---
title: Zero Trust
kind: note
description: Definition Zero Trust is the concept/philosophy of not assigning any trust to physical networks , but instead to authenticated users . In traditional networking, once a device is connected to a…
words: 324
readingMinutes: 1
created: '2026-02-08T00:00:00.000Z'
updated: '2026-06-29T13:10:58+02:00'
---
# Definition
**Zero Trust** is the concept/philosophy of not assigning any trust to *physical networks*, but instead to *authenticated users*.

In traditional networking, once a device is connected to a network, e.g. an Ethernet/wireless LAN within an organization, (at least some) implicit trust is assigned to it (i.e., fewer firewalls restrict connections between the device and services). This trust model does not work well in a world of disconnected sites, WFH, and BYOD.

In the Zero Trust model, devices are untrusted regardless of their physical location. Instead, users authenticate in a cryptographically secure way, and firewall policies are defined using **identities instead of network addresses** (i.e., *these roles may connect to the fileshare* instead of *this CIDR network...*).

Many "Zero Trust" solutions designed to replace traditional site-to-site [VPN](/notes/vpn-software)s are based on <span class="dead-link">Wireguard</span> and/or <span class="dead-link">HTTPS</span> as their secure transport protocol and on <span class="dead-link">OIDC</span> identity providers, such as [Azure](/notes/azure) or <span class="dead-link">Google</span>, for authentication.
# Providers
In general, all of these solutions use NAT hole punching (e.g. using STUN) to enable direct connections, and fall back to relay notes for very restrictive networks (e.g. those that prohibit the UDP connections required by <span class="dead-link">Wireguard</span>).
## Hub-and-spoke
These networks resemble traditional [VPN](/notes/vpn-software)s, such as <span class="dead-link">OpenVPN</span>. Each virtual or physical site has a "connector" (gateway/proxy), which terminates encryption and routes traffic to the local subnet:

- <span class="dead-link">Cloudflare Zero Trust</span>
- <span class="dead-link">Pangolin</span>
- <span class="dead-link">Twingate</span>
## Mesh
These networks run one connector per device/appliance:
- <span class="dead-link">Tailscale</span>
- <span class="dead-link">Netbird</span>
# Features to compare
## Reverse proxy
Some solutions support identity-aware reverse proxying, i.e. they can be configured to allow clientless resource access via a browser by authenticating the (same or different set of) users before allowing access:
- <span class="dead-link">Cloudflare Zero Trust</span> ([Docs](https://developers.cloudflare.com/learning-paths/clientless-access/concepts/what-is-clientless-access/))
- <span class="dead-link">Pangolin</span>
## [Open source](/notes/open-source)
These providers are fully [open source](/notes/open-source) (client *and* server):
- <span class="dead-link">Netbird</span>
- <span class="dead-link">Pangolin</span>
## Device security (posture checks)
Most providers can validate device security before allowing access (e.g. OS version, client version), some go further and can require specific endpoint security (e.g. anti-virus) software to be installed/up-to-date/enabled.
