geoctl18h
Show HN: Octelium – FOSS Alternative to Teleport, Cloudflare, Tailscale, Ngrokgithub.com

I have been working on Octelium for quite a few years now but it was open sourced only by late May 2025. Octelium, as described more in detail in the repo's README, is simply an open source, self-hosted, unified platform for zero trust resource access that is primarily meant to be a modern alternative to corporate VPNs and remote access tools. It can operate as a remote access/corporate VPN (i.e. alternative to Twingate, Tailscale, OpenVPN Access Server, etc...), a ZTNA/BeyondCorp platform (i.e. alterntive to Cloudflare Access, Teleport, Google BeyondCorp, etc...), and it can also operate as an API/AI gateway, an infrastructure for MCP and A2A architectures and meshes, an ngrok alternative, a homelab infrastructure or even as a more advanced Kubernetes ingress. It's basically designed to operate like a unified Kubernetes-like scalable architecture for zero trust secure/remote access that's suitable for different human-to-workload and workload-to-workload environments. You can read more in detail the full set of main features and links about how it works in the repo's README or directly in the docs https://octelium.com/docs

121 comments
  • ar-nelson15h

    For everyone who's having a hard time parsing what Octelium does, I found this page to be the clearest explanation: https://octelium.com/docs/octelium/latest/overview/how-octel...

    It's clearer because, instead of starting with a massive list of everything you could do with Octelium (which is indeed confusing), it starts by explaining the core primitives Octelium is built on, and builds up from there.

    And it actually looks pretty cool and useful! From what I can tell, the core funtionality is:

    - A VPN-like gateway that understands higher-level protocols, like HTTP or PostgreSQL, and can make fine-grained security decisions using the content of those protocols

    - A cluster configuration layer on top of Kubernetes

    And these two things combine to make, basically, a personal cloud. So, like any of the big cloud platforms, it does a million things and it's hard to figure out which ones you need at first. But it seems like the kind of system that could be used for a homelab, a small company that wants to keep cloud costs down, or a custom PaaS selling cloud functionality. Neat!

    • ttul13h

      TailScale is wonderful but they do need competition. I imagine an IPO is on the horizon, and as soon as they enter that phase, nasty price increases are sure to follow unless someone else is nipping hard at their heels.

      • braginini54m

        There is https://netbird.io

      • seabrookmx13h

        Hopefully their tolerance to self-hosters (Headscale) doesn't change.

        • wiesbadener7h

          They seem to be fine with it: "You could alternatively host your own trusted control server with Headscale."[1]

          [1] https://tailscale.com/blog/tailnet-lock-ga#self-hosting

        • wkat424211h

          The problem is, commercial services will always enshittify. It's inevitable. Even when they conquer the whole market (see Netflix) they will want to see a rising line in profits so then they will turn the thumbscrews on the customers.

          • candrewlee8h

            It’s especially when they conquer the whole market. It’s why investors favor growth and adoption, even at a loss, until it’s won the market and can turn up the monetization dial.

            • wkat42428h

              Well, they do it anyway.

              All the streaming services are enshittifying, even the smaller ones. And other smaller webshops are enshittifying the same way that Amazon does. Like Cory Doctorow described, there's a few big webshops in the Netherlands like bol.com and coolblue.com and they are now also allowing third party sellers, often even from China. The webshops are absolved of all responsibility but they do cash out on every transaction.

          • sakesun5h

            The term 'enshittification' sounds negative for what an organization needs to do to take care of employees.

            • loloquwowndueo4h

              Sorry no. A stable organization with a good profit margin is enough to take care of employees and pay their salaries. Boundless growth which is what enshittification is associated with, is driven by money-hungry stakeholders and “investors” that demand an ever growing return on investment - they don’t settle for speed, they need constant acceleration.

              • jacobn3h

                Isn’t it more of an “all of the above”?

                A lot of employees at successful startups & FAANG make most of their money from the stock, no? And they need to buy houses and send their kids to fancy schools too, no? So sure, we can reduce it to stock holders, but I’d bet dollars to donuts the 90% of employees who aren’t posting on hn are at least passively ok with “improving metrics”, and some ambitious ones are driving the enshittification initiatives hard.

      • dangoodmanUT7h

        See Nebula by slack

      • wkat424211h

        But there are so so many competing products already?

        Not all are commercial (but why would you want that anyway). But ZeroTier is another one like that. Basically the same thing.

      • PoachedEggs11h

        I’ve been meaning to explore Netbird. Fewer features at the moment, but can be fully self hosted.

      • cchance8h

        I mean the fact headscale exists and is still in decent development, means i doubt it really is an issue, what i'd like to see is an effort for an opensource tailscale client so we could use headscale without the closed source client.

    • toomuchtodo8h

      Programmable network tunnel fabric.

  • therealpygon15h

    Just some feedback to share some problems I personally think you’re going to have and why I suspect you’ll face a healthy amount of skepticism. There is a lack of history of development that ends with a major initial commit of unknown origin, a lack of any public information, a company that does not appear (publicly) to exist, and a product that is going to solve every need that can be imagined by packing it with buzzwords and little to no evidence of security. When faced with those things, my next step would be to consider how much is original versus built on underlying technologies I know and trust; information that is lacking.

    If you’re launching a business, I would suggest making sure the business looks legitimate; if it’s a pet project, trying to make yourself sound like a big business and then not having the footprint gives off “fake”/scam/caution vibes. If you’re a solo dev, drop all the fake business stuff and get rid of the buzz words and “it can do everything” marketing and focus on what it excels at as an open source project.

    People are going to be skeptical (rightfully) that a solo dev/no name company is going to suddenly drop a product that rivals those of massive companies. Either massive shortcuts were taken, or there is a high chance that it will be insecure, which is not something you want from a VPN or any of the other things it claims to do. If you’ve built on existing secure technologies, you should emphasizing them because known names that have a security history are going to build a lot more trust than a no-name product.

    If a software is hard to explain the purpose of to an average person in a single sentence, you have an uphill battle. Listing more features isn’t usually going to be the answer, regardless of how accurate you’re attempting to be. “It’s a VPN! and a PaaS! and a ZTNA! And an API Gateway! and AI!” It screams “please download me” rather than “I’m here to solve a problem“, which is why I wouldn’t even bother to try it; the opposite of what any project is going for.

    My intention isn’t to just be critical, but rather to point out things that are likely harming your efforts.

    • geoctl15h

      Thank you for your insightful feedback. I completely understand the criticism because Octelium is conciously designed to be many things at the same time. As mentioned in the other replies, Octelium is a unified/generic zero trust access platform that can fit in many human-to-workload and workload-to-workload use cases (the docs contain various examples in detail) that's why it might be confusing for newcomers. The initial commit came out of nowhere because I've been working on this project since early 2020 actually and decided to start with a clean public repo when I publicly released the code a month ago, after nearly 9000 manual commits over the past 5 years. I simply could not verify that I could have potentially leaked private info esepcially in early commits and the project itself almost entirely changed over the past 5 years from a simple remote access WireGuard VPN to what it is today in terms of architecture, features and complexity.

      • cyanydeez14h

        I think the primary concern was you look like a State actor using a AI to generate a project you hope private companies will use and your intentions don't appear clear, and the verbose replies & github suggest a lot of effort into a facade without anything else.

        One might posit that you're repackaging a fOSS project from somewhere with no clear ethos.

        • geoctl13h

          I have been developing the project solo on a private GitHub repo since 2020. I am not VC-backed or whatever else, Octelium has been a solo effort so far basically. The project itself is now 100% open source as you can see. However, even if I open sourced the initial private repo, what would make you believe that I am who I really am? maybe even all those git commits from 2020 weren't really from 2020 and their timestamps have been spoofed to make you believe so. If 100% of the codebase of the project being open source is still not enough, I guess nothing can be enough.

          • illiac78641m

            Don’t let these comments get to you.

            If they don’t trust you, it’s their right, but then they should just not use the software, instead of writing this type of caustic comments. Poor form in my view.

            Keep up, it looks amazing!!

            • geoctl17m

              If anything I am actually thankful to HN for the opportunity letting me show my work here. Negative comments are not really that big of an issue for me. I just wish they were generally clearer and more specific so that I can easily fix whatever needs to be fixed. Most of the complaints were simply related to the README while I was expecting and honestly hoping for critique for the architecture and internals of Octelium itself.

          • sieabahlpark11h

            [dead]

    • csomar13h

      Give open source devs a break. We don't know the OP background or his motivations. He might have been working on this for fun. He doesn't need to justify any of this. This is open source and Free software. Take it as it is.

      > If a software is hard to explain the purpose of to an average person in a single sentence, you have an uphill battle.

      It does. If you use tailscale/cloudflare access and ngrok, the product is pretty well described. If you don't, then probably you don't need this product.

      • noname1207h

        I use those but I still don't understand what Octelium does or doesn't

    • canada_dry2h

      > solo dev/no name company is going to suddenly drop a product

      A developer/company with an opaque background that you're to trust to give access to backend systems using passwordless embedded SSH (no keys needed!).

      That's a big NOPE.

      (Also, even the answers OP has provided really give an AI bot vibe)

      • geoctl2h

        Octelium's author here. You don't give me access to anything. The project is 100% open source and designed specifically for self-hosting. I don't even know whether you're using the project or not since there isn't usage telemetry to begin with. As for the SSH part of your weird comment, I wonder whether you even understand what embedded passwordless SSH means in the first place.

  • mzhaase15h

    I have an immediate complete distrust to anything that throws around so many buzzwords. This is the github page and I still don't understand what it even does, specifically.

    • geoctl15h

      I'd appreciate if you could provide me a list of those buzzwords so that I can improve the readme.

      • et13371h

        You’re getting a lot of negative feedback but I think it’s mostly just people who don’t speak (or actively hate) enterprise jargon. Hacker News is not super enterprisey. Just don’t respond. I work for a company called StrongDM and we basically do exactly what Octelium does. I was able to determine that pretty quickly from your website which is not common. Enterprise security is just inherently a buzzwordy, vague cloud of companies all competing to own the magic quadrant.

        That said, you are also including some buzzwords on your homepage that appeal to Hacker News folks, like “self-hosted”. That will get a blank stare from enterprise folks.

        So I think you should pick one audience or the other. Tailscale took the strategy of appealing to Hacker News types and then shifting up market from there. My company appeals directly to the biggest enterprises we can find and the difference is stark.

        I think you’ll get less negative feedback if you choose one of these target audiences and focus on them exclusively.

        edit: by the way, Octelium looks awesome, well done!

        • geoctl1h

          Thank you really for your kind comment. I am not really against negative comments because they might actually lead to improvements. And btw I am personally a fan of what StrongDM has been doing lately especially when it comes with ABAC and Cedar. This is what I've been trying to achieve in Octelium with CEL and OPA.

      • drexlspivey15h

        “A next-gen FOSS self-hosted unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA/BeyondCorp architecture, API/AI gateway, a PaaS, an infrastructure for MCP & A2A architectures or even as an ngrok-alternative and a homelab infrastructure.”

        Literally every single word of it

        • geoctl15h

          I admit that the "next-gen" word might sound cheesy. As I said in the other reply, the more correct definition for Octelium is: a unified zero trust secure access platform. However, as I said this is a term that nobody would relate to. It's a ZTNA/BeyondCorp platform but not in the rigid sense. It's also a WireGuard/QUIC-based remote access VPN but it operates at layer-7 to provide L7 aware access control, secretless access, dynamic configuration and routing as well as OpenTelemtry-native visibility and auditing via identity-aware proxies and policy-decision-points instead of just controlling access at layer-3. As I said, it's designed to be more like a generic Kubernetes-like architecture for secure remote access that can be used for many different use cases.

          • sureglymop15h

            I think the issue here is that while these terms may be very familiar to you (and to me personally also), they are not at all familiar to most people who will encounter your project.

            Thus, those people coming across your project may quickly overlook it instead of giving it a chance which is disappointing.

            By contrast, here is Tailscales tagline: "Fast, seamless device connectivity — no hardware, no firewall rules, no wasted time."

            That kind of tells even a non-technical user what it is for even if it dumbs down all it can do. That user then doesn't need to know any technical jargon or how it works under the hood or even what wireguard is at all. The tagline is what prompts them to install and try it out and from there the UX is the deciding factor in whether they keep using it or not.

            • geoctl14h

              Thank you. I completely understand your point. But as mentioned in the other replies. Octelium is designed to be much more than just a VPN. It is not even tied to provide remote access to "devices" or resources behind NAT. It's zero trust architecture that's equally designed to provide access to internal resources and publicly protected resources such as SaaS APIs, databases, Kubernetes APIservers, SSH, etc... It provides both client-based (i.e. VPN-like) access as well as clientless access for both humans and workloads. For example, Humans can just use their browsers to access internal resources behind NAT like a typical protected SaaS resource. Workloads written in any programming language can access protected HTTP/gRPC APIs, Kubernetes, etc... via standard OAuth2 and bearer authentication without using any clients or special SDKs even such protected resources are protected by different API keys/access tokens.

              • sureglymop14h

                But that's what I'm getting at. Even if it is much more, is all of that immediately relevant to a curious/potential new user?

                I understand it may not be easy to narrow down the explanation, especially if you invested a lot of time and don't want to do a disservice to yourself by underselling it. Looking at the Tailscale tagline I quoted, it is small and ambiguous enough that it works marketing wise, regardless of all the features and solutions they offer. But it was just an example, I should maybe have used a totally different example of a product that is not in the same realm as yours.

                The explanation you gave to me here is good but only because I vaguely know what all this jargon means. Try to think of a short simple sentence that a non-expert could understand.

                • geoctl14h

                  I am sorry that you find whatever I say as nothing but "jargon". I assume that those interested in Octelium are already interested in zero trust architectures as defined by NIST, simply products such as Cloudlfare Access, Teleport, StrongDM, Google BeyondCorp, Zscaler ZTNA, etc... I will do my best to simplify the README soon.

                  • subscribed3h

                    I am the potential target audience and I assure you it's understandable and clear.

                    I share some (very little) from some of the criticism regarding the clarity, but I disagree you need a tagine like Tailscale while your solution does several times more things.

                    Great product, im chewing through the docs already :)

                    • geoctl2h

                      Thank you. You're welcome to ask any questions regarding the internals of Octelium via the emails or Slack/Discord channels. You can find all the contact links in the repo's README or on the website.

                  • mdavid62610h

                    I’ve read “zero trust” more times today, than ever before in my life. Still don’t know what this project does.

                  • swells347h

                    I wouldn't take this line of thinking too much to heart. At some point, a piece of technology is too complex for a person to parse what it means without sufficient background in this space. The "buzzwords" simply aren't buzzwords; you are using real words that accurately describe the project. People look at them, and either don't have sufficient knowledge to parse them in context, or are used to seeing them co-opted for use in low-effort marketing. I have some experience in this space (not a whole lot), and I was able to understand.

                    I like where you are going with the graphics in the readme; I'd spend some effort on creating "intended usecase" scenarios, scenarios that highlight situations where the project is the perfect fit. Using a few of these to highlight very different applications give people a good mental map of where this project would fit well for them.

                    "John is looking for a way to provide access to an internal tool to work-from-home colleagues. This isn't simple to do because [...]. Octelium is a good fit because [...]. Here is how John would set it up: [...]"

          • therealpygon15h

            What you took away from that was that “next-gen” was the problem?

            Buzzwords can still be technically accurate and you seem to be ignoring that when it keeps being confronted. “But it is” doesn’t matter when it comes to “but it sounds like”.

            Let me give you an example; if I was walk into a store, do you think I want to talk to the person who talks about the “bidirectional optoelectromechanical document transcription and reproduction apparatus implementing discrete photonic acquisition and microdeposition techniques for bidimensional substrate encoding”, or do I want to talk to the person who will sell me a “photocopier”?

          • maxmcd15h

            I think "no buzzwords" would be further in the direction of:

            "This software let's you set up peer to peer networking between your devices, expose them to the internet, run applications on them, view useful runtime information, and integrate easily with cloud providers and infrastructure you're familiar with."

            • geoctl14h

              Thank you. Octelium, however, does not operate as p2p and does not directly connect devices since that by itself contradicts the whole point of zero trust. It provides remote access to resources, or even sub-resources via L7 access control (e.g. allow access to some HTTP paths to some users based on identity/context/request content, etc...), not completely to "devices" or to complete subnets.

              • dudeinjapan12h

                How about: “Octelium is a secure, policy-based access gateway to your HTTP services, with both VPN tunnel-based and OAuth/zero-trust modes available. (And it can do a lot more!)”

                • geoctl12h

                  Thank you. I think your description is great but I, as a user myself, might see it as an identity-aware proxy (i.e. something like Pomerium and Ory Oathkeeper IaPs which are great projects) as opposed to a complete Kubernetes-tier platform that does the entire process of remote access, access control, visibility and auditing, user and identtiy management, centralized policy management, etc... from a data-plane and control-plane perspective for an arbitrary number of resources that need to be protected.

                  • bdesimone10h

                    Quick note since it was mentioned. Pomerium does support Kubernetes at pretty much every level you mentioned (although I'm not entirely sure what a "a complete Kubernetes-tier platform" means) including:

                    - "remote access" : https://www.pomerium.com/docs/capabilities/kubernetes-access

                    - "access control" https://www.pomerium.com/docs/capabilities/authorization

                    - "visibility and auditing" : https://www.pomerium.com/docs/capabilities/audit-logs

                    - "user and identtiy management" https://www.pomerium.com/docs/capabilities/authentication to which I'd add device identity as well.

                    - "centralized policy management": https://www.pomerium.com/docs/capabilities/authorization & https://www.pomerium.com/docs/internals/ppl

                    - deployments using Ingress Controller or GatewayAPI https://www.pomerium.com/docs/deploy/k8s/ingress, https://www.pomerium.com/docs/deploy/k8s/gateway-api

                    - "for an arbitrary number of resources" not sure what to link to but there's no limit here

                    Congrats on the release. I saw your thread on MCP and completely agree with the approach. Happy to trade notes :)

                    • geoctl9h

                      I apologize if my reply was seen as critical in any way. I only wanted to make a difference between Octelium as a complete platform compared to Pomerium (I meant the open source project not the entire Enterprise offering which is obviously a complete BeyondCorp solution) and Ory Oathkeeper as identity-aware proxies. A more technical description for Octelium is that it is for IaPs similar to what Kubernetes is for containers. It simply provides a complete control plane to manage and deploy IaPs on top of Kubernetes itself. In fact, I am a fan of Pomerium and their work (I still remember your great work related to Golang's Webauthn and its attestation-related stuff ~3 years ago) if you're part of the team. Funnily enough, Octelium started as a sidecar ext_authz svc for Envoy instances to operate as an IaP but I ended up creating my own Golang-based IaP, Vigil, from scratch because Envoy was just nothing but pain outside HTTP-based resources.

                      • bdesimone9h

                        Genuinely, didn't take it that way at all! I don't expect you to be an expert on Pomerium.

                        > Funnily enough, Octelium started as a sidecar ext_authz svc for Envoy instances to operate as an IaP but I ended up creating my own Golang-based IaP, Vigil, from scratch because Envoy was just nothing but pain outside HTTP-based resources.

                        That's really funny... we went the opposite direction as the original versions were based on a custom Go proxy. Of course there are tradeoffs either way. Envoy is blazing fast, and does great with HTTP naturally, but has a giant configuration surface area (both pro and con), but we are now having to write some pretty low level filters /protocol capabilities in envoy for the other protocols we support (SSH, MCP, and so on) in C++ which does not spark joy. So I totally feel what you are saying.

                        Thanks for the kind words, though I am one of the contributors my colleague did the heavy lifting on the WebAuthN side.

                        Genuinely happy to see the release and where you are headed on the AI/MCP side. If you (or others) are interested, I am trying to bring more light to this model in the spec if you (or others) would like to weigh in: https://github.com/modelcontextprotocol/modelcontextprotocol...

                        • geoctl9h

                          Thank you. Honestly if I had the right to give you my opinion, I'd just advise you to go back to full custom Go-based proxies regardless of how overwhelming that might sound. Octelium itself still does use Envoy as an ingress for the BeyondCorp mode to route to the intended Service based on the FQDN, however, Envoy as great as it is for ingress and HTTP-based service mesh purposes especially when it comes to memory/CPU usage under huge load conditions, it really shows weakness when it comes to building generic multi L7-protocol aware (e.g. HTTP, SSH, Postgres, MySQL, RDP, etc...) IaPs where you need to understand L7 for each of these protocols to provide access control, modifications to the protocol specific messages and providing L7 aware visibility. The amount of work you need to do in ext_proc, ext_authz, proxy-wasm, etc... is just ridiculous and error prone due to the extra round trips yet it is equivalent to what you could have done if you owned the entire data plane yourself.

                  • dudeinjapan11h

                    Much of this writing is about finding the right level of detail to communicate the core ideas.

                    “Octelium is a full-featured access control platform, which provides API gateways and/or VPN tunnels to your HTTP services, paired with an intuitive user, policy, and auditing backplane and policy-as-code.”

                    Something like the above would be much more enticing to potential users including myself. I can get a rough idea of what I can actually use it for and how it can be integrated into my existing stack—and if there are more features I’ll be pleasantly surprised when I read the docs!

                    • geoctl11h

                      I completely agree with you. And tbqh since almost everybody in the thread is complaining about the README then I must be really doing something wrong explaining Octelium and what it does. I will certainly put more effort to make the README and especially the main description section more useful and easier to understand without transforming it into more of a marketing pitch. As I mentioned in other replies, it's actually really hard to concisely describe fairly complex projects (e.g. Kubernetes, Istio, etc...), especially to newcomers. But I will definitely do my best to improve the docs and README. Thank you really for your insightful comments.

                      • dudeinjapan10h

                        One more pointer would be to be very explicit on the homepage about the problems the product solves.

                        For example, many organizations use a mix of gated HTTP over public internet AND VPN, each one will have its own vendor auth product(s), user whitelisting, it's difficult to control or regularly audit. Octelium centralizes this management and gives admins the flexibility to control how services are exposed and to whom, presumably via simple policy change git commits. SOC2, etc. then becomes a breeze to export the state of the world, onboard/offboard employees, etc.

                        Defining the product in terms of use cases/problems/solutions rather that competing alternatives (Tailscale, Okta, ORY Hydra, etc.) will go a long way to increase clarity.

                        • geoctl7h

                          Thank you, I will definitely add more kind of less-technical information on the homepage to make it easier to understand for business people. As for comparisons, I have been actually reluctant to do it because I don't think I can ever do a truly neutral comparison myself and I believe it should come from neutral parties such as blogs as well as users trying to discover the best solution that works for their own use case. But since I have been asked multiple times already I will probably add some comparisons soon.

                          • noname1206h

                            I'm not entirely sure if you realize that people here are highly technical yet don't get the point.

                            The problem isn't that you need to “make it easier to understand for business people” (which many here would take as an offense), the problem is that you're name dropping technologies and concepts without articulating exactly what problem your product solves, and what your exact value proposition is.

                            Something that does everything usually does nothing well, or at least doesn't provide a coherent dev experience with a sane mental model.

                            • geoctl5h

                              Believe me I am the one who's actually still struggling to find where the jargon/buzzwords/naming dropping exactly is in my own README. Is it terms such as ZTNA/BeyondCorp, MCP, A2A, AI/API gateway? Is it secretless access, zero trust? I will do my best to simplify the README and docs. It's not like I am happy that even technical people are struggling to quickly understand the README. I admit that there must be something wrong with the README/docs and I am going to improve it. All those people hinting the same thing cannot just be wrong.

        • pelagicAustral14h

          "...to make the world a better place." was missing from this paragraph.

        • mystraline13h

          It is zero-trust.

          I don't trust this.

  • wkat424211h

    There are so so many of these already...

    - Tinc (the OG of P2P VPN)

    - Hamachi (not open though)

    - ZeroTier

    - Nebula (from Slack)

    - Tailscale

    - Netbird

    I wonder why people keep building more. I know each has its own quirks and things they're better at, but the difference is really quite minimal.

    One of the things I really would like is zero-trust 'lighthouses'. With current Zerotier and Tailscale, you really have to trust them because they can add nodes on your account whenever they want. I don't want that, I want fully self-hosted and for the lighthouses to just coordinate but not to be part of the network. I have to do some research to see what would be best.

    • metmac9h

      Reading through the docs. I feel like a lot of people are missing the value here. This could be a diamond in the rough if it actually delivers on its docs.

      What enterprises want is to move away from perimeter based security models towards the promise that Google überProxy/BeyondCorp popularized many years ago. Which has been lost in the buzzword soup. It’s very simple.

      1. A clean separation between Prod, Corp, and the public internet. And the UX to hop between them as an employee is as transparent as possible. (Often times network segmentation comes with additional painful friction for engineerings.)

      2. One pipe to observe, and clearly attenuate permissions as traffic/messages flows between these boundaries.

      3. Strong proofing of identity for every client, as an inherit requirement.

      The problem is everyone outside Google has incredibly diverse protocol ecosystems. It makes those three promises incredibly difficult to deliver on as a vendor. (I’ve evaluated many)

      To build a proxy that is protocol aware, only solves half the problem. It gets you some coarse grain decision making and a good logging story.

      To build a proxy that is also able to perform type-inference at the request layer, allows for a much richer authZ story. One where businesses can build an authorization layer at the proxy better than their in-house apps could even do natively. (As it turns out, having all the predicates of the request available to a policy engine is super useful).

      The docs are a little verbose, the marketing maybe isn’t amazing. But this is inherently a complex problem. No one has fully solved.

      Teleport was first to the market to OSS and commercialize a lot of these ideas. StrongDM also is doing really interesting work in this space. I wish Hashicorp had invested more in this space.

      Disclaimer: my opinions are my own.

      • wkat42425h

        I work for an enterprise and they don't want this. They still rely on traditional centralised VPNs. How they deal with this is enforcing then everywhere, even in the office. Though there they usually are only on in name.

        I think the reason is that they want to inspect the traffic in central locations, if each endpoint is doing its own you need to log there which means you can't always access it immediately.

        I do use Mesh VPNs privately and love them. I love the way I have this overlay, a personal network that works everywhere. My devices all keep the same address no matter where they are.

        • metmac4h

          Depends on the industry. But many large enterprises in the Fortune 500 are actively trying to move away from your traditional VPN. (F5, Pulse, Cisco, etc).

          Even with VPNs the question should be, what are we gating behind that VPN anyway. Does it actually give us the granularity of controls we want or is this all security theater. (Also what about hybrid infra, between the datacenter and cloud)

          FWIW, my ideal architecture is Wireguard into Corp. (Ala CloudFlare Warp, Tailscale, etc) Corp doesn’t hold a ton of sensitive assets. Or put another way, it’s a lower trust tier.

          And then using something like Teleport, Octelium, etc to reach production assets.

          Admittedly no vendor product I’ve come across yet has bridged this gap nicely. The überProxy tend to focus on the application protocols they support. While the wireguard clients cares more about session control of the tunnel.

      • geoctl8h

        Thank you really for your comment. I was actually hoping myself to get more questions that are related to the internals and architecture of Octelium, especially from those who are familiar with commercial ZTAs such as Cloudflare Access, Teleport, StrongDM, Google BeyondCorp, Pomerium and many other ZTNA/BeyondCorp based solutions.

        • metmac4h

          Will DM after I’ve had a chance to dig.

          • geoctl4h

            Happy to answer any questions regarding Octelium internals/architecture or regarding the project overall whenever you need to. You can find the project's Slack/Discord channels and contact emails in the repo's README or on the website.

    • geoctl10h

      With all respect, regardless of the fact that Octelium can replace the products you just mentioned, its context of interest is much larger and focused towards zero trust rather than just merely a yet another VPN/a remote access tool to access internal resources. I'd really appreciate it if you could read the docs first so that you can understand the features and architecture of Octelium and what it is meant to be. Every product claims to be "zero trust" these days, even VPNs and simple tunneling applications, however, actual zero trust architectures as defined by NIST (i.e. architectures built upon L7-aware identity-aware proxies, policy-decision-points, L7-aware and context-aware per-request access control via policy-as-code and ABAC, centralized identity and policy management, integrating context information from external tools such as SIEM, SSO and threat intelligence tools into per-request access control decisions, etc...) and there are many commercial products that are "true" ZTAs (e.g. Cloudflare Access, Teleport, Google BeyondCorp, StrongDM, Zscaler, etc...). The term is being however abused by the companies, some of which are extremely well funded, to distort reality and the fact that their products were not even built for zero trust. What these fake "zero trust" vendors are trying to achieve is something like: "either we all are zero trust, or zero trust doesn't really exist or mean anything at all and it's merely a buzzword, it's your choice".

    • jvink9h

      Look into sanctum [1] it's cathedral mode. You can self-host those entirely and they're only discovery nodes. Once the tunnel is up the cathedral isn't involved unless for black key distribution or if your peers are behind restrictive NAT.

      There's reliquary [2] which I host and run for me and my hacker friends based on sanctum.

      [1] https://github.com/jorisvink/sanctum

      [2] https://reliquary.se

    • apitman10h

      And many more: https://github.com/anderspitman/awesome-tunneling

  • baobun6h

    Looked into Octelium recently and it looks like it depends on or at least assumes a kubernetes kluster for setup. Is this true? If so it makes it a bit of a non-starter for many - we want our nodes on the overlay network, not the other way around. It's a complex dependency for something low-level where we want mininal or no dependencies on other infrastructure or internal services. (Of course there are valid use-cases for SDN on top of the cluster and I guess that's what you're targeting initially but curious if that's also the end of it)

    Or put another way, I hope that Kubernetes integration is an option, not a prerequisite and the only supported deployment.

    In case there's already material on Octelium sans k8s that I missed, pointers would be appreciated!

    • geoctl6h

      As as I mentioned in some other reply, Octelium is built as a distributed system on that can operate on top of 1 or more nodes. While Octelium currently must work on top of Kubernetes, Octelium itself is not really that intertwined with k8s, it can actually easily be ported to other orchstrators such as Nomad for example. However, the rationale behind operating as a platform on top of k8s that uses a k8s cluster as an infrastrcuture for itself is to relieve the system administrators from all the manual work that comes with managing zero trust architectures such as manually deploying/scaling/cleaning up the identity-aware proxies. Octelium simply provides both the control plane and data plane where you can just `octeliumctl apply` and all the Octelium Services are deployed/managed/scaled up or down and eventually cleaned up without having to manually run them, open firewall ports, etc... It's very similar to what Kubernetes itself does with containers where a single `kubectl apply` deploys/scales/cleans up all the container changes without having to manually deal with every container in every single node like you would do with docker or containerd. You don't even need to know how many nodes you have or deal with CRI/networking details on every node since a single Cluster spans over all the nodes and does all the work for you whenever you want to apply a new change in the Cluster. This architecture is meant to make the Cluster seamlessly scalable by adding more nodes whenever you want and at the same time can be manageable at any scale decoratively via octeliumctl or programmatically like you would have with a normal k8s cluster. I believe you can understand more by reading how Octelium works in detail in the docs https://octelium.com/docs/octelium/latest/overview/how-octel...

      It's also noteworthy to understand that managing an Octelium Cluster doesn't really require any understanding of Kubernetes or how it works, unless for very specific tasks, such as scaling up/down the k8s cluster itself and setting the Cluster TLS cert fed via a specific k8s cert. Apart from that, you're just dealing with Octelium.

  • rollcat15h

    I understand adding the "AI" keyword is just SEO, like adding "Reddit" to article headlines... It still leaves a bad taste, even if the main course is excellent.

    Even the diagrams for API vs AI gateways are almost identical.

    <https://tailscale.com/blog/ai-normal>

  • cedws15h

    Definitely interested in an open source alternative to Tailscale.

    The README is way too verbose though. It should explain the project at a glance and have links to docs for the details.

    • homarp14h

      headscale is an open source alternative to tailscale:

      https://github.com/juanfont/headscale

      • uneekname12h

        Headscale is great (I use it) but it is an alternative to the Tailscale control server, not the client applications. Some of those are closed source, and their compatibility with Headscale is not guaranteed.

        • CharlesW12h

          Tailscale's client is already open source.

          https://tailscale.com/opensource: "The core client code for the Tailscale daemon used across all platforms is open source, and the full client code is open source for platforms that are also open source."

          • aspenmayer8h

            So if you are running a closed source OS, Tailscale doesn’t have an open source client? Wouldn’t closed source OS users of Tailscale benefit the most from having an open source Tailscale client available?

            • CharlesW8h

              > So if you are running a closed source OS, Tailscale doesn’t have an open source client?

              As the content at the link makes crystal clear, the client is open source. Additionally, Tailscale's GUI for that client is open source on open source platforms.

              99.999% of users of closed source OSs aren't going to care that the GUI isn't open source. The remaining 0.001% just use the open source client without the GUI.

              • aspenmayer7h

                > 99.999% of users of closed source OSs aren't going to care that the GUI isn't open source.

                They may or may not care, but just so we’re all on the same page, there isn’t an open source version of the end user application software for closed source operating systems that I can find on that page or any other Tailscale page. If one exists, I am happy to be corrected by you, and I am giving you the opportunity to do so now.

                • CharlesW7h

                  In the spirit of inclusiveness to non-technical folks who are flummoxed by CLIs but also have a religious objection to running closed software on their closed source OS, I'd recommend that they ask a more technically-inclined friend to set up the open source Tailscale client software with Cattail if they're on Windows, or an Automation that drives the CLI if they're on macOS.

                  • aspenmayer7h

                    > This is HN, ain't nobody here afraid of a CLI.

                    Gatekeeping much?

                    > If (1) you personally need a GUI and (2) have a religious objection to running closed software on your closed source OS, ask a more technical friend to set up Cattail if you're on Windows, or an Automation that drives the CLI if you're on macOS.

                    I’m just asking if Tailscale has an open source application. Users who know what a GUI is and why it’s also important that it is open source will care that the GUI isn’t open source. The ones who don’t, won’t. Who benefits from obscurantist-posting like you are doing? Probably not the folks who don’t know that Tailscale doesn’t have an open source app, because the GUI is part and parcel to what the app even is conceptually to the sorts of users who don’t know what GUIs are.

                  • 7h
                    [deleted]
  • guigg7h

    I don't understanding why you're embedding a full k3s cluster install in your app, it would be much clearer to everybody if this was something that you could add to existing infrastructure, with simpler CRDs to expose services. The pitch for the project looks awesome (opensource Cloudflare access / Teleport), but most of the features are customizations on top of k8s anyway, I'd be more interested in testing this if it was focused on the access part.

    • geoctl6h

      Simply an Octelium Cluster is a distributed system that operates on top of k8s. It can work on top of a single-node k8s cluster/k3s which can fit in a small VM/VPS and it can also operate on top of a multi-node "production" k8s cluster. Octelium isn't just some simple abstraction over k8s, Octelium is a complete platform on its own that uses k8s as an infrastructure for itself. It uses its nodes as gateways and hosts for Octelium Services, each Service, represented by an identity-aware proxy that's deployed as a k8s service on the underlying k8s cluster, has a stable private dual-stack IP address(es) depending on the scaling and is basically acting as the endpoint of the other side of the WireGuard/QUIC tunnel. You can now see that Octelium does with identity-aware proxies similarly to what Kubernetes itself does with containers, building a control plane around a scalable data-plane to automatically manage and deploy identity-aware proxies instead of just offloading the work manually to the Cluster administrators which is, I believe the case, in many ZTAs (e.g. Teleport, Pomerium, etc...) which makes the entire system very hard to manage since there is a lot of manual work to do by the administrators of the system. With Octelium, you can simply create and delete Services declaratively via `octeliumctl apply` or directly via the gRPC APIs and forget about managing, deploying and cleaning them up yourself. Actually Octelium resources started as CRDs many years ago, but the amount of resources in the Cluster (e.g. Users, Sessions, Services, Namespaces which are not related to k8s namespaces, Policies, Devices, Credentials, etc...) made it impossible to rely on a the etcd backend, it was simply unreliable for frequently updated resources and resources with large info. So a separate Postgres backend was introduced later.

    • geoctl4h

      One more thing regarding the CRDs. Octelium resources and k8s resources look similar from a YAML perspective. However, Octelium actually use protobuf, all the resources are defined in proto3 and compiled to Go, then the Golang resources are serialized to JSON and stored as JSONB in the Postgres data store of the Cluster. I guess that's another reason you thought that Octelium resources might be CRDs but they actually are not.

  • yjftsjthsd-h16h

    The big thing to me about Tailscale is easy p2p connectivity. I think it looks like this doesn't do that and uses centralized router(s)?

    • ethan_smith2h

      Looking at the docs, Octelium uses a hub-and-spoke model with Gateways acting as central routing points, unlike Tailscale's direct peer-to-peer mesh - this architectural difference impacts performance, privacy, and deployment complexity.

      • geoctl2h

        No, Octelium does not use a hub-and-spoke model. It's a distributed system that's a horizontally salable architecture on top of Kubernetes. This design is meant to provide seamless horizontal scalability and availability, among other things.

    • geoctl15h

      Octelium is a zero trust architecture not a p2p VPN even though it can seamlessy operate as a WireGuard/QUIC-based remote access VPN among other things. Its architecture is closer to Cloudflare Access, Teleport, etc... as it provides dynamic L7-aware access control, secret-less access (i.e. injecting API keys and access tokens, database passwords, SSH private keys, mTLS private keys etc... without distributing them to Users), dynamic configuration and routing to upstreams, etc... via identity-aware proxies as opposed to just merely operating as a VPN at layer-3 as well as to providing OpenTelemetry-native visibility and auditing in real-time. True zero trust architectures such as ZTNA/BeyondCorp, apart from service meshes (e.g. Kubernetes service meshes), are problematic to be implemented as p2p VPNs to say the least. You simply need L7-aware identity-proxies to do the process of access control and visibility at the application-layer on a per-request basis.

    • gen6acd60af14h

      >easy p2p connectivity

      >centralized router(s)

      When using Tailscale, your packets may be sent through centralized routers, FYI.

      https://tailscale.com/kb/1257/connection-types

  • thealistra8h

    Is this a replacement for a huge corpo botnet like access control?

    If I am a huge corpo, don’t I want to have another huge corpo provide me the software with a support package to have some asssurance and not go with the open source option?

    Not sure if your project solves any issue of a singular dev.

    • geoctl7h

      Octelium itself is designed to be a generic secure access platform that can operate in many environments (from a simple ngrok-tier remote access tool, remote access/corporate VPN up to a full-fledged scalable ZTNA/BeyondCorp platform among many other specific use cases such as API/AI/MCP gateways) at many levels (i.e. dev, startup, enterprise). Think of Kubernetes, you can use it to host a single website running on a single container, you can use it as an API gateway for a few microservices and you can use it as a fully-featured service mesh of hundreds if not thousands of microservices running on tens if not hundreds of nodes with enterprise-level tools such as SPIFFE, Istio, etc...

  • fariszr14h

    This looks very impressive, but the Readme has way to many details, I think i got the idea but I'm not sure, and that's a problem.

  • kosolam16h

    It looks very interesting, but I’m getting lost in the pages of features and different use cases. It would have been nice to have a succinct list of features/capabilities (technical, not buzzword) and why this solution solves better than alternatives.

    • geoctl16h

      Thank you. I understand it's hard to concisely define what Octelium is because it is designed as a unified/generic secure/zero trust access platform, a term that almost nobody would relate to. It's more of a generic Kubernetes-like architecture/infrastructure for zero trust secure access that can fit many different use cases (i.e. human to workload and workload to workload environments). Well, it can be used as a typical WireGuard/QUIC-based remote access/corporate VPN. It can be used as a ZTNA/BeyondCorp platform with identity-based, L7 aware, context-aware ABAC via policy-as-code with CEL and OPA where you can control access at layer-7 (e.g. HTTP request headers, serialized JSON body content, etc...). It can also be used as an ngrok alternative (both secure access via OIDC/SAML/GitHub IdP as well as anonymously which can fit for hosting, testing APIs, etc...). It can also deploy your containerized resources and automatically provide client-based/clientless secure access to them (kinda like a PaaS) and it does provide dynamic configuration and routing to upstreams via policy-as-code (e.g. route to different API versions, use different SSH credentials, different API keys, different postgres user/password based on identity/context, etc....). It can also fit as an API/AI gateway and a scalable infrastructure for MCP architectures/meshes. Therefore, it's not really a ZTNA/VPN in the rigid sense, it's a more generic platform where what it does to secure/remote access is similar to what Kuberentes does for containers.

      • alienbaby15h

        Perhaps it would be easier to go through a few typical use cases and implementations, and describe how they work with less brand naming and technical fancywords.

        I scanned the github, and your reply above, and I still don't really get it.

        I imagine I would understand it better if I was more fluent in the vocabulary you use and understood what some of the platforms and interesting names did from the get go.

        So yea, my 2p - break it down into some use cases from simple - intermediate - advanced, use more straight forward language and less platform / product names. Technical terms are fine, but try not to string a zillion of them together all in one go... it reads a bit too much like a sales pitch trying to cram in as many acronyms and cool sounding things as possible.

        • reachableceo15h

          I do agree with that. As a potential customer , reading over the page, it was incredibly redundant / dense.

          I recommend using an LLM to rewrite it far more succinctly.

        • geoctl15h

          I honestly don't understand where the "sales pitch" part is. This project has been so far a solo effort and I am the one who basically wrote all the code. It's not like this is some VC-backed product where I am a marketing guy replying to you. I would appreciate it if you could provide me direct questions about what you don't understand so that I can answer you.

          • homarp14h

            define all the terms.

            explain simple use cases.

            explain why you built it, how you use it.

            explain the 'size' of it (it requires k8s so might not be for my small homelab)

            compare to 'similar' offerings.

      • reachableceo15h

        Please update your HN profile with contact information.

        This product? Framework? Solution? seems to be exactly what I’ve been looking for / attempting to put together for my company. We are entirely self hosted and use only FLO software.

        We use Cloudron as our core PAAS and have been looking for a FLO zero trust / identity aware proxy for DB/RDP/SSH .

        Happy to be your flagship customer.

        We have a brand new k8s (self hosted) cluster deployed . We use wazuh as our SEIM, librenms for monitoring / alerting.

        Currently we use tailscale (with magicdns disabled and we hand out our internal pi hole IP as our recursive DNS server ) (and we have an authoritative DNS for our internal corporate domain).

        [email protected] reaches me pretty quickly most days. Would love to deploy this immediately and write a testimonial etc

        • geoctl15h

          Thank you so much. I will definitely contact you very soon.

      • catlifeonmars15h

        Gentle feedback: if it’s hard to concisely define what Octelium is, it will be hard to convince people to use it.

        To me this sounds like an L7 identity & access management layer for wireguard, but again I had trouble parsing the readme.

        • geoctl13h

          Thank you. I completely understand your point of view. I did put a lot of effort actually trying to come up with a simple concise description that can fit in an HN 80-char wide title but I simply could not do it. If you think about it, other fairly complex projects such as Kubernetes or Istio are also very hard to concisely describe for newcomers. There is always some assumption that potential users of the project are already acquainted with the terms used in modern zero trust architectures and familiar with similar commercial products such as Cloudflare Access, Teleport, StrongDM and many other related products.

  • Arch-TK11h

    I just use some tools to automate configuration of a wireguard mesh overlay network. It doesn't seem like it should need to be harder than that.

  • b0a04gl13h

    what if this wasnt something you add after infra but the checkpoint you start with. right now you spin up a vm or db then wrap vpn or firewall around it. but imagine writing access rules first in way : 'team ml can hit service x' or 'web app can hit this backend' and the system wires infra from that.. infra becomes a side effect of access intent. access isnt something you cant guard always( as things move fast, breaks fast), it's may become seed where you can design with.

  • udev40962h

    Ah yes, use a no-name do-all program for securing my network instead of headscale, a proven and battle tested wireguard mesh

  • shrubble14h

    One takeaway is that this can replace ZLayer, and it does offer much more functionality than that. Is that correct?

  • sneak15h

    As the other commenters have pointed out, your README is offputting.

    Last year I wrote an article about how to write a good README:

    https://sneak.berlin/20241224/readme-howto/

    • geoctl15h

      Thank you. I will definitely work on making the README more concise and hopefully more useful and easy to understand.

      • sevg15h

        Your readme isn’t great, but I wouldn’t pay much attention to this guide that this person keeps posting.

        It’s way too long and excessively prescriptive, and the author goes too far with inserting their opinions (ie, don’t use github, don’t use discord etc.). I couldn’t possibly recommend this howto.

        • sneak14h

          Oh, look, we both have opinions that we each believe are important. Imagine that. :)

          I think this is the part where I’m supposed to tell third parties to disregard yours, but I’m not going to.

  • ghoshbishakh13h

    So this is something like pinggy.io - self hosted?

  • kevmo31414h

    I’m impressed with how helpful HN commenters are being despite the unilateral opinion about the pitch and readme.

    For what it’s worth, the title of the post is a pretty good pitch. Leaving it at “FOSS Alternative to …” would be a step in the right direction.