VPN Client Support Matrix

Comprehensive list of supported enterprise VPN clients with PQC readiness

Overview

TYCHON Quantum Readiness supports detection of 19 VPN clients across Windows, macOS, and Linux platforms. Each client is assessed for post-quantum cryptography (PQC) readiness and migration status.

Detection Methods

  • Package: Package manager detection (Linux only - high confidence)
  • Filesystem: Installation directory and executable detection
  • Process: Active process and service detection
  • Configuration: Client configuration file analysis

PQC Assessment Levels

  • Ready: Full PQC algorithm support available
  • Partial: Limited PQC support or in development
  • Not Ready: No PQC support currently available

Usage

Enable VPN client detection using the -detect-vpn-clients flag in local scanning mode:

.\certscanner-windows-amd64.exe -mode local -detect-vpn-clients -output vpn-scan.json

VPN Client Support Matrix

| VPN Client | Vendor | Windows | macOS | Linux | PQC Readiness | Detection Method |
| Palo Alto GlobalProtect | Palo Alto Networks | | | | Partial | Filesystem, Process |
| Cisco AnyConnect | Cisco Systems | | | | Partial | Filesystem, Process, Package |
| FortiClient | Fortinet Inc. | | | | Not Ready | Filesystem, Process, Package |
| Check Point Endpoint Security | Check Point Software | | | | Not Ready | Filesystem, Process, Package |
| SonicWall NetExtender | SonicWall Inc. | | | | Not Ready | Filesystem, Process |
| Zscaler | Zscaler Inc. | | | | Partial | Filesystem, Process, Package |
| Cloudflare WARP | Cloudflare Inc. | | | | Ready | Filesystem, Process, Package |
| NordLayer | Nord Security | | | | Not Ready | Filesystem, Process |
| Perimeter 81 | Perimeter 81 Ltd. | | | | Not Ready | Filesystem, Process |
| Twingate | Twingate Inc. | | | | Partial | Filesystem, Process |
| OpenVPN Connect | OpenVPN Technologies | | | | Partial | Filesystem, Process, Configuration, Package |
| OpenConnect | Open Source | | | | Not Ready | Filesystem, Package |
| SoftEther VPN | SoftEther Project | | | | Not Ready | Filesystem, Process, Package |
| WireGuard | WireGuard LLC | | | | Not Ready | Filesystem, Process, Configuration, Package |
| Pritunl Client | Pritunl Inc. | | | | Not Ready | Filesystem, Process |
| Viscosity | SparkLabs Pty Ltd. | | | | Not Ready | Filesystem, Process |
| Tunnelblick | Tunnelblick Project | | | | Not Ready | Filesystem, Process |
| ProtonVPN | Proton Technologies | | | | Not Ready | Filesystem, Process, Package |
| ExpressVPN | Express VPN International Ltd. | | | | Not Ready | Filesystem, Process, Package |
| NordVPN | Nord Security | | | | Partial | Filesystem, Process, Package |
| Surfshark | Surfshark B.V. | | | | Not Ready | Filesystem, Process, Package |
| CyberGhost | CyberGhost S.A. | | | | Not Ready | Filesystem, Process, Package |
| Built-in VPN (Windows) | Microsoft Corporation | | | | Not Ready | Configuration |
| Built-in VPN (macOS) | Apple Inc. | | | | Not Ready | Configuration |
| Built-in VPN (Linux) | NetworkManager | | | | Not Ready | Configuration |

IPSec Implementation Support

TYCHON Quantum Readiness also detects IPSec tunnel configurations across multiple implementations:

Open Source Implementations

strongSwan

Linux, macOS, Windows support with extensive configuration parsing

Config: /etc/ipsec.conf | PQC: Partial

Libreswan

Linux and Unix systems

Config: /etc/ipsec.conf | PQC: Not Ready

OpenSwan

Legacy Linux implementation (detected but deprecated)

Config: /etc/ipsec.conf | PQC: Not Ready

Built-in OS Implementations

Windows IPSec

Built-in Windows IPSec policy and configuration

Registry-based | PQC: Not Ready

macOS IPSec

Native macOS IPSec via System Configuration

Config: preferences.plist | PQC: Not Ready

Linux IPSec

Kernel-level IPSec with XFRM

Kernel interfaces | PQC: Not Ready

Detection Examples

Sample VPN Client Detection

{
  "source_id": "d87c1d880886fd83db018456d742cb83efa0758e",
  "client_name": "Palo Alto GlobalProtect",
  "vendor": "Palo Alto Networks",
  "version": "6.3.2-525",
  "install_path": "/Applications/GlobalProtect.app",
  "status": "active",
  "detection_method": "filesystem",
  "detection_confidence": "high",
  "pqc_assessment": {
    "is_pqc_ready": true,
    "quantum_resistance": "medium",
    "pqc_migration_status": "partial",
    "supported_pqc_algorithms": ["ML-KEM-512"],
    "last_assessed": "2025-09-12T12:54:43.476222-04:00"
  }
}

Sample IPSec Tunnel Detection

{
  "source_id": "90e2352de5c7c9d856327dcfef4ffbd89c2634a1",
  "tunnel_name": "strongSwan Site-to-Site",
  "implementation": "strongswan",
  "config_path": "/etc/ipsec.conf",
  "status": "inactive",
  "tunnel_details": {
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "10.0.0.0/24",
    "gateway": "203.0.113.1",
    "encryption_algorithms": ["aes256"],
    "integrity_algorithms": ["sha256"],
    "key_exchange_groups": ["modp2048"]
  },
  "pqc_assessment": {
    "is_pqc_ready": false,
    "quantum_resistance": "low",
    "pqc_migration_status": "not_ready"
  }
}
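
A triage pass over records shaped like the two samples above, as an added example (not TYCHON's own code). It assumes the -output file holds a JSON array of such records and that "ready" is the third pqc_migration_status value; the function names and the list of classical group prefixes are illustrative.

```python
import json

# Records trimmed from the two samples shown on this page; wrapping them in a
# JSON array is an assumption about the layout of the -output file.
SAMPLE = json.loads("""[
 {"client_name": "Palo Alto GlobalProtect", "status": "active",
  "pqc_assessment": {"is_pqc_ready": true, "pqc_migration_status": "partial",
                     "supported_pqc_algorithms": ["ML-KEM-512"]}},
 {"tunnel_name": "strongSwan Site-to-Site", "status": "inactive",
  "tunnel_details": {"key_exchange_groups": ["modp2048"]},
  "pqc_assessment": {"is_pqc_ready": false, "pqc_migration_status": "not_ready"}}
]""")

# "ready" is assumed by analogy with the "partial"/"not_ready" values shown.
PRIORITY = {"not_ready": "high", "partial": "medium", "ready": "low"}
# Classical (quantum-vulnerable) DH/ECDH group name prefixes; not exhaustive.
CLASSICAL_PREFIXES = ("modp", "ecp", "curve25519", "x25519")


def triage(record):
    """Return (name, priority, reasons) for one detection record."""
    pqc = record.get("pqc_assessment", {})
    status = pqc.get("pqc_migration_status", "unknown")
    name = record.get("client_name") or record.get("tunnel_name", "unnamed")
    reasons = []
    # A boolean "ready" flag next to a non-final migration status is easy to
    # misread in dashboards, so surface the disagreement explicitly.
    if pqc.get("is_pqc_ready") and status != "ready":
        reasons.append(f"is_pqc_ready is true but migration status is {status}")
    groups = record.get("tunnel_details", {}).get("key_exchange_groups", [])
    classical = [g for g in groups if g.lower().startswith(CLASSICAL_PREFIXES)]
    if classical:
        reasons.append("classical key exchange groups: " + ", ".join(classical))
    if not pqc.get("supported_pqc_algorithms"):
        reasons.append("no PQC algorithms reported")
    return name, PRIORITY.get(status, "review"), reasons


def worklist(records):
    """Highest-priority findings first; active entries before inactive ones."""
    order = {"high": 0, "review": 1, "medium": 2, "low": 3}
    rows = [(*triage(r), r.get("status", "unknown")) for r in records]
    return sorted(rows, key=lambda r: (order[r[1]], r[3] != "active"))


if __name__ == "__main__":
    for name, priority, reasons, status in worklist(SAMPLE):
        print(f"[{priority}] {name} ({status}): " + "; ".join(reasons))
```

Unrecognised migration status values fall into a "review" bucket rather than being silently treated as ready.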

Current Limitations

Known Limitations

  • Security Policy: To prevent privilege escalation attacks, detection methods never execute third-party VPN binaries
  • Corporate Compliance: Detection methods avoid PowerShell execution to comply with enterprise security policies
  • Version Detection (Linux): Linux version detection relies on package managers and filesystem analysis only, not binary execution
  • Process Detection: Client must be running or have been recently active for process-based detection
  • PQC Assessment: PQC readiness is based on published vendor documentation and may change with updates
  • Linux Variations: Detection supports dpkg, rpm, and pacman package managers across major distributions