Hardware Appliance
The AegisWire hardware appliance is a pre-configured 1U rack-mount unit that runs the complete AegisWire stack locally. It is designed for organisations that require physical control over their VPN infrastructure, have data-sovereignty requirements, or prefer owned hardware over cloud deployments.
Hardware Platform
All AegisWire appliances are built on the Supermicro SYS-5019D platform with Intel Xeon D processors. Every model includes AES-NI and AVX2 hardware acceleration for cryptographic operations, plus Intel QuickAssist Technology (QAT) for offloading encryption workloads.
Node Classes
| Model | CPU | Cores | RAM | PQ Throughput | Max Users |
|---|---|---|---|---|---|
| HW-S | Xeon D-2133IT | 4 | 32 GB ECC | 500 Mbps | 25 |
| HW-M | Xeon D-2146NT | 8 | 64 GB ECC | 1 Gbps | 100 |
| HW-L | Xeon D-2166NT | 12 | 128 GB ECC | 2.5 Gbps | 250 |
| HW-XL | Xeon D-2187NT | 16 | 256 GB ECC | 5 Gbps | 500+ |
All models use ECC memory for data integrity and include enterprise-grade SSD storage.
What Runs on the Appliance
The appliance ships pre-installed with:
- Ubuntu 24.04 LTS — the base operating system
- AegisWire Go Control Plane — full user management, enrollment, policy distribution, and admin interface
- AegisWire Gateway — tunnel termination with post-quantum cryptography
- PostgreSQL — local database for all control plane data
- Full built-in user management — create users, manage groups, assign roles, enforce MFA, all locally
No external database server, identity provider, or cloud service is required for the VPN to function. The appliance is self-contained.
Mandatory Phone-Home
The AegisWire hardware appliance requires internet connectivity for licence validation. The appliance contacts the AegisWire licensing service every 24 hours to validate its licence.
Important: There is no air-gap option. VPN functionality requires active internet connectivity for the phone-home licence check. If the appliance cannot reach the licensing service for more than 48 hours, VPN operations will be suspended until connectivity is restored.
This requirement exists because:
- The appliance is a licensed product with an annual subscription
- Licence revocation must be enforceable (e.g., if payment lapses)
- Security updates and threat intelligence require connectivity
The phone-home check transmits only:
- Device serial number
- MAC address
- Current licence ID
- Software version
- Timestamp
No user data, traffic data, or configuration details are transmitted.
Hardware-Bound Licensing
Each appliance licence is cryptographically bound to the specific hardware unit using Ed25519 signatures. The licence token includes:
- Device serial number
- Primary network interface MAC address
- Licensed user capacity
- Licensed throughput capacity
- Licence expiry date
- Ed25519 signature from the AegisWire licensing authority
The licence cannot be transferred to different hardware. If you replace the appliance, a new licence must be issued for the replacement unit.
Deployment
Physical Installation
- Mount the 1U appliance in a standard 19-inch rack
- Connect Ethernet (1 GbE minimum, 10 GbE recommended for HW-L and HW-XL)
- Connect power (redundant PSU on HW-L and HW-XL)
- Power on — the appliance boots directly into AegisWire
Initial Configuration
On first boot, the appliance starts a setup wizard accessible via the local network:
- Connect a workstation to the same network
- Navigate to
https://<appliance-ip>:8080/admin/ - Complete the initial setup:
- Set the admin password
- Configure network settings (static IP recommended)
- Configure the appliance hostname and domain
- Activate the licence (requires internet connectivity)
- The appliance runs database migrations and generates cryptographic key material
Network Configuration
For production deployment:
- Assign a static IP address
- Configure DNS to resolve your VPN domain to the appliance IP
- Open UDP port for tunnel traffic (configurable) on your firewall
- Open TCP port 443 for the control plane API
- Ensure outbound HTTPS access for licence phone-home
Management
The appliance admin interface is identical to the self-hosted Go control plane admin. You manage:
- Users and groups with the built-in user management system
- Device enrollment via tokens or QR codes
- Policies (full tunnel, split tunnel, DNS, kill switch)
- Gateway configuration and monitoring
- Audit logs and session management
- Optional external IdP integration for SSO
Pricing
Hardware appliance pricing consists of two components:
- One-time hardware purchase: Covers the physical appliance unit
- Annual licence: Covers software updates, support, and phone-home licence validation
Annual billing only — monthly billing is not available for hardware appliances.
| Model | Hardware (One-Time) | Annual Licence |
|---|---|---|
| HW-S | From $4,999 | From $4,799/year |
| HW-M | From $9,999 | From $9,999/year |
| HW-L | From $17,499 | From $19,999/year |
| HW-XL | From $24,999 | From $34,999/year |
Annual licence includes standard support. Premium support with extended warranty is available as an add-on.
Updates
The appliance receives software updates via the phone-home connection. Updates are downloaded and applied during the next maintenance window. You control when updates are applied through the admin interface.
Critical security patches can be configured for automatic application.