Loading...
Loading...
Send VPN server addresses, usernames, and passwords securely to team members.
VPN credentials are the front door to a company's internal network. A leaked OpenVPN profile, a Cisco AnyConnect username-password pair, or a WireGuard config with embedded private key places the holder onto the same broadcast domain as Jira, internal Grafana, finance file shares, and unprotected RDP hosts. Most internal services assume anyone reaching them has already passed the network boundary.
Sending these via Slack, Confluence, or a calendar attachment fails predictably. A WireGuard `.conf` uploaded to a channel keeps the [Interface] PrivateKey readable to every channel member and to exports run during legal discovery. Pritunl profiles, OpenVPN Access Server `.ovpn` bundles, and Tailscale auth keys all carry the same problem. Worst is the shared service account — one login reused by twelve engineers means your audit log lists one anonymous actor.
PasteOnce works when a per-user profile must reach its actual user. Generate the profile in OpenVPN Access Server, Pritunl, or Tailscale's admin console, paste the file or enrollment code, send the link, and the recipient imports it before the ciphertext is destroyed. Pair with same-day revocation when the user offboards.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
In OpenVPN Access Server use the per-user PKI; in Pritunl tie one profile to each user's email as the cert CN; in WireGuard generate a unique keypair per device with `wg genkey | tee privatekey | wg pubkey`. Audit logs only work if identities are unique.
Push `redirect-gateway def1 bypass-dhcp` in OpenVPN or set `AllowedIPs = 0.0.0.0/0, ::/0` in WireGuard for admins and finance. DNS-leak and split-horizon attacks vanish. Reserve split-tunnel for engineers who need LAN printers.
Tailscale and Twingate replace the static credential with a short-lived token tied to your IdP. Revocation in Okta or Google Workspace immediately drops the device. PasteOnce remains useful for the bootstrap auth key (`tailscale up --auth-key=tskey-...`) but the steady-state credential is gone.
Enable Always-On VPN on Windows or the on-demand rule on macOS so the tunnel is required before any traffic flows. Combine with EAP-TLS certificate auth to neutralize captive-portal MITM. Rotate pre-shared keys quarterly.
IT generates an AnyConnect profile bound to the new hire's certificate, paste-onces the `.xml` profile and enrollment password, and texts the link out-of-band. The engineer imports during standup, IT confirms the session in ASA logs, and the link is dead by lunchtime.
A penetration-testing contractor requires inbound access to a staging segment. The admin creates a Pritunl user scoped to that organization, sets cert expiry to fourteen days, paste-onces the `.ovpn` file, and schedules auto-revoke for the engagement end date.
A senior engineer regenerates `wg0.conf` after rotating server keys. Each developer receives a separate paste containing only their own `[Interface]` block and the new public key — so one leaked file cannot expose the team's other peers.
Production alerts at 4 AM and the responder's saved profile no longer authenticates because the certificate rotated overnight. The on-call lead generates a fresh OpenVPN profile, paste-onces it, the responder connects, and the temporary cert is revoked next morning.
No. Beyond the audit-trail problem, concurrent-session limits in Cisco ASA and FortiGate trigger random disconnects. Use per-user accounts with an SSO bridge — every modern concentrator supports SAML or RADIUS against Okta, Entra ID, or JumpCloud.
Paste the entire `.conf` contents — including the `[Interface] PrivateKey` line and the `[Peer]` block — and instruct the recipient to import directly into the WireGuard client without saving to disk.
If your team is under 100 people and your IdP is Okta, Google, or Microsoft, yes — Tailscale's identity-bound model eliminates most credential-sharing problems. OpenVPN Access Server and Pritunl remain better when you need on-prem control of the concentrator.
Partially. MFA on a shared account just means six people share one TOTP seed. MFA only adds value when paired with per-user identities. Configure your concentrator to require Duo Push or WebAuthn per session, tied to the unique username.