Comparison: Pangolin vs. Zscaler

Owen Schwartz
Co-founder & CTO

Pangolin and Zscaler Private Access (ZPA) both provide zero-trust, identity-based access to private resources. They share the same core idea: users get access to specific applications, not a whole network. Under the hood, however, they differ significantly in architecture, traffic routing, deployment model, scope, and who they are built for. This article outlines what each does and where they diverge.

What is Pangolin?

Pangolin is an open-source, identity-based remote access platform built on WireGuard. It is resource-centric: you define specific hosts or applications users can reach, not whole networks. You deploy a lightweight connector (a site) on a machine that has access to a network - office LAN, VPS, cloud VPC, or home lab. Anything that site can reach can be defined as a resource (web app, database, SSH host, internal API). You grant users and roles access to specific resources; users see only what you allow. No open ports: sites use outbound-only tunnels, and clients use NAT hole punching or relay.

The full stack is open source. You can self-host the entire platform, use Pangolin Cloud, or use the cloud control plane and self-host only relay nodes so traffic stays on your infrastructure. Pangolin combines reverse proxy and VPN: web apps can be reached in the browser with no client; databases and SSH use the Pangolin client. Both paths share the same identity and permissions.

What is Zscaler Private Access?

Zscaler Private Access (ZPA) is a cloud-native, enterprise-grade zero-trust access control solution. It is designed for large organizations that need to provide access to private resources - whether on-premises or hosted in the cloud - to all users regardless of location. It is one part of the broader Zscaler platform; a separate subscription, Zscaler Internet Access (ZIA), handles internet and SaaS traffic.

You deploy App Connectors on your private resources. Each App Connector establishes an outbound proxy connection to the nearest Zscaler data center. Users install the Zscaler client, which also connects outbound to the nearest Zscaler data center. Zscaler's Private Service Edges - running across a global network of more than 150 data centers - link the two connections together. All user traffic passes through Zscaler's cloud infrastructure; there are no direct connections between users and resources.

Zscaler's control plane is cloud-hosted and multi-tenant. There is no self-hosted option. Pricing is opaque and requires consultation with Zscaler or a reseller. The platform is aimed at large enterprises with dedicated security teams that need comprehensive policy enforcement, compliance monitoring, and DLP at scale.

How the two compare

The table below summarizes the main differences. The sections after it walk through each area in order.

Feature | Pangolin | Zscaler Private Access
--- | --- | ---
Architecture | Hub-and-spoke control plane (server + sites); clients connect directly to sites via WireGuard | Proxy-based; all traffic routed through Zscaler's global cloud data centers
Access model | Resources (web apps, hosts, ports); FQDN or IP; role-based access control | Resources (apps/hosts); policies based on identity, device, and group
Self-hosting | Self-hostable or cloud; full control over data and infrastructure | Cloud-only; all traffic passes through Zscaler's infrastructure
Open source | Server and clients fully open source (AGPLv3 or Commercial License) | Closed source; proprietary
SSO / IdP | Built-in SSO with OIDC; connects to any OIDC-compatible IdP | Integrates with enterprise identity providers
Web app exposure | Clientless browser access; identity-aware reverse proxy; custom domains; automatic SSL | ZPA Browser Access portal for clientless access to private web apps
Pricing | Transparent; self-hostable for free; clear cloud plan pricing | Opaque; requires consultation with Zscaler or a reseller
Target | Teams of any size; self-hosters to enterprises | Large enterprises with dedicated security teams
Scope | Unified platform: VPN + reverse proxy + identity in one product | ZPA for private access; ZIA is a separate subscription for internet/SaaS traffic
Device security | Device posture checks; device approvals; device fingerprinting | Device posture checks; identity and device-based access policies
Transport | WireGuard; NAT traversal via P2P or relay; no open ports | TLS-based proxy tunnels through Zscaler cloud; no open ports

Architecture

In both systems you deploy a connector on a network, define resources behind it, grant users access to those resources, and require no open inbound ports. The similarities end there.

Pangolin uses direct connections. When a client accesses a resource, the Pangolin server facilitates discovery and NAT traversal, then the client and site establish a WireGuard tunnel directly - peer-to-peer when possible, through a relay only when NAT prevents a direct link. Data travels on the shortest path.

Zscaler uses a proxied architecture. The App Connector on your resource connects outbound to the nearest Zscaler data center. The Zscaler client on the user's device connects outbound to the nearest Zscaler data center. Zscaler's Private Service Edge in that data center links the two connections together. Every byte of traffic passes through Zscaler's cloud infrastructure. Latency depends on how close users and resources are to their respective nearest data center. There are no direct connections between user devices and resources.

Traffic routing and performance

Because Pangolin establishes direct WireGuard connections between the client and the site, traffic takes the most efficient path between user and resource. Relay is only used as a fallback when NAT traversal cannot establish a direct link. This keeps latency low and avoids routing traffic through third-party infrastructure.

Zscaler routes all traffic through Private Service Edges in its network of 150+ data centers worldwide. This centralized routing means performance depends on cloud routing efficiency and on the distance from each endpoint to its nearest Zscaler data center. Users and resources that are far from a Zscaler edge may experience higher latency.

Web apps and clientless access

Pangolin can expose web applications without a VPN client. Users open a URL, sign in (e.g. with SSO), and reach the app in the browser. Pangolin acts as an identity-aware reverse proxy and provisions SSL certificates automatically. You can add pin codes, passcodes, user auth, email whitelists, and more per resource. Pangolin supports custom domain names for web resources. That fits contractors, BYOD, or quick access to internal tools when you do not want to install a client everywhere.

Zscaler Private Access does have a browser access feature - ZPA Browser Access - that provides clientless access to private web apps through a Zscaler-hosted user portal. It is aimed at BYOD and third-party users on unmanaged devices. The two approaches differ meaningfully, though. Zscaler's browser access is portal-based: users log in to a Zscaler-managed user portal that lists their authorized apps. Pangolin gives each resource its own URL on a custom domain you control - tools.yourcompany.com, grafana.yourcompany.com - rather than a single shared portal. Private app FQDNs are obscured from users in Zscaler's model by design, which limits direct linking and bookmarking. Pangolin's resources are first-class URLs.

Deployment and data sovereignty

Pangolin can run fully on your own infrastructure. You can self-host the server, control plane, and all relay nodes. Alternatively, you can use Pangolin Cloud and optionally add your own relay nodes so traffic stays on your infrastructure while using the cloud control plane. Once a tunnel is established, traffic between clients and sites travels directly between them and does not pass through Pangolin's servers; when NAT forces it through a relay node, it is still end-to-end encrypted between client and site, so the relay only forwards ciphertext it cannot read.

With Zscaler Private Access, all traffic is routed through Zscaler's global cloud data centers. There is no self-hosted option for the control plane or for the traffic path. All user and resource traffic passes through Zscaler infrastructure by design - that is how Zscaler applies security inspection. If your organization's policy or regulations require that traffic stay on your own infrastructure, or if you simply prefer not to send all traffic through a third-party cloud, Pangolin's architecture supports that; Zscaler's does not.

Scope and product model

Pangolin is a unified platform. Private resource access (VPN-style, via the client) and public web app exposure (reverse proxy, browser-based) are part of the same product, managed with the same identity and permissions, deployed as one system.

Zscaler is a broader security suite split into separate products. Zscaler Private Access handles access to private resources (on-premises or cloud-hosted). Zscaler Internet Access is a separate subscription that manages internet and SaaS traffic - threat protection, secure web gateway, CASB, and DLP for outbound internet traffic. If you need both, you subscribe to both. Zscaler's suite is comprehensive, but it means more products, more complexity, and more cost.

Setup and operational complexity

Pangolin is designed to be lightweight to deploy. You run the server (self-hosted or cloud), deploy a site connector on a network, define resources, and set up users. The setup is approachable for small teams, individual operators, and enterprise IT departments alike.

Zscaler requires substantial configuration before deployment: administrators must define access control policies, security rules, compliance settings, and integrate with identity providers. The platform is designed for large enterprises with dedicated security teams. Smaller teams or those without full-time security personnel will likely find the operational overhead significant.

Pricing and transparency

Pangolin is open source and self-hostable at no cost; the Enterprise Edition and Pangolin Cloud both have clear, published pricing. You know what you are paying before you commit.

Zscaler's pricing is opaque. There is no published price list; you must contact Zscaler or a reseller for a quote. Enterprise agreements are custom, and the total cost depends on features, seat counts, and which products (ZPA, ZIA, and others) you need. For teams that want predictable, transparent costs, Pangolin's model is straightforward; Zscaler's is not.

Open source

Pangolin's server and clients are open source under the AGPLv3 or a Commercial License. You can run, inspect, and modify the full stack.

Zscaler is proprietary. The platform is entirely closed source. You cannot self-host any component or inspect the code. If transparency, auditability, or the freedom to run and modify the system matter to you, Pangolin's licensing and architecture support that.

Device security

Both platforms support device posture checks: they collect information about security-relevant settings on the device - disk encryption, firewall status, antivirus, OS version - and allow you to enforce access policies based on posture.

Pangolin adds a device approvals feature. When enabled, all new devices are denied by default. Admins see a queue of pending devices and must explicitly approve each one before it can connect. That gives you explicit control over the device inventory, not just the user account.
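The following is an added example, not Pangolin's or Zscaler's own code, that models the default-deny, resource-centric decision described here and in the web-app section above: a device must be explicitly approved, must pass a posture check, and the user must hold a role (and, where configured, an allowlisted e-mail) granted on that specific resource. The data model, field names, hosts and users are this example's own assumptions, not either product's API; every check must pass, and the first failure is reported so an administrator can see why a request was denied.

```python
"""Illustrative resource-centric, default-deny authorization check.

Added example; not Pangolin's or Zscaler's code. Field names, resources
and users below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Posture:
    disk_encrypted: bool
    firewall_on: bool
    os_version: tuple  # e.g. (14, 2); compared as a tuple


@dataclass
class Device:
    fingerprint: str
    posture: Posture
    approved: bool = False  # default deny: an admin must approve each device


@dataclass
class User:
    email: str
    roles: frozenset
    device: Device


@dataclass
class Resource:
    name: str
    allowed_roles: frozenset
    email_allowlist: Optional[frozenset] = None  # None = no e-mail restriction
    min_os_version: tuple = (0,)


def posture_ok(p: Posture, resource: Resource) -> bool:
    """Enforce the posture attributes the resource requires."""
    return p.disk_encrypted and p.firewall_on and p.os_version >= resource.min_os_version


def authorize(user: User, resource: Resource, registry: dict) -> tuple:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if resource.name not in registry:
        return False, "unknown resource"        # no route to undefined hosts
    if not user.device.approved:
        return False, "device not approved"     # still in the approval queue
    if not posture_ok(user.device.posture, resource):
        return False, "device posture failed"
    if not (user.roles & resource.allowed_roles):
        return False, "role not granted"        # scoped per resource, not per network
    if resource.email_allowlist is not None and user.email not in resource.email_allowlist:
        return False, "email not on allowlist"
    return True, "ok"


# Constructed sample data: two resources behind the same site, different grants.
REGISTRY = {
    "grafana.example.internal": Resource(
        name="grafana.example.internal",
        allowed_roles=frozenset({"ops", "dev"}),
        min_os_version=(13, 0),
    ),
    "postgres.example.internal": Resource(
        name="postgres.example.internal",
        allowed_roles=frozenset({"ops"}),
        email_allowlist=frozenset({"dba@example.com"}),
        min_os_version=(14, 0),
    ),
}

HEALTHY = Posture(disk_encrypted=True, firewall_on=True, os_version=(14, 2))
STALE = Posture(disk_encrypted=True, firewall_on=False, os_version=(12, 6))


def demo() -> dict:
    """Walk through the decisions for three constructed users and devices."""
    grafana = REGISTRY["grafana.example.internal"]
    postgres = REGISTRY["postgres.example.internal"]

    dev_laptop = Device("fp-a1", HEALTHY, approved=True)
    new_laptop = Device("fp-b2", HEALTHY)              # not yet approved
    old_laptop = Device("fp-c3", STALE, approved=True)

    alice = User("alice@example.com", frozenset({"dev"}), dev_laptop)
    bob = User("dba@example.com", frozenset({"ops"}), new_laptop)
    carol = User("carol@example.com", frozenset({"ops"}), old_laptop)

    results = {
        "alice_grafana": authorize(alice, grafana, REGISTRY),
        "alice_postgres": authorize(alice, postgres, REGISTRY),   # same site, no grant
        "bob_postgres_pending": authorize(bob, postgres, REGISTRY),
        "carol_grafana": authorize(carol, grafana, REGISTRY),
        "alice_unknown": authorize(
            alice, Resource("ssh.example.internal", frozenset({"dev"})), REGISTRY),
    }
    new_laptop.approved = True  # admin approves bob's device from the queue
    results["bob_postgres_approved"] = authorize(bob, postgres, REGISTRY)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the ordering is that the device gate and posture gate run before any role lookup, so an unapproved or non-compliant device never learns which resources its user holds grants on, and a user reaching one resource on a site gains nothing on a neighbouring resource behind the same site.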

Tenancy

Pangolin supports multiple organizations under one account, with the ability to share or assign users and resources across them. That makes it well suited for MSPs or teams managing multiple environments from one place.

Zscaler provisions one tenant per customer organization. Managing several separate organizations from one place is not a native capability in the same way.

Best fit

Choose Pangolin if you want a zero-trust, resource-centric access platform that is lightweight to deploy, transparent in pricing, and open source. Pangolin is self-hostable if you need full control over your infrastructure and traffic, and it includes both client-based private access and clientless browser access for web apps in one unified system. It fits teams of any size - from a self-hosted home lab to a multi-site enterprise.

Choose Zscaler if you are a large enterprise with a dedicated security team that requires a comprehensive cloud security suite with advanced threat protection, DLP, and a secure web gateway at global scale. Zscaler fits organizations with strict compliance and monitoring requirements that can manage complex configuration and enterprise pricing, and that are comfortable routing all traffic through Zscaler's cloud infrastructure.

Try Pangolin

Get started with Pangolin. You can self-host the server or sign up for the cloud and try it with no commitment.

Get in touch

If you want more detail on how Pangolin can fit your setup, reach out.