🔒 Complete Zero Trust Platform

Two Products.
One Complete Zero Trust Platform.

ZTGuard secures both layers of your infrastructure: Application Gateway publishes web apps with Email OTP, and Private Mesh connects admins and infrastructure over encrypted WireGuard tunnels.

Start Free Trial → See Both Products

14-day free trial  ·  ✓ No credit card required  ·  Each $12 / Bundle $20/user

  • Application Gateway — web apps with Email OTP, no VPN
  • Private Mesh — WireGuard mesh for SSH, RDP, infrastructure
  • Zero open firewall ports on your servers
  • Canadian infrastructure — full data sovereignty
  • Bundle both products and save $4/user/month
Product 1 — Application Gateway

Publish Web Apps Securely

Browser users access internal apps with Email OTP and 30-day trusted sessions — no VPN, no client software.

  • No open ports — outbound connector
  • Email OTP — no app needed
  • 30-day trusted sessions
  • Auto HTTPS on every site
Product 2 — Private Mesh

Secure Infrastructure Access

Connect admins, servers, and sites over encrypted peer-to-peer WireGuard. SSH, RDP, any protocol.

  • P2P WireGuard tunnels
  • ACL group policies
  • Proxmox, SSH, RDP, K8s
  • Close public port 22 forever
🌐

Application Gateway

Browser users access web apps via Email OTP — no VPN, no client, no open ports.

🔗

Private Mesh

Admins reach SSH, Proxmox, RDP over encrypted WireGuard. Infrastructure hidden from internet.

🇨🇦

Canadian Sovereignty

Fully self-hosted. Your keys, your data. Ottawa, ON — PIPEDA compliant.

Trusted by teams at
50+Sites secured
99.9%Uptime SLA
0
Open ports required
servers stay invisible
<60s
Connector install
one Docker command
30d
Trusted sessions
Gateway product
P2P
Direct WireGuard
Mesh product
$20
Bundle both products
per user / month
The ZTGuard Platform

Two Layers. Complete Zero Trust.

Modern Zero Trust requires two separate layers: application access for browser users, and infrastructure networking for admins. ZTGuard delivers both.

Application Gateway

Secure Web App Publishing

Publish any internal web app to the internet behind Email OTP. Browser users — no software to install.

  • Outbound connector — zero open firewall ports
  • Email OTP — no authenticator app needed
  • Email domain allow-listing
  • 30-day trusted device sessions
  • Automatic HTTPS — Let's Encrypt managed
  • Branded login portal
  • Instant user revocation
$12
per user / month
Start Gateway Trial →
Private Mesh

Encrypted Infrastructure Networking

Connect admins, servers, and sites in a secure WireGuard mesh. SSH, RDP, any protocol — peer-to-peer.

  • WireGuard peer-to-peer tunnels
  • ACL policies — least-privilege access
  • SSH, RDP, any TCP/UDP protocol
  • Network routes — entire subnet access
  • Device approval workflow
  • Peer expiry — revoke instantly
  • Close public SSH port forever
$12
per user / month
Start Mesh Trial →
Combined Architecture

How Both Products Work Together

Browser users reach web apps through Application Gateway. Admins reach infrastructure through Private Mesh. Two independent, complementary layers.

🌐 Internet Browser HTTPS WireGuard Mesh 🛡 Application Gateway Email OTP · Reverse Proxy 🔗 Private Mesh WireGuard · ACL Policies PRIVATE INFRASTRUCTURE Web Apps · CRM Proxmox · SSH Portals · Dashboards Kubernetes · Backups HTTPS proxy p2p tunnel 👤 Browser Users 🔧 Admins
🌐 Application Gateway
How It Works

Gateway: Secure Web Apps in 3 Steps

No firewall changes. No certificate management. Install the connector, publish the site, users authenticate via Email OTP.

1
🔌

Install the Connector

One Docker command on any server. Dials outbound — no inbound ports needed.

  • Works behind NAT
  • No public IP needed
  • One connector, many apps
2
🌐

Publish Your Website

Point any domain at your internal app. Automatic HTTPS. Live in under 5 minutes.

  • Any domain you own
  • Any LAN IP or container
  • Auto-renewing TLS certs
3
📧

Users Authenticate

Enter email, receive OTP code, access the app. No passwords. No apps to install.

  • Email OTP only
  • Domain allow-listing
  • 30-day trusted sessions
ZTGuard Platform — Application Gateway and Private Mesh architecture
Live Platform Topology
All systems online
👤 Browser Users HTTPS · No client HTTPS 🛡 Application Gateway Email OTP · OTP Auth 📊 Dashboard 🤝 Portal 📋 CRM APPLICATION GATEWAY 🔧 Admin Laptop Mesh enrolled 🔗 Private Mesh Control Plane WireGuard · ACL 🖥 Proxmox 100.64.0.10 💻 SSH Server 100.64.0.11 ⚙️ Kubernetes 100.64.0.12 P2P WireGuard PRIVATE MESH 🚫 Port 22 Blocked Direct public internet → infrastructure: DENIED All admin access flows through Private Mesh only ← Gateway Mesh →
▶ ZTGuard Platform — See it in action
🔗 Private Mesh
How It Works

Mesh: Secure Infrastructure in 3 Steps

Replace VPNs, close public SSH ports, give admins encrypted peer-to-peer access to any infrastructure from anywhere.

1
💻

Enroll Your Devices

Install the mesh client on admin laptops and servers. One command to join the mesh.

  • Linux, macOS, Windows
  • Docker server peers
  • Setup keys for automation
2
🔐

Define Access Policies

Create groups (Admins, Infrastructure, Clients) and ACL rules. Each peer only talks to permitted peers.

  • Group-based ACLs
  • Port-level rules
  • Client isolation
3
🔒

Close Public Ports

Move SSH, RDP, and Proxmox behind the mesh. Block port 22 from the internet. Zero public exposure.

  • SSH over mesh IP
  • Proxmox via mesh
  • Admin laptops only

The Platform Pays For Itself on Day One.

VPN helpdesk calls and exposed port incidents carry real dollar costs. Calculate your exact savings.

💡 Your savings calculator
Team size 10
VPN support tickets/month 8
Tech hourly rate ($) $85
Monthly savings with ZTGuard Complete
$163
Bundle $200/mo · VPN support ~$283/mo
$1,956
Recovered per year
~0
VPN helpdesk calls after switching
"We replaced our VPN and exposed SSH with ZTGuard. Browser apps through Gateway, admin access through Mesh. Attack surface dropped to near zero."
Pricing

Choose the Products You Need

Individual products at $12/user/month. Bundle both and save $4/user/month.

Application Gateway
$12
per user / month
  • Unlimited published sites
  • Email OTP + domain allow-listing
  • 30-day trusted sessions
  • Auto HTTPS / TLS
  • Branded portal
  • Instant user revocation
Start Free Trial
ZTGuard Complete
$20
Save $4/user vs buying separately
per user / month — both products
  • Everything in Application Gateway
  • Everything in Private Mesh
  • WireGuard peer-to-peer mesh
  • SSH / RDP / any protocol
  • ACL policies + device approval
  • Close public SSH port
Get Complete Bundle →

✓ No credit card · 14-day trial

Private Mesh
$12
per user / month
  • WireGuard peer-to-peer
  • ACL group policies
  • SSH, RDP, any protocol
  • Device approval workflow
  • Subnet routes
  • Peer expiry policies
Start Free Trial

Ready to start your 14-day free trial?

Enter your work email — most teams are live within 24 hours of signing up.

✓ No credit card  ·  ✓ Both products in trial  ·  ✓ Cancel anytime

Comparison

ZTGuard vs. The Alternatives

How the complete ZTGuard platform compares to piecing together individual tools.

CapabilityZTGuard Complete Tailscale + CloudflareTraditional VPNTailscale Only
Web app publishing (browser users)✓ Gateway✓ CF Tunnels✗ No✗ No
Email OTP — no client for users✓ YesAdd-on✗ No✗ No
30-day trusted device sessions✓ Yes✗ No✗ No✗ No
WireGuard p2p infrastructure mesh✓ Mesh✓ TailscalePartial✓ Yes
SSH, RDP, any protocol✓ Yes✓ Yes✓ Yes✓ Yes
No client install for browser users✓ Yes✓ CF side✗ No✗ Requires client
Full self-hosted data sovereignty✓ Canadian✗ US-hostedVaries✗ US-hosted
Single vendor, both access layers✓ Yes✗ Two vendors✗ No✗ No
Pricing (combined)$20/user/mo$7–$18/user/moHardware + IT$6+/device

← Swipe to compare on mobile →

FAQ

Common Questions

Both products covered.

Do browser users need to install anything?

No. Application Gateway users access protected sites through any browser — no VPN, no extension, no app. Email, OTP code, done.

What does Private Mesh require on admin devices?

The NetBird client — install once on Linux, macOS, or Windows. Servers enroll automatically via setup keys — no interactive auth needed.

Can I use just one product or do I need both?

Each product works independently at $12/user/month. The bundle at $20 is for teams wanting complete Zero Trust coverage. Start with one, add the other anytime.

Why not Cloudflare Tunnels for everything?

Cloudflare handles web apps (like Gateway) but not SSH, RDP, or direct protocol access. It also requires DNS migration and routes control data through US infrastructure. ZTGuard gives both layers on Canadian infrastructure without DNS migration.

Can Mesh peers reach each other by default?

No. The default "All to All" policy is removed. Each peer only reaches peers explicitly permitted by ACL policy. A compromised device has a blast radius limited to its policy group.

How does the 30-day trusted session work?

After Gateway OTP, users see "Stay signed in?". If accepted, a secure cookie is stored. Subsequent visits skip OTP. Clearing cookies or new browser requires re-authentication.

What happens when I disable a user?

Both products: access revoked immediately. No token expiry delay. Gateway: session terminated. Mesh: peer deleted — all tunnel access lost within seconds.

Does Mesh work for MSPs managing multiple clients?

Yes. Each client site runs one mesh peer. All devices behind that peer become reachable through the mesh without installing the client on every device. Per-client ACL policies prevent cross-client access.

Is this truly self-hosted — no ZTGuard cloud dependency?

Yes. Both products run entirely on your infrastructure. Your keys never leave your servers. Canadian data centres, Ottawa, ON. PIPEDA compliant.

What happens if the ZTGuard server goes down?

Gateway: protected apps temporarily unavailable. Mesh: existing WireGuard tunnels remain active — only new enrollments pause. ZTGuard targets 99.9% uptime. status.ztguard.net

Complete Zero Trust.
Both Layers. One Platform.

Application Gateway for browser users. Private Mesh for infrastructure. Deploy together or start with one.

⚡ Setup assistance included for all trial signups this month

Start Free Trial → Talk to Sales
No credit card 14-day full trial Both products in trial Canadian infrastructure
🛡 ZTGuard Application Gateway + Private Mesh
✓ Bundle $20/user · No CC Start Free Trial →