

IPSec VPN allows test virtual machines in the Sauce Labs network to access application servers in a customer's private network. However, IPSec VPN doesn't allow application servers to access Sauce test VMs. This diagram illustrates the architecture of the IPSec VPN solution. The solution consists of two components: a VPN connection between two IPSec gateways, and a tunnel gateway.

VPN Connection

An IPSec VPN connection is a tunnel between two IPSec gateways, one in the customer network and another in the Sauce Labs network. We recommend that you use an enterprise-grade IPSec gateway to set up the IPSec VPN connection.

Tunnel Gateway

The tunnel gateway is always on for the lifetime of the IPSec VPN connection, and plays an important role in DNS resolution, routing and security.


The tunnel gateway runs a firewall and only authorized test VMs are allowed to connect through the firewall. Authorized test VMs include:

  • Test VMs created by the IPSec VPN tunnel owner
  • Test VMs created by accounts with which the tunnel is shared

By default, all incoming connections from test VMs are blocked. Firewall rules are dynamically adjusted to allow connections from a new, authorized test VM and to block connections from a terminated test VM.

By default, the firewall allows these ports and protocols through the IPSec VPN connection. 

  • Outbound from Sauce: HTTP (TCP/80), HTTPS (TCP/443)
  • Outbound from Sauce: DNS (UDP/53, TCP/53, TCP/853)
  • Outbound from Sauce: Web Proxy (TCP/8080, TCP/8443)
  • Inbound from customer network, Outbound: ICMP
  • Inbound from customer network: BGP (TCP/179)

You can request additional ports and protocols to be opened by contacting Sauce Labs Support.


Test VMs authorized to use the IPSec VPN tunnel are configured to route all their test traffic to the tunnel gateway. 

The tunnel gateway routes all predefined customer subnets through the IPSec VPN tunnel, and all other traffic is routed to the Internet.

In addition, the tunnel gateway supports two options called tunnel-domains and direct-domains. The two options are mutually exclusive, and each provides a list of domain names. The tunnel gateway routes any requests that match tunnel-domains through the IPSec VPN tunnel and any requests that match direct-domains directly to the Internet. The order of precedence is as follows:

  • First, route based on tunnel-domains and direct-domains
  • Next, route based on customer subnets.

We strongly recommend that you use subnets for routing. 
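
The precedence described above, modeled as an added example (this is not Sauce Labs code). The subnet, the domain names, and the rule that an entry also matches its subdomains are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configuration (not taken from a real deployment).
CUSTOMER_SUBNETS = ["10.20.0.0/16"]


def _matches(host, domains):
    # Assumption: an entry matches the domain itself and any subdomain.
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in domains)


def route(host, dest_ip, subnets, tunnel_domains=(), direct_domains=()):
    """Return "tunnel" or "internet" for a single request."""
    if tunnel_domains and direct_domains:
        raise ValueError("tunnel-domains and direct-domains are mutually exclusive")
    # First: route based on tunnel-domains / direct-domains.
    if _matches(host, tunnel_domains):
        return "tunnel"
    if _matches(host, direct_domains):
        return "internet"
    # Next: route based on customer subnets; all other traffic goes to the Internet.
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in ipaddress.ip_network(s) for s in subnets):
        return "tunnel"
    return "internet"


if __name__ == "__main__":
    # (host, destination IP, tunnel-domains, direct-domains) - all constructed.
    cases = [
        ("app.corp.example", "10.20.1.5", (), ()),
        ("www.example.org", "203.0.113.10", (), ()),
        # Domain rule wins even though the address is outside the subnets.
        ("cdn.corp.example", "203.0.113.10", ("corp.example",), ()),
        # Domain rule wins even though the address is inside a customer subnet.
        ("legacy.corp.example", "10.20.1.5", (), ("legacy.corp.example",)),
    ]
    for host, ip, td, dd in cases:
        print(f"{host:22} {ip:14} -> {route(host, ip, CUSTOMER_SUBNETS, td, dd)}")
```

Because a domain rule is evaluated before the subnet list, a direct-domains entry sends a request to the Internet even when its address falls inside a customer subnet, which is worth checking when reviewing a tunnel configuration.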

Routing Rules

By default, the tunnel gateway uses predefined static routes. However, if you are running a BGP server, then the tunnel gateway can learn about new routes in the customer network. Please contact Sauce Labs Support to update static routes.

DNS Resolution

DNS requests for predefined user domains are forwarded through the tunnel to the user's DNS servers. All other requests are resolved through public DNS servers. 


The Sauce Labs IPSec VPN solution supports these protocols: HTTP, HTTPS, DNS, WebSockets and Secure WebSockets.

Self-Signed Certificates

By default, the tunnel gateway acts as a Man-In-The-Middle proxy and re-encrypts all SSL connections with a Sauce Labs certificate. If your tests don't access any servers with self-signed certificates, then we strongly recommend that you disable SSL re-encryption. SSL re-encryption can be disabled for all domains, or for selected domains, by using the no-ssl-bump-domains configuration option.

WebSocket servers with self-signed certificates are not supported. 
