v1.0 ZTNA without the client. Lives in your browser.

Invisibility for hackers,
instant access for your team.

A high-performance Zero-Trust gateway for admin panels and internal services. Replace bulky VPN with a lightweight browser extension — no client, no MITM, no friction.

No credit card required 14 30-day full-feature trial Self-hosted available
How it works

From browser to destination. Zero agents, zero config.

The extension selectively routes only protected domains through the L7 AG Node, where all checks run — then connects.

1

Admin locks down the panel

Access is restricted to the gateway IP via whitelist

2

Creates configuration

Sets domains, gateway server, and TTL in the L7 dashboard

3

Retrieves a token

A 5-character code to share with the team

4

Team gets access

They install the extension, enter the token — done!

User Browser L7 Admin Guard Website WAN LAN site.com/admFreelance access mon.site.ioInternal tool site.comMigration testing youtube.comDirect streaming L7 AG Extension › Network Console Resolving... Connecting... TLS Handshake... 200 OK L7 AG Node site.comIP via DNS mon.site.io127.0.0.1:3000 site.com55.66.77.88 youtube.comDIRECT L7 AG Node (DE) L7 AG Node (US) DIRECT SNI Pre-auth Basic Auth TTL Valid Traffic Limit Domain Allowed IP/Port override DNS Resolve CONNECT
Top use cases

Four scenarios. Four boring problems, solved.

The live demo isn't a simulation. Install the actual extension, enter a demo token, and run through the scenario step by step.

TTL: 2h Auto-revoked
Case 01 — JIT Access

Secure freelance access that expires on its own.

“Set TTL = 2h. Hand over the token. The access evaporates — you can't forget to revoke it.”
  • Access from 1 minute to any duration, or permanent
  • Access to allowed domains with optional traffic limits
  • Server connections logged, automatic revocation
Read the full case
Old → New No /etc/hosts
Case 02 — /etc/hosts killer

Migration testing without touching system files.

“Switch ‘Old server / New server’ in the extension. QA and clients never edit /etc/hosts again.”
  • On-the-fly IP override: extension OFF = old server, ON = new
  • One token for QA and clients: no admin rights needed
  • Staging on the live domain: no separate subdomains required
Read the full case
DE / US / Direct Per-domain routing
Case 03 — Multi-Geo agency

Three regions in one window. Without the lag.

“German admin in tab one, US admin in tab two, YouTube direct in tab three. All at full speed.”
  • Domain-level split tunneling (SNI) — not whole-OS VPN
  • Pick a different gateway for different resources
  • Direct traffic stays direct — no overhead
Read the full case
404 → 200 SNI routed
Case 04 — Stealth Mode

Your services don't exist for scanners.

“Without the extension — 404. With it — the admin panel. SNI routing makes the host plain invisible.”
  • TLS-SNI routing: no exposed hostnames
  • No client certs, no public DNS records needed
  • Drops Shodan / mass scans cold
Read the full case
Inside the box

Built like infrastructure. Feels like a browser tab.

A Go-engine on the edge, an SNI-aware router, a smart DNS resolver. No agents, no kernel hooks, no man-in-the-middle.

Extension
38 KB

Minimalistic & Open Source

No minification or obfuscation. Available in official stores.

MITM
0

Bytes of payload we can read

TLS terminates at your origin. We route by SNI only — your data is opaque to us by design.

Smart DNS
1.4×

Faster than your provider's resolver

Anycast resolver with internal-name awareness. Solves split-horizon DNS without a forwarder.

Comparison

Why teams move off VPN.

Honest comparison vs. OpenVPN, WireGuard, Cloudflare Tunnel, Tailscale.

Capability L7 Admin Guard OpenVPN / WireGuard Cloudflare / Tailscale
Client install on every PC
No
Browser extension only
Yes
Full client + driver
Yes
System agent
Speed impact
Yes
Minimal · Smart DNS
No
Encapsulation overhead
Yes
Low, but routed
MITM-free by design
Yes
SNI routing only
Yes
End-to-end tunnel
No
TLS terminates at edge
Per-domain split tunneling
Yes
Domain-level SNI routing
No
Whole-OS only
No
Whole-OS only
JIT TTL access tokens
Yes
From 1 min (presets: 15m, 2h...)
No
Manual cert rotation
No
Manual posture
1-click self-hosted data plane
Yes
Auto-deploy via API
Partial
Self-hosted
No
SaaS only
See full comparison
FAQ

Frequently Asked Questions

Everything you want to know — short and honest.

How does L7 Admin Guard work in practice?

Onboarding takes less than a minute and consists of three simple steps:

  • Create a token. The admin generates a token in the dashboard, specifying allowed domains and the session time-to-live (TTL).
  • Share it. The token is sent to the contractor — e.g. dropped in a work chat.
  • Connect. The contractor installs the extension, pastes the token and instantly gets access to protected resources. No heavy clients, no certificates, no route configuration.
Which browsers are supported?

The L7 Admin Guard extension is officially available in the Chrome Web Store and Firefox Add-ons. It natively supports any browser built on these engines: Microsoft Edge, Brave, Vivaldi, Opera, Arc, and other Chromium-compatible solutions.

What is L7 Admin Guard NOT suitable for?

The service is not intended for bypassing regional blocks, spoofing your location, or acting as a general-purpose VPN/proxy for everyday browsing. L7 Admin Guard is built for targeted, secure access to specific resources — whether a complex corporate infrastructure or your personal WordPress admin panel.

Technically, only the domains explicitly configured in the system can be accessed through the gateway. Using wildcards like *.* to route all traffic and access the open internet is not possible.

Do freelancers or clients need to create an account to get access?

No registration, no email required. You simply generate an access token in your dashboard and share it with the contractor. They install the Chrome/Firefox extension, enter the token and start working immediately. Once the TTL you set expires, access automatically burns.

Can I deploy the gateway on my own infrastructure (Self-Hosted)?

Yes. The L7 Engine ships as a single static binary (Single Binary) with no external dependencies. You can deploy it on any Linux server — including ARM architectures like AWS Graviton or Raspberry Pi — with a single command. Configuration is managed via our API with no manual config file editing on the server.

What happens if I change access or revoke a token while a user is active?

Changes take effect instantly without restarting the gateway. When a token is revoked (Kill-Switch), all active sessions for that user are terminated immediately.

Will internet speed drop like it does with a VPN?

No. We use Application-Layer Split Tunneling at the domain level. Only traffic to your admin panel goes through the secure gateway. Your calls, YouTube and messengers continue to work directly through your ISP. In addition, our In-Memory DNS resolver often speeds up protected sites through aggressive caching.

Can you see our passwords, cookies or internal traffic?

No. L7 Admin Guard uses SNI routing without decrypting SSL/TLS (No TLS Termination). We act only as a transport gateway and are physically unable to perform a MITM attack or read your traffic.

How does L7 Admin Guard protect against vulnerability scanners and bots?

Your resources become physically invisible to the external internet (Stealth Mode). Protection is implemented in two ways:

  • Target-server isolation. For existing public domains you add the L7 gateway IP to a whitelist on your web server. All direct bot requests are rejected (404 or connection reset). The attacker won't even know the protection layer exists.
  • Hidden DNS records (Dark Routing). For internal services you can skip public DNS records entirely (e.g. grafana.internal). For the outside world and scanners like Shodan these domains simply don't exist — the domain-to-IP binding is configured exclusively inside L7 Admin Guard.

Ship Zero-Trust by lunch.

Install the extension, drop a token in the chat, and watch your admin panel go invisible.