Scanning VPN Networks

If the daemon's host is connected to a VPN, the daemon can scan that network. Scanopy works with WireGuard, Tailscale, Headscale, OpenVPN, and any other VPN that creates a network interface on the host.

Setup

1. Connect the daemon's host to your VPN

Install and configure your VPN client on the machine running the daemon. Verify the VPN interface is up:

# You should see a VPN interface (e.g. wg0, tailscale0, tun0)
ip addr

2. Report the new interface to Scanopy

The daemon needs to detect the new VPN interface. Either:

• Restart the daemon — it reports interfaces on startup
• Run the discovery from Discover > Scan > Scheduled — the daemon re-scans its own interfaces and reports them to the server as part of each discovery run

3. Verify the VPN subnet appears

After the discovery completes, check Assets > Subnets. The VPN subnet should appear as an interfaced subnet for the daemon.

4. Configure scanning

• If your discovery has no specific subnets configured (the default), the VPN subnet is picked up and scanned automatically on the next run.
• If you've configured specific subnets, add the VPN subnet manually via Discover > Scan > Scheduled.

What to expect

Since the daemon has a network interface on the VPN, it gets Layer 2 access — full ARP discovery, MAC addresses, and the ability to find hosts even without open ports. This is the same quality of discovery as a local network.

Multiple VPN networks

If the daemon's host is connected to multiple VPNs, each VPN interface is detected and its subnet is scanned. No additional configuration is needed beyond connecting the VPN client.