Trusted End Node Security (formerly Lightweight Portable Security) is a live, read-only Linux distribution that loads entirely into RAM via SquashFS and OverlayFS. Out of the box it offers a minimal Xfce desktop (with Fluxbox fallback), a handful of core network tools, and no persistent package manager—you won’t find apt or yum to leave traces on the host. Its typical user is a security consultant or government official who needs a sterile, ephemeral environment on any workstation. To expand functionality—such as adding a VPN client—you must carry portable binaries or self-contained archives on a USB stick and execute them in RAM.
Why These VPN Clients Suit Trusted End Node Security
Any VPN client for TENS must:
- Work without a persistent package manager (no apt or yum).
- Have minimal dependencies or be a self-contained binary/archive.
- Use the standard TUN/TAP kernel driver (already built into TENS).
- Be easy to configure from the command line or a small GUI.
Based on those criteria, the standout choices are:
- OpenVPN – the community standard, simple CLI, minimal deps.
- OpenConnect – Cisco AnyConnect–compatible, DTLS/TLS, pure userspace.
- SoftEther VPN Client – multi-protocol, precompiled archive, single binary.
Comparison of Recommended VPN Clients
| VPN Client | Protocol(s) | Binary Type | Dependencies | Kernel Modules |
|---|---|---|---|---|
| OpenVPN | OpenVPN over UDP/TCP | DEB/RPM or compile-from-source | libssl, tun/tap device | tun/tap (built-in) |
| OpenConnect | AnyConnect, DTLS, TLS | DEB/RPM or compile-from-source | libssl or libgnutls | tun/tap (built-in) |
| SoftEther VPN Client | SoftEther, L2TP/IPsec, SSTP | Precompiled archive | glibc only | none (uses TUN/TAP) |
Installation & Configuration Guides
1. OpenVPN
Since TENS won’t let you install packages persistently, build OpenVPN in RAM or on a separate Linux box, then copy the openvpn binary onto a USB stick.
Example (build in RAM):
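```bash
# Create the build directory and the bin directory the binary is copied into
mkdir -p /mnt/usb/vpn/openvpn /mnt/usb/vpn/bin
cd /mnt/usb/vpn/openvpn
wget https://swupdate.openvpn.net/community/releases/openvpn-2.5.8.tar.gz
tar xzf openvpn-2.5.8.tar.gz
cd openvpn-2.5.8
./configure --disable-lzo --disable-plugin-auth-pam
make -j"$(nproc)"
# The built binary is src/openvpn/openvpn (src/openvpn itself is a directory)
cp src/openvpn/openvpn /mnt/usb/vpn/bin/
```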
Run it against your client.ovpn (make sure your config and CA live on the same stick):
/mnt/usb/vpn/bin/openvpn --config /mnt/usb/vpn/config/client.ovpn
Ensure your client.ovpn includes the CA path, for example:
ca /mnt/usb/vpn/config/ca.crt
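A pre-flight check for the CA requirement above, as an added example that is not from the original page: it confirms that the profile names a CA and that every certificate or key file it references is actually present before OpenVPN is started. The function name `check_ovpn_paths` and the demo profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for an OpenVPN profile carried on a USB stick.
# Returns 0 only if the profile names a CA (file or inline <ca> block) and every
# file it references exists. Quoted paths containing spaces are not handled.
check_ovpn_paths() {
    cfg=$1
    rc=0
    have_ca=0
    [ -r "$cfg" ] || { echo "FAIL cannot read $cfg"; return 2; }
    # An inline <ca>...</ca> block satisfies the CA requirement without a file.
    if grep -q '^[[:space:]]*<ca>' "$cfg"; then
        have_ca=1
        echo "OK   inline <ca> block"
    fi

    # Walk the directives whose first argument is a file path.
    while read -r key path _rest; do
        case $key in
            ca|cert|key|tls-auth|tls-crypt) ;;
            *) continue ;;
        esac
        case $path in
            /*) ;;
            *) echo "WARN $key '$path' is relative; OpenVPN resolves it against its working directory" ;;
        esac
        if [ -f "$path" ] && [ -r "$path" ]; then
            echo "OK   $key $path"
            if [ "$key" = ca ]; then have_ca=1; fi
        else
            echo "FAIL $key $path is missing or unreadable"
            rc=1
        fi
    done <<EOF
$(tr -d '\r' < "$cfg")
EOF
    if [ "$have_ca" -eq 0 ]; then
        echo "FAIL no usable ca file or inline <ca> block: the server certificate cannot be verified"
        rc=1
    fi
    return "$rc"
}

# Constructed demo profile: the CA exists, the tls-auth key does not.
demo=$(mktemp -d)
: > "$demo/ca.crt"
printf 'client\nca %s/ca.crt\ntls-auth %s/ta.key 1\n' "$demo" "$demo" > "$demo/client.ovpn"
check_ovpn_paths "$demo/client.ovpn" || echo "profile not ready (exit $?)"
rm -rf "$demo"
```

Run it against the profile on the stick and start the tunnel only when it returns 0; it checks that the files are present, not that the certificates are valid.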
2. OpenConnect
OpenConnect is pure userspace and can be compiled on-the-fly or pre-built elsewhere. Below is a RAM build approach:
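```bash
# Create the build directory and the bin directory the binary is copied into
mkdir -p /mnt/usb/vpn/openconnect /mnt/usb/vpn/bin
cd /mnt/usb/vpn/openconnect
wget https://www.infradead.org/openconnect/download/openconnect-8.10.tar.gz
tar xzf openconnect-8.10.tar.gz
cd openconnect-8.10
./configure --disable-shared
make -j"$(nproc)"
# The openconnect binary is built at the top of the source tree
cp openconnect /mnt/usb/vpn/bin/
```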
To establish a VPN session:
/mnt/usb/vpn/bin/openconnect vpn.example.com --protocol=anyconnect
3. SoftEther VPN Client
SoftEther ships as a precompiled tarball that only needs glibc. No build chain required if you grab the correct archive for your architecture.
```bash
mkdir -p /mnt/usb/vpn/softether
cd /mnt/usb/vpn/softether
wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.38-9768-rtm/softether-vpnclient-v4.38-9768-rtm-2021.02.11-linux-x64-64bit.tar.gz
# Unpack the archive that was just downloaded
tar xzf softether-vpnclient-*.tar.gz
```
Start the client service:
```bash
cd vpnclient
./vpnclient start
```
Use vpncmd to configure and connect:
```
./vpncmd
# At the vpncmd> prompt, execute:
ServerPasswordSet yourServerPass
NicCreate mynic
AccountCreate myacct /SERVER:vpn.example.com /HUB:DEFAULT /USERNAME:alice /NICNAME:mynic
AccountPasswordSet myacct /PASSWORD:secret /TYPE:standard
AccountConnect myacct
```
All of these solutions run entirely in memory on TENS, preserving its read-only security posture while giving you full VPN connectivity. Cheerio!