The ZTGuard connector runs on your server and dials out — your server never accepts inbound connections. Add email OTP authentication to any website in minutes. No VPN. No firewall changes.
14-day free trial · ✓ No credit card required · Setup in under 10 minutes
Your server never listens on the internet. The connector dials outbound — no ports exposed, nothing to scan or exploit.
Domain allow-listing, one-time codes by email, and 30-day trusted sessions. No passwords. No apps.
One Docker command. Point a domain. Done. Automatic TLS. Works from any network, anywhere.
Securely publish any web-based application or service
Every exposed server is found by automated scanners within minutes of going online. Open ports invite credential stuffing, exploit attempts, and brute-force attacks — 24/7.
No firewall changes. No certificate management. No helpdesk calls. Install the connector, publish the site, and your users authenticate via email OTP.
One command. Your server reaches out to ZTGuard — ZTGuard doesn't reach in. No open ports. No firewall rules. Works behind any NAT.
In the dashboard, point any domain you own at your internal application. TLS certificates are provisioned and renewed automatically.
Visitors are redirected to your branded login portal. Enter email, receive OTP, access granted — no passwords, no apps, no friction.
A lightweight agent creates an outbound encrypted tunnel from your local network to the ZTGuard gateway — making your internal app accessible without touching your firewall.
The connector runs as a Docker container or binary on any Linux machine. It dials outbound — no inbound rules, no port-forwarding, no coordination with your ISP or IT department.
When a user visits your protected site, they're redirected to a branded login portal. They enter their email — if it matches your approved domain list, a one-time code is sent immediately. No account creation. No password resets.
From small business admin panels to MSP-managed client networks — one connector, any application, any domain.
Remote employees access internal apps through any browser. No VPN client. No certificate errors. No IT calls.
Each client gets a unique email domain restriction. Client A can't see Client B's portal. Ever.
One connector per client network. Deploy a new client site in 5 minutes. All managed in one dashboard.
Expose Grafana, Portainer, Home Assistant, or any service — publicly accessible, privately protected.
ZTGuard enforces Zero Trust: no implicit trust, ever. Every access request must prove identity — regardless of where it comes from.
ZTGuard is built for MSPs. One dashboard manages all your client organizations — each with their own connector, domains, users, and domain policies. Volume pricing for partners.
Calculate your exact monthly savings by switching from VPN to ZTGuard — based on your real team size and support overhead.
"We replaced our VPN with ZTGuard in an afternoon. Our remote staff stopped calling IT about connection issues — they just use their browser."
From MSPs managing dozens of clients to solo admins protecting home lab tools — ZTGuard works in every scenario.
"We replaced our office VPN in an afternoon. Our remote staff stopped calling IT about connection issues — they just open a browser. Incredible."
"We expose client portals for 12 different customers through ZTGuard. Setup takes 5 minutes per client. The email OTP means nobody ever forgets a password."
"The 30-day trusted session is the feature that sold me. Our field staff log in once and just work — no OTP prompt every single day. Zero complaints since switching."
One plan. All features. No per-site fees, no setup costs, no hidden charges. Cancel anytime.
14-day free trial · All features · No credit card · Cancel anytime · 99.9% uptime
Enter your work email and we'll set up your workspace — most teams are live within 24 hours.
How ZTGuard compares to the tools your team is already considering.
| Capability | ZTGuard | Tailscale | Cloudflare Tunnels | Plain Reverse Proxy |
|---|---|---|---|---|
| No open firewall ports on server | ✓ Yes | ✓ Yes | ✓ Yes | ✗ No |
| Browser-only — no client app for users | ✓ Yes | ✗ No (requires Tailscale client) | ✓ Yes | ✓ Yes |
| Email OTP — no authenticator app needed | ✓ Yes | ✗ No | Add-on cost | ✗ No |
| Email domain allow-listing | ✓ Yes | ✗ No | ✓ Yes | ✗ No |
| 30-day trusted device sessions | ✓ Yes | ✗ No | ✗ No | ✗ No |
| No DNS migration required | ✓ Yes | ✓ Yes | ✗ Required | ✓ Yes |
| Automatic TLS certificate management | ✓ Yes | ✓ Yes | ✓ Yes | Manual |
| Works for external clients/contractors | ✓ Yes | ✗ Primarily internal teams | ✓ Yes | ✓ Yes |
| White-label branded login portal | ✓ Yes | ✗ No | Limited | ✗ No |
| Pricing per user (not per device) | ✓ $12/user | $6+/device | Free (limited) / $7+ | Free |
Everything you need to know. No corporate non-answers.
No. Users access protected websites through any standard web browser. No VPN client, no browser extension, no app to install. They enter their email, get an OTP, and they're in.
No. The ZTGuard Connector dials outbound from your server. Your server has zero open inbound ports. It works behind NAT, corporate firewalls, and home routers — anywhere with outbound internet.
Cloudflare Tunnels is a solid tool. ZTGuard wins on three things: 30-day trusted device sessions (users aren't re-prompted daily), email OTP with domain allow-listing without requiring Cloudflare accounts for every user, and no DNS migration — your registrar stays the same.
You can — but it takes 6–8 hours initial setup plus ongoing cert management, no built-in OTP, no audit trail, and no browser-only access for users. ZTGuard does it all in 10 minutes and handles renewal, monitoring, and user management automatically.
After OTP authentication, users see a "Stay signed in?" prompt. If accepted, a secure cookie is stored in their browser for 30 days. On subsequent visits, they skip the OTP entirely. Clearing cookies or using a new browser requires re-authentication.
The Connector auto-reconnects within seconds if connectivity is interrupted. For planned maintenance we provide 48-hour advance notice. ZTGuard targets 99.9% uptime. Check our status page for live availability.
Access is revoked immediately — no token expiry delay. Their active session is terminated and their trusted-device cookies are invalidated server-side. They cannot authenticate again until re-enabled.
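The trusted-session and revocation answers above both depend on session state being held on the server rather than inside the cookie. The sketch below is an added example, not ZTGuard's code: the `Gateway` class, the in-memory stores, the 10-minute OTP lifetime and the `example.com` allow-list are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

ALLOWED_DOMAINS = {"example.com"}  # constructed allow-list
OTP_TTL = 600                      # assumed code lifetime in seconds
TRUST_TTL = 30 * 24 * 3600         # 30-day trusted session, per the page

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

class Gateway:
    """Hypothetical gateway state; all names here are illustrative."""
    def __init__(self):
        self.otps = {}       # email -> (hash of code, expiry)
        self.trusted = {}    # hash of cookie token -> (email, expiry)
        self.disabled = set()

    def request_otp(self, email, now):
        email = email.strip().lower()
        local, at, domain = email.rpartition("@")
        if not (local and at) or domain not in ALLOWED_DOMAINS or email in self.disabled:
            return None                       # no code is sent
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[email] = (_h(code), now + OTP_TTL)
        return code                           # e-mailed in a real system

    def verify_otp(self, email, code, now, stay_signed_in=False):
        email = email.strip().lower()
        digest, expiry = self.otps.pop(email, (None, 0))   # one attempt per code
        if digest is None or now > expiry or not hmac.compare_digest(digest, _h(code)):
            return False, None
        if not stay_signed_in:
            return True, None
        token = secrets.token_urlsafe(32)     # cookie value; only its hash is stored
        self.trusted[_h(token)] = (email, now + TRUST_TTL)
        return True, token

    def check_cookie(self, token, now):
        email, expiry = self.trusted.get(_h(token), (None, 0))
        if email is None or now > expiry or email in self.disabled:
            return None                       # fall back to the OTP prompt
        return email

    def disable_user(self, email):
        email = email.strip().lower()
        self.disabled.add(email)
        self.otps.pop(email, None)
        for key in [k for k, (e, _) in self.trusted.items() if e == email]:
            del self.trusted[key]             # takes effect on the next request
```

Because the cookie carries only a random lookup token, deleting the server-side record ends the session at once; a self-contained signed token would stay valid until its own expiry unless a separate revocation list were checked.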
No. Traffic passes through the encrypted WireGuard tunnel — ZTGuard does not inspect or retain it. Email addresses are used only for OTP delivery and are never sold. Authentication event logs are stored for 90 days for audit purposes. ZTGuard runs on Canadian infrastructure (Ottawa, ON).
No open ports. No VPN. Just secure, simple access to any internal website.
⚡ Setup assistance included for all trial signups this month