docs-v2/about/pangolin-vs-vpn.mdx

---
title: "Pangolin vs. VPN"
description: "Learn how Pangolin provides application-specific access with zero-trust security compared to traditional VPNs"
---

Pangolin and VPNs serve different purposes: Pangolin focuses on secure ingress and application routing, while VPNs provide remote access to internal networks. They offer different approaches to secure connectivity.

## Traditional VPN Limitations

<CardGroup cols={2}>
<Card title="Over-Permission" icon="key">
  Users get access to entire networks, not just the applications they need.
</Card>

<Card title="Client Software Required" icon="download">
  Users must install and configure VPN client software.
</Card>

<Card title="Network Complexity" icon="network-wired">
  Requires public IP addresses, open ports, and complex network configuration.
</Card>

<Card title="Limited Access Control" icon="shield">
  Basic network-level security with few granular controls or complicated ACLs.
</Card>

<Card title="Single Point of Failure" icon="heart-crack">
  If the VPN server goes down, all access is lost.
</Card>

<Card title="Security Risk" icon="triangle-exclamation">
  Broad network access can be risky if user devices are compromised.
</Card>
</CardGroup>

## Pangolin's Ingress-First Approach

Pangolin provides secure, application-specific ingress and routing without the limitations of traditional VPNs:

### Zero-Trust Access Control

<CardGroup cols={2}>
<Card title="Application-Specific" icon="window-maximize">
  Users access only the applications they're authorized to use.
</Card>

<Card title="Browser-Based" icon="globe">
  No client software installation required - works with any web browser.
</Card>

<Card title="Granular Permissions" icon="shield-check">
  Role-based access control, path-based rules, and contextual policies.
</Card>

<Card title="Multi-Factor Authentication" icon="key">
  Support for SSO, OIDC, 2FA, and passkeys.
</Card>
</CardGroup>

### Simplified Ingess Infrastructure

<CardGroup cols={2}>
<Card title="No Public IPs" icon="network-wired">
  Edge networks don't need public IP addresses.
</Card>

<Card title="Highly Available Mesh" icon="circle-nodes" href="/manage/remote-node/ha">
Multiple nodes ensure high availability.
</Card>
</CardGroup>

## Key Differences

| Feature | Traditional VPN | Pangolin |
|---------|----------------|----------|
| **Access Scope** | Full network access | Application-specific access |
| **Client Software** | Required | Not needed (browser-based) |
| **Network Requirements** | Public IP, open ports | No public IP needed |
| **Access Control** | Network-level | Zero-trust, granular |
| **Authentication** | Basic credentials | Multi-factor, SSO, OIDC |
| **Infrastructure** | Single server | Distributed nodes |
| **Security Model** | Network-based trust | Identity-based trust |

<Card title="Try Pangolin Cloud" icon="rocket" href="https://app.pangolin.net/auth/signup">
   Get application-specific access with zero-trust security and no client software required.
</Card>

# Pangolin vs. Mesh VPN (e.g., Tailscale, Netbird)

Pangolin and mesh VPNs like Tailscale or Netbird both provide secure remote access, but they differ in their approach and functionality. Mesh VPNs focus on creating peer-to-peer connections between devices for full network access, while Pangolin is designed to expose specific applications or services securely through nodes, with no need for client-side software on user devices.

Pangolin is a better choice for application-specific access with zero-trust security and no client-side software requirements. Mesh VPNs like Tailscale or Netbird are more suitable for full network access and peer-to-peer connectivity. For environments prioritizing granular access control and simplicity, Pangolin offers a more focused and secure solution.