Most active commenters
  • geoctl(14)
  • dudeinjapan(4)

←back to thread

Show HN: Octelium – FOSS Alternative to Teleport, Cloudflare, Tailscale, Ngrok

(github.com)
354 points geoctl | 32 comments | 29 Jun 25 11:24 UTC | HN request time: 0.349s | source | bottom

I have been working on Octelium for quite a few years now but it was open sourced only by late May 2025. Octelium, as described more in detail in the repo's README, is simply an open source, self-hosted, unified platform for zero trust resource access that is primarily meant to be a modern alternative to corporate VPNs and remote access tools. It can operate as a remote access/corporate VPN (i.e. alternative to Twingate, Tailscale, OpenVPN Access Server, etc...), a ZTNA/BeyondCorp platform (i.e. alterntive to Cloudflare Access, Teleport, Google BeyondCorp, etc...), and it can also operate as an API/AI gateway, an infrastructure for MCP and A2A architectures and meshes, an ngrok alternative, a homelab infrastructure or even as a more advanced Kubernetes ingress. It's basically designed to operate like a unified Kubernetes-like scalable architecture for zero trust secure/remote access that's suitable for different human-to-workload and workload-to-workload environments. You can read more in detail the full set of main features and links about how it works in the repo's README or directly in the docs https://octelium.com/docs
Show context
mzhaase ◴[29 Jun 25 13:29 UTC] No.44412985[source]
I have an immediate complete distrust to anything that throws around so many buzzwords. This is the github page and I still don't understand what it even does, specifically.
replies(2): >>44413008 #>>44422505 #
1. geoctl ◴[29 Jun 25 13:32 UTC] No.44413008[source]
I'd appreciate if you could provide me a list of those buzzwords so that I can improve the readme.
replies(2): >>44413082 #>>44419094 #
2. drexlspivey ◴[29 Jun 25 13:41 UTC] No.44413082[source]
“A next-gen FOSS self-hosted unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA/BeyondCorp architecture, API/AI gateway, a PaaS, an infrastructure for MCP & A2A architectures or even as an ngrok-alternative and a homelab infrastructure.”

Literally every single word of it

replies(3): >>44413175 #>>44413672 #>>44414104 #
3. geoctl ◴[29 Jun 25 13:53 UTC] No.44413175[source]
I admit that the "next-gen" word might sound cheesy. As I said in the other reply, the more correct definition for Octelium is: a unified zero trust secure access platform. However, as I said this is a term that nobody would relate to. It's a ZTNA/BeyondCorp platform but not in the rigid sense. It's also a WireGuard/QUIC-based remote access VPN but it operates at layer-7 to provide L7 aware access control, secretless access, dynamic configuration and routing as well as OpenTelemtry-native visibility and auditing via identity-aware proxies and policy-decision-points instead of just controlling access at layer-3. As I said, it's designed to be more like a generic Kubernetes-like architecture for secure remote access that can be used for many different use cases.
replies(4): >>44413290 #>>44413299 #>>44413349 #>>44420916 #
4. therealpygon ◴[29 Jun 25 14:07 UTC] No.44413290{3}[source]
What you took away from that was that “next-gen” was the problem?

Buzzwords can still be technically accurate and you seem to be ignoring that when it keeps being confronted. “But it is” doesn’t matter when it comes to “but it sounds like”.

Let me give you an example; if I was walk into a store, do you think I want to talk to the person who talks about the “bidirectional optoelectromechanical document transcription and reproduction apparatus implementing discrete photonic acquisition and microdeposition techniques for bidimensional substrate encoding”, or do I want to talk to the person who will sell me a “photocopier”?

5. maxmcd ◴[29 Jun 25 14:09 UTC] No.44413299{3}[source]
I think "no buzzwords" would be further in the direction of:

"This software let's you set up peer to peer networking between your devices, expose them to the internet, run applications on them, view useful runtime information, and integrate easily with cloud providers and infrastructure you're familiar with."

replies(1): >>44413500 #
6. sureglymop ◴[29 Jun 25 14:14 UTC] No.44413349{3}[source]
I think the issue here is that while these terms may be very familiar to you (and to me personally also), they are not at all familiar to most people who will encounter your project.

Thus, those people coming across your project may quickly overlook it instead of giving it a chance which is disappointing.

By contrast, here is Tailscales tagline: "Fast, seamless device connectivity — no hardware, no firewall rules, no wasted time."

That kind of tells even a non-technical user what it is for even if it dumbs down all it can do. That user then doesn't need to know any technical jargon or how it works under the hood or even what wireguard is at all. The tagline is what prompts them to install and try it out and from there the UX is the deciding factor in whether they keep using it or not.

replies(1): >>44413428 #
7. geoctl ◴[29 Jun 25 14:25 UTC] No.44413428{4}[source]
Thank you. I completely understand your point. But as mentioned in the other replies. Octelium is designed to be much more than just a VPN. It is not even tied to provide remote access to "devices" or resources behind NAT. It's zero trust architecture that's equally designed to provide access to internal resources and publicly protected resources such as SaaS APIs, databases, Kubernetes APIservers, SSH, etc... It provides both client-based (i.e. VPN-like) access as well as clientless access for both humans and workloads. For example, Humans can just use their browsers to access internal resources behind NAT like a typical protected SaaS resource. Workloads written in any programming language can access protected HTTP/gRPC APIs, Kubernetes, etc... via standard OAuth2 and bearer authentication without using any clients or special SDKs even such protected resources are protected by different API keys/access tokens.
replies(1): >>44413590 #
8. geoctl ◴[29 Jun 25 14:35 UTC] No.44413500{4}[source]
Thank you. Octelium, however, does not operate as p2p and does not directly connect devices since that by itself contradicts the whole point of zero trust. It provides remote access to resources, or even sub-resources via L7 access control (e.g. allow access to some HTTP paths to some users based on identity/context/request content, etc...), not completely to "devices" or to complete subnets.
replies(1): >>44414382 #
9. sureglymop ◴[29 Jun 25 14:47 UTC] No.44413590{5}[source]
But that's what I'm getting at. Even if it is much more, is all of that immediately relevant to a curious/potential new user?

I understand it may not be easy to narrow down the explanation, especially if you invested a lot of time and don't want to do a disservice to yourself by underselling it. Looking at the Tailscale tagline I quoted, it is small and ambiguous enough that it works marketing wise, regardless of all the features and solutions they offer. But it was just an example, I should maybe have used a totally different example of a product that is not in the same realm as yours.

The explanation you gave to me here is good but only because I vaguely know what all this jargon means. Try to think of a short simple sentence that a non-expert could understand.

replies(1): >>44413803 #
10. pelagicAustral ◴[29 Jun 25 14:58 UTC] No.44413672[source]
"...to make the world a better place." was missing from this paragraph.
11. geoctl ◴[29 Jun 25 15:18 UTC] No.44413803{6}[source]
I am sorry that you find whatever I say as nothing but "jargon". I assume that those interested in Octelium are already interested in zero trust architectures as defined by NIST, simply products such as Cloudlfare Access, Teleport, StrongDM, Google BeyondCorp, Zscaler ZTNA, etc... I will do my best to simplify the README soon.
replies(3): >>44415353 #>>44417021 #>>44418467 #
12. mystraline ◴[29 Jun 25 15:58 UTC] No.44414104[source]
It is zero-trust.

I don't trust this.

13. dudeinjapan ◴[29 Jun 25 16:38 UTC] No.44414382{5}[source]
How about: “Octelium is a secure, policy-based access gateway to your HTTP services, with both VPN tunnel-based and OAuth/zero-trust modes available. (And it can do a lot more!)”
replies(1): >>44414596 #
14. geoctl ◴[29 Jun 25 17:03 UTC] No.44414596{6}[source]
Thank you. I think your description is great but I, as a user myself, might see it as an identity-aware proxy (i.e. something like Pomerium and Ory Oathkeeper IaPs which are great projects) as opposed to a complete Kubernetes-tier platform that does the entire process of remote access, access control, visibility and auditing, user and identtiy management, centralized policy management, etc... from a data-plane and control-plane perspective for an arbitrary number of resources that need to be protected.
replies(2): >>44414880 #>>44415470 #
15. dudeinjapan ◴[29 Jun 25 17:42 UTC] No.44414880{7}[source]
Much of this writing is about finding the right level of detail to communicate the core ideas.

“Octelium is a full-featured access control platform, which provides API gateways and/or VPN tunnels to your HTTP services, paired with an intuitive user, policy, and auditing backplane and policy-as-code.”

Something like the above would be much more enticing to potential users including myself. I can get a rough idea of what I can actually use it for and how it can be integrated into my existing stack—and if there are more features I’ll be pleasantly surprised when I read the docs!

replies(1): >>44415184 #
16. geoctl ◴[29 Jun 25 18:23 UTC] No.44415184{8}[source]
I completely agree with you. And tbqh since almost everybody in the thread is complaining about the README then I must be really doing something wrong explaining Octelium and what it does. I will certainly put more effort to make the README and especially the main description section more useful and easier to understand without transforming it into more of a marketing pitch. As I mentioned in other replies, it's actually really hard to concisely describe fairly complex projects (e.g. Kubernetes, Istio, etc...), especially to newcomers. But I will definitely do my best to improve the docs and README. Thank you really for your insightful comments.
replies(1): >>44415607 #
17. mdavid626 ◴[29 Jun 25 18:47 UTC] No.44415353{7}[source]
I’ve read “zero trust” more times today, than ever before in my life. Still don’t know what this project does.
18. bdesimone ◴[29 Jun 25 19:05 UTC] No.44415470{7}[source]
Quick note since it was mentioned. Pomerium does support Kubernetes at pretty much every level you mentioned (although I'm not entirely sure what a "a complete Kubernetes-tier platform" means) including:

- "remote access" : https://www.pomerium.com/docs/capabilities/kubernetes-access

- "access control" https://www.pomerium.com/docs/capabilities/authorization

- "visibility and auditing" : https://www.pomerium.com/docs/capabilities/audit-logs

- "user and identtiy management" https://www.pomerium.com/docs/capabilities/authentication to which I'd add device identity as well.

- "centralized policy management": https://www.pomerium.com/docs/capabilities/authorization & https://www.pomerium.com/docs/internals/ppl

- deployments using Ingress Controller or GatewayAPI https://www.pomerium.com/docs/deploy/k8s/ingress, https://www.pomerium.com/docs/deploy/k8s/gateway-api

- "for an arbitrary number of resources" not sure what to link to but there's no limit here

Congrats on the release. I saw your thread on MCP and completely agree with the approach. Happy to trade notes :)

replies(1): >>44415668 #
19. dudeinjapan ◴[29 Jun 25 19:25 UTC] No.44415607{9}[source]
One more pointer would be to be very explicit on the homepage about the problems the product solves.

For example, many organizations use a mix of gated HTTP over public internet AND VPN, each one will have its own vendor auth product(s), user whitelisting, it's difficult to control or regularly audit. Octelium centralizes this management and gives admins the flexibility to control how services are exposed and to whom, presumably via simple policy change git commits. SOC2, etc. then becomes a breeze to export the state of the world, onboard/offboard employees, etc.

Defining the product in terms of use cases/problems/solutions rather that competing alternatives (Tailscale, Okta, ORY Hydra, etc.) will go a long way to increase clarity.

replies(1): >>44417039 #
20. geoctl ◴[29 Jun 25 19:31 UTC] No.44415668{8}[source]
I apologize if my reply was seen as critical in any way. I only wanted to make a difference between Octelium as a complete platform compared to Pomerium (I meant the open source project not the entire Enterprise offering which is obviously a complete BeyondCorp solution) and Ory Oathkeeper as identity-aware proxies. A more technical description for Octelium is that it is for IaPs similar to what Kubernetes is for containers. It simply provides a complete control plane to manage and deploy IaPs on top of Kubernetes itself. In fact, I am a fan of Pomerium and their work (I still remember your great work related to Golang's Webauthn and its attestation-related stuff ~3 years ago) if you're part of the team. Funnily enough, Octelium started as a sidecar ext_authz svc for Envoy instances to operate as an IaP but I ended up creating my own Golang-based IaP, Vigil, from scratch because Envoy was just nothing but pain outside HTTP-based resources.
replies(1): >>44415788 #
21. bdesimone ◴[29 Jun 25 19:46 UTC] No.44415788{9}[source]
Genuinely, didn't take it that way at all! I don't expect you to be an expert on Pomerium.

> Funnily enough, Octelium started as a sidecar ext_authz svc for Envoy instances to operate as an IaP but I ended up creating my own Golang-based IaP, Vigil, from scratch because Envoy was just nothing but pain outside HTTP-based resources.

That's really funny... we went the opposite direction as the original versions were based on a custom Go proxy. Of course there are tradeoffs either way. Envoy is blazing fast, and does great with HTTP naturally, but has a giant configuration surface area (both pro and con), but we are now having to write some pretty low level filters /protocol capabilities in envoy for the other protocols we support (SSH, MCP, and so on) in C++ which does not spark joy. So I totally feel what you are saying.

Thanks for the kind words, though I am one of the contributors my colleague did the heavy lifting on the WebAuthN side.

Genuinely happy to see the release and where you are headed on the AI/MCP side. If you (or others) are interested, I am trying to bring more light to this model in the spec if you (or others) would like to weigh in: https://github.com/modelcontextprotocol/modelcontextprotocol...

replies(1): >>44416074 #
22. geoctl ◴[29 Jun 25 20:18 UTC] No.44416074{10}[source]
Thank you. Honestly if I had the right to give you my opinion, I'd just advise you to go back to full custom Go-based proxies regardless of how overwhelming that might sound. Octelium itself still does use Envoy as an ingress for the BeyondCorp mode to route to the intended Service based on the FQDN, however, Envoy as great as it is for ingress and HTTP-based service mesh purposes especially when it comes to memory/CPU usage under huge load conditions, it really shows weakness when it comes to building generic multi L7-protocol aware (e.g. HTTP, SSH, Postgres, MySQL, RDP, etc...) IaPs where you need to understand L7 for each of these protocols to provide access control, modifications to the protocol specific messages and providing L7 aware visibility. The amount of work you need to do in ext_proc, ext_authz, proxy-wasm, etc... is just ridiculous and error prone due to the extra round trips yet it is equivalent to what you could have done if you owned the entire data plane yourself.
23. swells34 ◴[29 Jun 25 22:15 UTC] No.44417021{7}[source]
I wouldn't take this line of thinking too much to heart. At some point, a piece of technology is too complex for a person to parse what it means without sufficient background in this space. The "buzzwords" simply aren't buzzwords; you are using real words that accurately describe the project. People look at them, and either don't have sufficient knowledge to parse them in context, or are used to seeing them co-opted for use in low-effort marketing. I have some experience in this space (not a whole lot), and I was able to understand.

I like where you are going with the graphics in the readme; I'd spend some effort on creating "intended usecase" scenarios, scenarios that highlight situations where the project is the perfect fit. Using a few of these to highlight very different applications give people a good mental map of where this project would fit well for them.

"John is looking for a way to provide access to an internal tool to work-from-home colleagues. This isn't simple to do because [...]. Octelium is a good fit because [...]. Here is how John would set it up: [...]"

24. geoctl ◴[29 Jun 25 22:16 UTC] No.44417039{10}[source]
Thank you, I will definitely add more kind of less-technical information on the homepage to make it easier to understand for business people. As for comparisons, I have been actually reluctant to do it because I don't think I can ever do a truly neutral comparison myself and I believe it should come from neutral parties such as blogs as well as users trying to discover the best solution that works for their own use case. But since I have been asked multiple times already I will probably add some comparisons soon.
replies(1): >>44417403 #
25. noname120 ◴[29 Jun 25 23:00 UTC] No.44417403{11}[source]
I'm not entirely sure if you realize that people here are highly technical yet don't get the point.

The problem isn't that you need to “make it easier to understand for business people” (which many here would take as an offense), the problem is that you're name dropping technologies and concepts without articulating exactly what problem your product solves, and what your exact value proposition is.

Something that does everything usually does nothing well, or at least doesn't provide a coherent dev experience with a sane mental model.

replies(1): >>44417907 #
26. geoctl ◴[30 Jun 25 00:21 UTC] No.44417907{12}[source]
Believe me I am the one who's actually still struggling to find where the jargon/buzzwords/naming dropping exactly is in my own README. Is it terms such as ZTNA/BeyondCorp, MCP, A2A, AI/API gateway? Is it secretless access, zero trust? I will do my best to simplify the README and docs. It's not like I am happy that even technical people are struggling to quickly understand the README. I admit that there must be something wrong with the README/docs and I am going to improve it. All those people hinting the same thing cannot just be wrong.
replies(1): >>44420241 #
27. subscribed ◴[30 Jun 25 02:00 UTC] No.44418467{7}[source]
I am the potential target audience and I assure you it's understandable and clear.

I share some (very little) from some of the criticism regarding the clarity, but I disagree you need a tagine like Tailscale while your solution does several times more things.

Great product, im chewing through the docs already :)

replies(1): >>44418630 #
28. geoctl ◴[30 Jun 25 02:26 UTC] No.44418630{8}[source]
Thank you. You're welcome to ask any questions regarding the internals of Octelium via the emails or Slack/Discord channels. You can find all the contact links in the repo's README or on the website.
29. et1337 ◴[30 Jun 25 03:37 UTC] No.44419094[source]
You’re getting a lot of negative feedback but I think it’s mostly just people who don’t speak (or actively hate) enterprise jargon. Hacker News is not super enterprisey. Just don’t respond. I work for a company called StrongDM and we basically do exactly what Octelium does. I was able to determine that pretty quickly from your website which is not common. Enterprise security is just inherently a buzzwordy, vague cloud of companies all competing to own the magic quadrant.

That said, you are also including some buzzwords on your homepage that appeal to Hacker News folks, like “self-hosted”. That will get a blank stare from enterprise folks.

So I think you should pick one audience or the other. Tailscale took the strategy of appealing to Hacker News types and then shifting up market from there. My company appeals directly to the biggest enterprises we can find and the difference is stark.

I think you’ll get less negative feedback if you choose one of these target audiences and focus on them exclusively.

edit: by the way, Octelium looks awesome, well done!

replies(1): >>44419172 #
30. geoctl ◴[30 Jun 25 03:50 UTC] No.44419172[source]
Thank you really for your kind comment. I am not really against negative comments because they might actually lead to improvements. And btw I am personally a fan of what StrongDM has been doing lately especially when it comes with ABAC and Cedar. This is what I've been trying to achieve in Octelium with CEL and OPA.
31. dudeinjapan ◴[30 Jun 25 06:49 UTC] No.44420241{13}[source]
Zero-Trust, secretless, ZTNA, BeyondCorp, A2A, AI gateway, next gen --> buzzwords

API gateway, MCP, Oauth, VPN --> not buzzwords

The defining characteristics of buzzword are that is very broad, promises "pie-in-the-sky", and almost universally under-delivered by every vendor while incurring very steep costs. In other words, the reason "zero-trust" scares people is because they have probably been burned N times but Oracle, Okta, etc. etc. incurring large costs to achieve underwhelming/non-functioning results, often times paying $$$ to solve imagined infinity-scale problems that don't even apply to the current org size, or even 10x the size.

API gateways, MCP, VPNs are tangible things that fill fairly mundane roles, it is not hard to envision how they can be used to solve real-world properties. I can easily envision dropping an "API gateway" in front of "MCP" in my stack. ZTNA however I cannot just sprinkle on my stack as if it were magic pixie dust...

It doesn't mean that ZTNA should be outright banned everywhere, but when you do use it, you need very careful to define an exact meaning expressed in terms of non-buzzword components.

32. jcul ◴[30 Jun 25 08:43 UTC] No.44420916{3}[source]
To be fair, I wouldn't call these buzz works, maybe just "next-gen".

Rather one could argue they are technical jargon? But then if the technical jargon is over someone's head, maybe they are not the target audience.

I understood most of it, but it is quite dense for the first paragraph.