Publish a Service Tunnel to Users

This guide shows how to publish a Service Tunnel (via the Banyan Access Tier) so end users can set up encrypted network connectivity to network segments

  • Updated on Mar 16, 2022

This article describes features that are only available in the Banyan Enterprise edition.
This article describes features that require Banyan Netagent v1.39.0+.
This article describes features that require Banyan Desktop App v2.4.0+


The diagram below shows your setup:

  1. A Banyan Access Tier should be installed in the same network segment as the private network which we need to connect to.

  2. The Banyan User Directory should be configured to integrate with your Identity Provider.

  3. The latest Banyan Desktop App should be installed and registered on devices used to access internal resources in the private network.


  • Admin privileges on the device to enable the Tunnel Service (which contains WireGuard tools).
  • Currently, we recommend enabling Service Tunnels on an Access Tier running any of the following Operation Systems:
    • Amazon Linux 2.0
    • Ubuntu 20.04 (and later)


Set up a Service Tunnel to one or more private network segments.

Step 1. Enable the Access Tier Tunnel Settings

1.1 In the Directory, navigate from Infrastructure > Access Tiers.

1.2 In Edit Access Tiers, enable Service Tunnel for End Users.

1.2 Enter your preferred UDP Port Number.

  • Ensure UDP traffic is allowed on this preferred port, since this is where WireGuard will be running. We generally recommend using port 51820.

1.3 Enter your preferred Keepalive interval.

1.4 Enter the CIDR range values that pertain to your private network(s).

A single Access Tier cannot currently support overlapping CIDR ranges. If you would like to provide a tunnel for overlapping CIDR ranges, we recommend using multiple Access Tiers.

1.5 Enable Private DNS to register names that can only be resolved on your internal network’s private DNS.

  • Private Domains include any internal domains that do not resolve publicly.
  • DNS Search Domains are a subset of domains that will automatically be added as a prefix during DNS resolution.

1.6 Select Save.

Step 2. Create a Tunnel Policy

2.1 Log into the Banyan Command Center, and navigate from Secure Access > Policies > + Create Policy.

2.2 Create a new Policy using the Tunnel Policy template.

2.3 Enter a Policy Name (such as, hosted-service) and a Description.

2.4 Define your policy, configuring Access Group 1 according to each parameter (i.e., Role, Trust Level, Protocol, CIDR range, Port).

2.5 Note that, by default, the above parameters are for Allow access. If you wish to deny access, select Add exceptions (DENY rules) for Protocols, CIDRs, and Ports to configure exceptions within these parameters.

2.6 If you want to define an additional Access Group, select + New Access Group.

2.7 Finally, select Create Policy.

Step 3. Register a Service Tunnel

3.1 Navigate from Manage Services > Service Tunnels, and then select + Register Service.

3.2 Enter the Service Name (such as, AWS Prod VPC) and Description (such as Access to AWS Production VPC).

3.3 Select the cluster where the applicable Access Tier is located.

3.4 Select one or more Access Tiers for the Service Tunnel.

If selecting multiple Access Tiers, ensure that there are no overlapping CIDR ranges. If CIDR ranges overlap, two separate Service Tunnels will need to be created.

3.5 Attach the policy you previously created in Step 2, and then set the Enforcement mode.

3.6 Select Save.

Step 4. Connect to a Service Tunnel

4.1 Launch the Banyan Desktop App, locate the Service Tunnel from the list of Service Tunnels, and then select Connect.

End users may be prompted once for their admin password to install the Banyan Tunnel Service.

  • Banyan will continuously evaluate your device posture, enforce your security policies, and grant access accordingly.

4.2 Access your internal resources.


If there is an issue connecting to, or accessing a resource from, a Service Tunnel, check the following logs or components:

1) Banyan App Main Logs

  • Reference this log if you cannot get a Service Tunnel started via the Banyan App.

2) Banyan App Tunnel Service Logs

  • If a Service Tunnel can be connected via the Banyan App, reference this log to ensure traffic is being sent from the tunnel interface to the Access Tier.

3) Access Tier

  • Ensure traffic is getting to the Access Tier via the UDP port selected for the tunnel. This can be done via a tcpdump of the UDP port that is open for the tunnel. tcpdump -i eth0 port 51820

Common Errors

1) ‘Error: Could not set service tunnel config.’

Check the Banyan App logs for detailed information. It is likely that port 8119 is in use or your TrustScore does not meet the policy requirements.