Waltsoft Serverless VPN - Pay-Per-Session Proxy on Lambda MicroVMs

Serverless VPN by Waltsoft runs on AWS Lambda MicroVMs - Firecracker-based virtual machines that terminate when you disconnect, costing nothing until you reconnect. Your traffic exits from AWS IP addresses through your own dedicated MicroVM, giving you privacy without shared VPN servers.

Unlike traditional VPN subscriptions that charge monthly whether you use them or not, or self-hosted EC2 VPNs that run 24/7, Serverless VPN costs nothing when disconnected. The MicroVM terminates completely - no compute, no storage, no ongoing charges. You pay only a software license plus your own AWS compute costs when active.

All traffic between your machine and the Lambda MicroVM flows through a WebSocket Secure (WSS) tunnel using TLS encryption. Inside the MicroVM, a SOCKS5 proxy (microsocks) routes your TCP traffic to the internet via AWS default egress - no VPC or NAT Gateway needed.

Ephemeral by design: When you disconnect, the MicroVM terminates completely. No logs, DNS queries, session artifacts, or traffic data persist after termination. All data stays within your own AWS account - Waltsoft never sees or stores your traffic.

CloudTrail auditable: All Lambda MicroVM invocations are logged in your AWS CloudTrail, providing enterprise-grade audit trails under your control.

For a developer who connects 2 hours per day on weekdays, the active Lambda compute cost is approximately a few cents per session. Compare this to an always-on t3.micro EC2 VPN instance or a traditional VPN subscription charging a fixed monthly fee regardless of usage. The savings compound for intermittent users who need VPN access for specific tasks rather than 24/7 connectivity.

• Remote developers: Route API calls through a consistent AWS IP for allowlisting on third-party services, then disconnect when done.
• Security researchers: Browse from a disposable, ephemeral MicroVM to avoid fingerprinting. Each session starts fresh from a snapshot with no prior state.
• Compliance-conscious teams: Auditable egress for regulated data access with full CloudTrail logging, deployed entirely within your own AWS account boundary.

• Zero idle cost - MicroVM terminates when you disconnect. No compute, no storage, no charges until you reconnect.
• ~20-second cold start - fresh MicroVM launches from snapshot each session.
• 5 AWS region exit points - us-east-1, us-east-2, us-west-2, eu-west-1, ap-northeast-1.
• No shared infrastructure - your own dedicated MicroVM per session. No IP reputation risk.
• 8-hour max sessions - designed for work hours. Run vpn.sh start again for a new session.
• One-command operation - ./vpn.sh start connects, ./vpn.sh stop terminates.
• Runs in your AWS account - all infrastructure, logs, and traffic remain under your ownership.

1. Subscribe and deploy the CloudFormation template in your AWS account
2. Download vpn.sh and install wstunnel (one-time setup, ~5 min)
3. Run ./vpn.sh start - all traffic routes through AWS (~20s cold start)
4. Run ./vpn.sh stop - MicroVM terminates, back to normal IP

Deployment takes approximately 5 minutes using the provided CloudFormation template. A detailed setup guide and architecture documentation are available to walk you through the process. If you would like a guided deployment walkthrough, contact to schedule a session.

• AWS account with Lambda MicroVMs access (GA in 5 regions listed above)
• AWS CLI v2.27+ (brew upgrade awscli)
• macOS or Linux (Windows via WSL2)
• wstunnel binary (install instructions provided)

• Session VPN, not 24/7 - designed for work sessions with 8-hour max per session.
• SOCKS5 proxy routes TCP traffic (web, APIs). Does not tunnel UDP.
• Streaming services (Netflix, Disney+) may block AWS IP addresses.
• Runs on Graviton ARM64 - Amazon Linux 2023.
• Waltsoft does not collect, store, or inspect any user traffic.