Octelium
Octelium lets you run a unified zero-trust secure access platform entirely on your own server.
Zero trust access, honestly reviewed. What you actually get when you run it yourself.
TL;DR
- What it is: Free, open-source (AGPL-3.0) unified zero trust secure access platform that can simultaneously act as a VPN replacement, ZTNA layer, API gateway, AI/LLM gateway, MCP gateway, ngrok alternative, and homelab infrastructure [README][2].
- Who it’s for: Engineering teams and security-conscious self-hosters who want to replace a combination of Tailscale, Cloudflare Access, and ngrok with a single self-hosted platform they fully control. Not for non-technical founders who want a point-and-click solution [2].
- Cost savings: Tailscale Business runs ~$6/user/month; Cloudflare Zero Trust scales from free to hundreds per month for teams; Twingate Teams is ~$5/user/month. Self-hosting Octelium costs the price of a Kubernetes-capable VPS or cluster you already run, plus the AGPL license obligations.
- Key strength: Genuinely unified architecture — one platform replacing four or five commercial products, built L7-aware from the ground up using identity-aware proxies, not bolted-on network segmentation [README][2].
- Key weakness: Kubernetes is a hard dependency. The learning curve is steep even by self-hosting standards. The XDA Developers review calls it “slightly buried in technical jargon” [2], which understates how much operational knowledge it assumes.
What is Octelium
Octelium is an open-source zero trust secure access platform built on Kubernetes. The GitHub description calls it “a next-gen FOSS self-hosted unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA/BeyondCorp platform, API/AI/MCP gateway, a PaaS, an ngrok-alternative and a homelab infrastructure” [README]. That sentence is doing a lot of work, and the platform genuinely means it — Octelium is designed to replace several commercial products with a single self-hosted system.
The core architecture is built around identity-aware proxies (IAPs) rather than network-level segmentation. This is a meaningful technical distinction: traditional VPNs grant access to a network and then trust the authenticated user within it. Octelium applies access control at the application layer, per request, based on identity and context — the model Google calls BeyondCorp [2][README].
Access comes in two flavors. Private access uses WireGuard/QUIC tunnels with automatic private DNS — zero-config for clients once enrolled. Public clientless access handles browsers and machine-to-machine workloads via standard OAuth2 client credentials and bearer authentication, without a VPN client on the endpoint [README]. Both paths enforce the same policy engine.
The secretless access capability is one of the more practically useful features: Octelium can proxy requests to SaaS APIs, AWS services, or internal resources without distributing credentials to end users or workloads. The platform injects credentials at the proxy layer, so a developer never sees the AWS key that gives them access to S3 [README].
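To make the access model described in the preceding paragraphs concrete, here is an added illustration, written for this review and not taken from Octelium's code or configuration format: a toy identity-aware proxy in Python that verifies a bearer token, evaluates a policy per request using both the caller's identity (group membership) and request context (an MFA flag), and, only when the decision is allow, forwards the request with an upstream credential the client never receives. The token format, the HMAC signing key, the policy rules, the bucket paths and the `UPSTREAM_CREDENTIAL` placeholder are all constructed for the example.

```python
"""Toy identity-aware proxy: per-request authorization on identity plus context,
and secretless credential injection. Constructed illustration, not Octelium code."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed secrets: the signing key belongs to the identity layer, the
# upstream credential is held only by the proxy and never reaches a client.
SIGNING_KEY = b"demo-token-signing-key"
UPSTREAM_CREDENTIAL = "UPSTREAM-KEY-PLACEHOLDER-NEVER-SENT-TO-CLIENT"


def mint_token(subject, groups):
    """Issue an HMAC-signed bearer token (stand-in for an OIDC access token)."""
    payload = json.dumps({"sub": subject, "groups": groups}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token):
    """Return the identity claims if the signature is valid, otherwise None."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except ValueError:  # missing separator or malformed base64
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(sig, expected) else None


@dataclass(frozen=True)
class Rule:
    groups: frozenset          # any one of these groups satisfies the rule
    methods: frozenset         # permitted HTTP methods
    path_prefix: str           # upstream paths the rule covers
    require_mfa: bool = False  # request-context condition, not identity


# Constructed policy-as-code: devs may read one bucket; ops may write to any
# bucket, but only from an MFA-verified session.
POLICY = (
    Rule(frozenset({"devs"}), frozenset({"GET"}), "/buckets/reports/"),
    Rule(frozenset({"ops"}), frozenset({"GET", "PUT", "DELETE"}), "/buckets/", True),
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict


def evaluate(identity, request, context):
    """Per-request decision: identity (groups) and context (MFA) must both satisfy a rule."""
    return any(
        set(identity["groups"]) & rule.groups
        and request.method in rule.methods
        and request.path.startswith(rule.path_prefix)
        and (context.get("mfa", False) or not rule.require_mfa)
        for rule in POLICY
    )


def proxy(request, context=None):
    """Return (status, upstream_request); upstream_request is None unless allowed."""
    context = context or {}
    auth = request.headers.get("Authorization", "")
    identity = verify_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if identity is None:
        return 401, None
    if not evaluate(identity, request, context):
        return 403, None
    # Secretless access: strip the client's token, attach the proxy-held upstream
    # credential, and forward the verified identity for upstream auditing.
    headers = {k: v for k, v in request.headers.items() if k != "Authorization"}
    headers["Authorization"] = "Bearer " + UPSTREAM_CREDENTIAL
    headers["X-Forwarded-User"] = identity["sub"]
    return 200, Request(request.method, request.path, headers)


def run_scenarios():
    """Run constructed requests through the proxy and return the status per scenario."""
    dev, ops = mint_token("alice", ["devs"]), mint_token("bob", ["ops"])
    # Forged token: alice's signature glued onto a payload that claims the ops group.
    forged_payload = json.dumps({"sub": "alice", "groups": ["ops"]}, sort_keys=True).encode()
    forged = base64.urlsafe_b64encode(forged_payload).decode() + "." + dev.split(".", 1)[1]

    def bearer(token):
        return {"Authorization": "Bearer " + token}

    return {
        "dev_read_reports": proxy(Request("GET", "/buckets/reports/q3.csv", bearer(dev)))[0],
        "dev_write_reports": proxy(Request("PUT", "/buckets/reports/q3.csv", bearer(dev)))[0],
        "ops_write_no_mfa": proxy(Request("PUT", "/buckets/raw/x", bearer(ops)))[0],
        "ops_write_mfa": proxy(Request("PUT", "/buckets/raw/x", bearer(ops)), {"mfa": True})[0],
        "forged_token": proxy(Request("GET", "/buckets/reports/a", bearer(forged)))[0],
        "no_token": proxy(Request("GET", "/buckets/reports/a", {}))[0],
    }
```

Calling `run_scenarios()` returns 200 for the developer's read and the operator's MFA-backed write, 403 for the developer's write and the operator's write without MFA, and 401 for the forged and missing tokens. The design point is the ordering inside `proxy`: the upstream credential is attached only after both authentication and the per-request policy decision succeed, so a client that holds a valid token (the compromised-client scenario) still reaches only what its identity and current context permit, and never learns the upstream credential itself.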
As of this review, the project sits at 3,492 GitHub stars [merged profile] — modest by the standards of something positioned against Tailscale or Cloudflare, but the project is genuinely newer and less marketed.
Why people choose it
The XDA Developers review [2] — the most substantive third-party write-up available — frames the appeal around a problem every self-hoster eventually hits: remote access to self-hosted services is either insecure (port-forwarded), painful (traditional VPN), or dependent on a third-party tunnel (Cloudflare, ngrok) that can pull the service at any time.
Octelium addresses the threat model of a compromised client on an already-trusted network — the scenario where traditional VPNs fall apart. Once you’re past the perimeter, a standard VPN trusts you everywhere. Zero trust architecture doesn’t. Every request is evaluated against policy, regardless of where it originates [2][README].
The German cloud newsletter allesnurgecloud.com listed Octelium as a notable open-source discovery in their November 2025 issue [3], and weeklyfoo #92 [4] picked it up in the same month — both in the context of self-hosted infrastructure tooling, not security product comparisons. The timing matches the XDA piece and suggests a small but real discovery moment for the project in late 2025.
What pulls people toward Octelium specifically versus the alternatives:
Versus Tailscale. Tailscale is elegant and the easiest zero-config mesh VPN that exists. But it’s a closed-source coordination layer sitting on top of WireGuard — your mesh depends on Tailscale’s coordination servers unless you run Headscale (an unofficial, incomplete reimplementation). Octelium is fully self-hosted with no external coordination dependency, AGPL-licensed, and operates at L7 rather than L3/L4. The trade-off: Tailscale is a 30-minute setup; Octelium is a multi-hour Kubernetes deployment [2][README].
Versus Cloudflare Access / Zero Trust. Cloudflare’s zero trust product is genuinely good and the free tier is generous. The reason to leave it: you’re adding a dependency on Cloudflare’s infrastructure for every access decision your internal services make, and Cloudflare has had notable outages [3]. The November 2025 Cloudflare outage — where a Rust .unwrap() crash on a ClickHouse permission change took down services including ChatGPT, X, and Uber for three to six hours — is the exact risk profile that pushes operators toward self-hosted alternatives [3]. Octelium’s architecture doesn’t have that single point of external failure.
Versus ngrok / Cloudflare Tunnel. For secure reverse proxies and public-facing tunnels, ngrok charges per endpoint and Cloudflare Tunnel requires handing routing to Cloudflare. Octelium is a programmable infrastructure for the same use case, self-hosted, with identity-based access control layered on [2][README].
Versus Teleport. Teleport is the most direct competitor for the ZTNA/BeyondCorp use case. It’s mature, well-documented, and has a strong enterprise track record. Octelium’s pitch is broader scope (API gateway, AI gateway, PaaS use cases) and full AGPL licensing on the core.
Features
Based on the README, website documentation, and enterprise page:
Core access:
- WireGuard/QUIC tunnels for zero-config private client access with automatic private DNS [README]
- Clientless BeyondCorp access for browsers and workloads via OAuth2 and bearer authentication [README]
- Policy-as-code for context-aware, per-request access control [README][2]
- Secretless access — credential injection at the proxy layer, no keys distributed to clients [README][2]
- Access to resources behind NAT across any environment: on-prem, cloud, IoT, Raspberry Pi [README]
Gateway use cases:
- API gateway for microservices routing (alternative to Kong, Apigee) [README]
- AI/LLM gateway with identity-based access control and routing for any AI provider [README]
- MCP (Model Context Protocol) gateway with OAuth2 and A2A architecture support [README]
- ngrok / Cloudflare Tunnel alternative for programmable reverse proxies [README][2]
Platform use cases:
- Container deployment platform (Vercel/Netlify alternative) with support for Next.js/Vite apps [README]
- Kubernetes ingress alternative with L7-aware policy routing [README]
- Homelab infrastructure for connecting devices and hosting services [README]
Authentication and identity:
- SSO support [merged profile features]
- Two-factor authentication [merged profile features]
- REST API [merged profile features]
- ClickHouse, Elasticsearch, MySQL, PostgreSQL integrations [merged profile features]
Enterprise tier (commercial license required):
- Premium support with dedicated Slack channel [1]
- Encrypted secret management with AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault [1]
- Centralized web-based management dashboard [1]
- SCIM 2.0 user and group provisioning from Entra ID, Okta [1]
- Multi-region clusters across Kubernetes installations [1]
- OpenTelemetry with SIEM export to Datadog, Splunk, Grafana, Elastic [1]
- Automatic public DNS via Cloudflare, AWS Route 53 [1]
- Automatic TLS certificate management [1]
- Authentication and audit logs [1]
- Device posture with EDR providers (coming soon) [1]
- Just-in-time access with self-service approvals (coming soon) [1]
- Octospace: zero trust cloud development environment (early access) [1]
The community edition covers the full access platform, all gateway types, and the PaaS use cases. What’s gated behind enterprise: management at scale (SCIM, dashboard, multi-region), deep audit trails, and integrations with existing security tooling (SIEM, EDR).
Pricing: SaaS vs self-hosted math
Octelium doesn’t publish pricing for its enterprise tier — it’s contact-sales only [1]. The community/self-hosted edition is free under AGPL-3.0, with a commercial license alternative for businesses that can’t ship under AGPL obligations [1].
The relevant comparison is what Octelium replaces:
Tailscale:
- Free: 3 users, 100 devices (personal/homelab use)
- Starter: $5/user/month
- Business: $6/user/month (SSO, access controls, logging)
- For a 10-person team: $60–720/year depending on tier
Cloudflare Zero Trust:
- Free: up to 50 users
- Pay-as-you-go above 50 users: pricing not publicly listed, contact sales
- The free tier is genuinely useful for small teams but creates vendor lock-in
Twingate:
- Teams: $5/user/month
- Business: $10/user/month
- For a 10-person team: $600–$1,200/year
ngrok:
- Free: 1 static domain, 1 agent
- Personal: $8/month
- Pro: $20/month, 3 custom domains
- Business: custom
Self-hosted Octelium:
- License: $0 (AGPL community edition)
- Infrastructure: a Kubernetes cluster — single-node k3s on a $10–20/month VPS for small teams, or use existing Kubernetes infra
- Your time
The honest math: if your team is already running Kubernetes, the incremental cost of adding Octelium is near-zero and it replaces four billing relationships. If you’re not running Kubernetes, you need to stand one up first, which adds significant operational overhead before you get to the actual zero trust platform.
Pricing comparison data for Octelium’s commercial/enterprise tier is not available — the company doesn’t publish it [1].
Deployment reality check
This is where the Octelium pitch gets harder. Every other tool in the zero trust category can be installed in 15–30 minutes. Octelium is built on Kubernetes and that’s non-negotiable.
What you actually need:
- A Kubernetes cluster (k3s on a single VPS works; the docs mention this explicitly) [README]
- kubectl and Helm familiarity
- The Octelium CLI tools
- A domain name for public-facing services
- Enough VPS to run the Kubernetes control plane plus Octelium components
What the XDA reviewer found: Joe Rice-Jones at XDA [2] describes Octelium as “incredibly powerful” but flags that it’s “slightly buried in technical jargon.” The documentation assumes you understand zero trust architecture before you start — there’s no “I just want to access my Plex server from outside” quickstart that abstracts the underlying model. The use case breadth is a feature and a documentation liability simultaneously: you need to understand which of the eight possible use cases applies to you before you can follow the right setup path.
What can go wrong:
- The Kubernetes dependency is the biggest filter. If you’ve never run a Kubernetes cluster, plan for a significant learning investment before Octelium is even in scope.
- The AGPL license requires that if you distribute software built on Octelium, you must open-source your modifications. For internal tooling and self-hosting, this doesn’t matter. For building a product on top of Octelium that you ship to customers, it might. The commercial license alternative exists for this case [1].
- Enterprise features (the management dashboard, SCIM, audit logs) are behind the enterprise tier. The community edition is CLI and YAML-driven. For teams that need a web UI for ongoing administration, that’s a meaningful gap [1].
- Multi-region clusters are enterprise-only [1] — relevant for distributed teams that need low-latency access across geographies.
Realistic time estimate: a Kubernetes-fluent engineer can have a working Octelium cluster in 2–4 hours on a VPS running k3s, following the docs. For someone new to Kubernetes: budget a weekend minimum, plus debugging time. For a non-technical founder: this is not a DIY project.
Pros and cons
Pros
- Genuinely self-hosted with no external dependencies. Unlike Tailscale (coordination server) or Cloudflare Tunnel (Cloudflare’s network), Octelium runs entirely on your infrastructure. The Cloudflare November 2025 outage [3] is the argument for this in concrete form.
- L7-aware architecture from the ground up. Access control at the application layer, per request, based on identity and context — not network segmentation that can be traversed once a device is compromised [2][README].
- Secretless access eliminates credential distribution. No API keys handed to developers or workloads. Credentials injected at the proxy layer [README][2].
- Replaces multiple products. VPN replacement, ZTNA, API gateway, AI gateway, MCP gateway, ngrok alternative, PaaS, Kubernetes ingress — one platform, one operational dependency [README].
- MCP and A2A native. Infrastructure-level support for Model Context Protocol gateways and Agent2Agent architectures is genuinely ahead of what most access platforms offer in 2025–2026 [README].
- AGPL core with commercial alternative. The core is open source and auditable. For businesses with AGPL concerns, a commercial license exists [1].
- Built on Kubernetes for horizontal scalability. Runs on a single-node k3s cluster or scales to multi-node managed Kubernetes [README].
Cons
- Kubernetes is a hard dependency. Not optional, not abstracted away. This is a significant operational barrier for teams not already running Kubernetes [2][README].
- Documentation assumes prior zero trust knowledge. The XDA review flags “technical jargon” as a barrier [2]. The breadth of use cases makes it harder to find the right starting point, not easier.
- Enterprise features include basics that competitors include free. The web management dashboard, SCIM provisioning, and audit logs are enterprise-tier [1]. Tailscale includes audit logging on its Business plan at $6/user/month.
- 3,492 GitHub stars is modest for this positioning. Compared to Tailscale’s mainstream adoption or Teleport’s enterprise traction, Octelium is a smaller, newer project. Community support, third-party guides, and battle-tested deployments are proportionally thinner [merged profile].
- Pricing opacity. No public pricing for enterprise features makes cost planning impossible without a sales conversation [1].
- The “eight tools in one” pitch is also a complexity warning. A platform that can be a VPN, a PaaS, an AI gateway, and a Kubernetes ingress is one that requires careful thought about which pieces you’re actually deploying and why; it invites scope creep in your own infrastructure.
- No independent third-party benchmarks or long-term deployment reports found. The available reviews are brief mentions and one solid walkthrough. For a platform you’re betting production access on, that’s a thin evidence base.
Who should use this / who shouldn’t
Use Octelium if:
- You already run Kubernetes (or k3s) and want to consolidate Tailscale, a reverse proxy, and an API gateway into one self-managed platform.
- You’re building AI/ML infrastructure and need an MCP gateway or A2A architecture with proper identity management and access control.
- Your threat model requires zero external infrastructure dependencies — you genuinely can’t route access decisions through Cloudflare, Tailscale’s coordination layer, or any third-party service.
- You have a team comfortable operating Kubernetes and YAML-based policy management.
- AGPL is acceptable for your use case, or you need the commercial license alternative.
Skip it (use Tailscale instead) if:
- You want zero trust remote access to your homelab or small team infrastructure and you want it working in under an hour.
- You’re a non-technical founder or solo operator who needs something you can hand to a non-engineer.
- You don’t run Kubernetes and aren’t planning to.
Skip it (use Cloudflare Access instead) if:
- You accept the Cloudflare infrastructure dependency and want a polished, well-documented zero trust product with a generous free tier.
- You need a web UI out of the box and don’t want to operate the underlying infrastructure.
Skip it (use Teleport instead) if:
- You’re an enterprise team that needs a mature, widely-deployed BeyondCorp-style platform with years of production deployments behind it, extensive third-party documentation, and established enterprise support.
Skip it (use ngrok instead) if:
- You need quick, temporary public tunnels for development and demo purposes. ngrok’s operational simplicity wins here by a large margin.
Alternatives worth considering
- Tailscale — the practical standard for self-hosted-adjacent zero config mesh VPN. Easier to deploy by an order of magnitude; coordination server is a dependency but the product quality is excellent. Free tier covers personal/homelab use. Headscale is the fully self-hosted coordination layer alternative.
- Cloudflare Zero Trust / Access — mature ZTNA product with a generous free tier. Requires Cloudflare dependency. Suitable for most small teams.
- Teleport — the most direct competitor for enterprise ZTNA and BeyondCorp-style access. More mature, better documented, enterprise-hardened. Community edition is free and self-hosted.
- Twingate — simpler ZTNA with no Kubernetes dependency. Less powerful but much faster to deploy. Teams pricing at $5/user/month.
- WireGuard + Headscale — for teams who want raw WireGuard mesh without any additional abstraction. Maximum control, no policy engine, no L7 awareness.
- ngrok / Cloudflare Tunnel — for the tunnel use case specifically, these are simpler and faster than Octelium for development or low-volume public exposure.
- Kong Gateway / Traefik — for the API gateway use case in isolation, these are more mature and better documented than Octelium’s gateway capabilities.
Bottom line
Octelium is a serious piece of infrastructure engineering with a genuinely differentiated architecture. The L7-aware, identity-based, secretless access model is the right approach to zero trust — not a network perimeter wearing zero trust branding. The breadth of use cases (VPN, ZTNA, API gateway, AI gateway, MCP gateway, PaaS, Kubernetes ingress) is real, not vaporware. For a Kubernetes-native team that’s currently paying four separate bills for Tailscale, a reverse proxy, an API gateway, and a tunnel service, the consolidation argument is solid.
The honest limiting factor is operational complexity. Octelium requires Kubernetes, requires understanding zero trust architecture before you can configure it, and requires your team to own the entire stack when something goes wrong. The XDA reviewer [2] called it “incredibly powerful” and “packed with promise” in the same sentence they described it as “slightly buried in technical jargon.” That’s an accurate summary. If you’re a non-technical founder looking to escape SaaS bills, this is not the right tool — the operational overhead is higher than the SaaS cost you’d be replacing. If you’re an infrastructure-minded engineering team that already runs Kubernetes and has the operational capability to support it, Octelium is worth serious evaluation.
Sources
- [1] Enterprise Support and Features — Octelium (octelium.com). https://octelium.com/enterprise
- [2] Joe Rice-Jones, XDA Developers — “You haven’t heard of this self-hosted Cloudflare Tunnel alternative” (Nov 18, 2025). https://www.xda-developers.com/you-havent-heard-of-this-self-hosted-cloudflare-tunnel-alternative/
- [3] allesnurgecloud.com Newsletter #213 — “Cloudflare Ausfall, GDPR in EU, Vertrauen, 11 Milliarden RZ, Datadog SRE, Nextcloud in Österreich und mehr” (in English: “Cloudflare outage, GDPR in the EU, trust, 11-billion data center, Datadog SRE, Nextcloud in Austria and more”) (Nov 23, 2025). https://allesnurgecloud.com/newsletter/cloudflare-ausfall-gdpr-in-eu-vertrauen-11-milliarden-rz-datadog-sre-nextcloud-in-oesterreich-und-mehr-213/
- [4] weeklyfoo #92 — “Octelium: A next-gen FOSS self-hosted unified zero trust secure access platform” (Jul 7, 2025). https://weeklyfoo.com/foos/foo-092/
Primary sources:
- GitHub repository and README: https://github.com/octelium/octelium (3,492 stars, AGPL-3.0)
- Official documentation: https://octelium.com/docs/octelium/latest/overview/intro
- Enterprise page: https://octelium.com/enterprise