Drive and Mail. UX on par with cloud consoles, technically fully on premise. Synology has browser admin, Microsoft has a cloud console — Vlux has a desktop cockpit with automatic certificate authentication.

In pilot

Plug-and-play setup

Plug the Pi into your PC via LAN cable — the browser opens the setup page automatically. Click through the wizard, then plug the Pi into the router, done. Like an iPhone out of the box, no IT service needed. Factory-reset button for arbitrarily repeatable onboarding (second site, new employee).

Live today

Your own relay server

Premium bundle customers run their own Vlux relay instead of using our public one. That puts the connection metadata (who-talks-to-whom) in your hands too — for private users the data-sovereignty maximum, for licensed professionals BSI audit-ready and compatible with duty of confidentiality. With Vlux, everything is yours: data, gateway, address book.

In preparation

Per-user anomaly detection

The admin configures per-user a download threshold with an alert — low in a family setup, role-staggered in a multi-person business. When someone suddenly downloads 10 GB per day (data theft, stolen identity, malware), the admin sees it immediately.

Four promises you can rely on

What Bastion delivers in every use — and what professional rules of conduct require.

Full data sovereignty

Your data sits on your own devices. You keep full control — no foreign server, no provider looking in.

End-to-end encrypted

AES-256-GCM between sender and recipient. Nobody in the middle reads along.

Made in Germany

Built in Schleswig-Holstein. Relay servers in Germany.

GDPR-compliant

No cookies, no tracking, no third-party services — on this site or in the product.

Thank you.

The beta phase is starting now — with a fixed group of testers.

Beta running

Thank you to our beta testers

You're entering the beta with us while VluxNet is still young, and you're giving us your trust. You report bugs, shape features and help decide where the journey goes. That is exactly what makes the difference. From the heart: thank you.

Applications currently closed

The beta is running with a fixed group — we're not accepting further applications at this time. General availability is coming; then VluxNet will be open to everyone.

Urgent case?

If you need a secure solution right now, reach out anyway — we'll find a way.

Send urgent request