Publish a Service Tunnel to Users

This guide details how to publish a Service Tunnel via the Banyan Access Tier so an end user can conveniently yet securely set up encrypted network connectivity to network segments

This article describes features that are only available in the Banyan Enterprise edition.
This article describes features that require Banyan Netagent v1.39.0+.
This article describes features that require Banyan Desktop App v2.4.0+


For this quick start guide, we have a setup as shown in the diagram below:

  1. A Banyan Access Tier is installed in the same network segment as the private network which we need to connect to.

  2. The Banyan User Directory should be configured to integrate with your Identity Provider.

  3. The latest Banyan Desktop App is installed and registered on devices from which users will access the internal resources in the private network.

Pre Requirements

  • Administrative privileges will be required on the device to enable the Tunnel Service which contains Wireguard-tools.
  • Ubuntu 20.04

Currently, we recommend enabling Service Tunnels on an Access Tier running Ubuntu 20.04. We plan to support more operating systems such as Amazon Linux in the future.


We will now set up a service tunnel to one or more private network segments:

Step 1. Enable the Access Tier Tunnel Settings

1.1 In the Directory, navigate to Infrastructure > Access Tiers.

1.2 On the Edit Access Tiers page, enable Service Tunnel for End Users.

1.2 Enter your preferred UDP Port Number.

  • Ensure UDP traffic is allowed on this preferred port as it is where Wireguard will be running. We generally recommend using port 51820.

1.3 Enter your preferred Keepalive interval.

1.4 Enter the CIDR range values that pertain to your private networks.

A single Access Tier can not currently support overlapping CIDR ranges. If you would like to provide a tunnel for overlapping CIDR ranges, we recommend leveraging multiple Access Tiers.

1.5 Enable Private DNS to register names that can only be resolved on your internal network’s private DNS.

  • Private Domains would include any internal domains that do not resolve publicly.
  • DNS Search Domains are a subset of domains that will automatically be added as a prefix during DNS resolution

1.6 Click Save.

Step 2. Create a Policy

2.1 Log into the Banyan Command Center and navigate to Secure Access > Policies > Create New Policy.

2.2 Create a new Policy using the template TCP Policy.

2.3 Enter a Policy Name (such as, hosted-service) and a Description.

2.4 Configure the Policy Attributes:

Step 3. Register a Service Tunnel

3.1 Navigate to Manage Services > Service Tunnels, and then click + Register Service.

3.2 Enter the Service Name (such as, AWS Prod VPC) and Description (such as Access to AWS Production VPC).

3.3 Select the cluster where the applicable Access Tier is located.

3.4 Select one or more Access Tier’s for the Service Tunnel.

If selecting multiple Access Tiers, ensure that there are no overlapping CIDR ranges. If CIDR ranges overlap, two separate Service Tunnels will need to be created.

3.5 Attach the policy you previously created in Step 2, and then set the enforcement mode.

3.6 Click Save.

Step 4. Connect to a Service Tunnel

4.1 Launch the Banyan Desktop App, locate the service tunnel from the list of Service Tunnels, and then click Connect.

End users may be prompted once for their admin password to install the Banyan Tunnel Service.

  • Banyan will continuously evaluate your device posture, enforce your security policies, and then grant access accordingly.

4.2 Access your internal resources.


And, that’s it! You have created a Zero Trust policy for a service tunnel and accessed your internal resources securely.


In case of an issue connecting to a Service Tunnel or accessing a resource from a Service Tunnel, there are a few logs or components you can check:

1) Banyan App Logs

  • Reference this log if you cannot get a Service Tunnel started via the Banyan App

2) Tunnel Service Logs

  • If a Service Tunnel can be connected via the Banyan App, reference this log to ensure traffic is being sent from the tunnel interface to the Access Tier.

3) Access Tier

  • Ensure traffic is getting to the Access Tier via the UDP port selected for the Tunnel. This can be done via a tcpdump of the UDP port that is open for the tunnel. tcpdump -i eth0 port 51820

‘Error: Could not set service tunnel config.’

Check the Banyan App logs for detailed information. It is likely that port 8119 is in use or your TrustScore does not meet the policy requirements.

Last modified: Dec 01, 2021