
354 points geoctl | 6 comments

I have been working on Octelium for quite a few years now, but it was open sourced only in late May 2025. Octelium, as described in more detail in the repo's README, is simply an open source, self-hosted, unified platform for zero trust resource access that is primarily meant to be a modern alternative to corporate VPNs and remote access tools. It can operate as a remote access/corporate VPN (i.e. an alternative to Twingate, Tailscale, OpenVPN Access Server, etc...), a ZTNA/BeyondCorp platform (i.e. an alternative to Cloudflare Access, Teleport, Google BeyondCorp, etc...), and it can also operate as an API/AI gateway, an infrastructure for MCP and A2A architectures and meshes, an ngrok alternative, a homelab infrastructure or even as a more advanced Kubernetes ingress. It's basically designed to operate like a unified Kubernetes-like scalable architecture for zero trust secure/remote access that's suitable for different human-to-workload and workload-to-workload environments. You can read about the full set of main features, and links about how it works, in more detail in the repo's README or directly in the docs: https://octelium.com/docs

mzhaase No.44412985
I have an immediate, complete distrust of anything that throws around so many buzzwords. This is the GitHub page and I still don't understand what it even does, specifically.
replies(2): >>44413008 #>>44422505 #
geoctl No.44413008
I'd appreciate it if you could provide me a list of those buzzwords so that I can improve the README.
replies(2): >>44413082 #>>44419094 #
drexlspivey No.44413082
“A next-gen FOSS self-hosted unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA/BeyondCorp architecture, API/AI gateway, a PaaS, an infrastructure for MCP & A2A architectures or even as an ngrok-alternative and a homelab infrastructure.”

Literally every single word of it.

replies(3): >>44413175 #>>44413672 #>>44414104 #
geoctl No.44413175
I admit that the "next-gen" word might sound cheesy. As I said in the other reply, the more correct definition for Octelium is: a unified zero trust secure access platform. However, as I said, this is a term that nobody would relate to. It's a ZTNA/BeyondCorp platform, but not in the rigid sense. It's also a WireGuard/QUIC-based remote access VPN, but it operates at layer 7 to provide L7-aware access control, secretless access, dynamic configuration and routing, as well as OpenTelemetry-native visibility and auditing via identity-aware proxies and policy decision points, instead of just controlling access at layer 3. As I said, it's designed to be more like a generic Kubernetes-like architecture for secure remote access that can be used for many different use cases.
replies(4): >>44413290 #>>44413299 #>>44413349 #>>44420916 #
sureglymop No.44413349
I think the issue here is that while these terms may be very familiar to you (and to me personally also), they are not at all familiar to most people who will encounter your project.

Thus, those people coming across your project may quickly overlook it instead of giving it a chance, which is disappointing.

By contrast, here is Tailscale's tagline: "Fast, seamless device connectivity — no hardware, no firewall rules, no wasted time."

That kind of tells even a non-technical user what it is for, even if it dumbs down all it can do. That user then doesn't need to know any technical jargon, how it works under the hood, or even what WireGuard is at all. The tagline is what prompts them to install and try it out, and from there the UX is the deciding factor in whether they keep using it or not.

replies(1): >>44413428 #
geoctl No.44413428
Thank you. I completely understand your point. But as mentioned in the other replies, Octelium is designed to be much more than just a VPN. It is not even tied to providing remote access to "devices" or resources behind NAT. It's a zero trust architecture that's equally designed to provide access to internal resources and publicly protected resources such as SaaS APIs, databases, Kubernetes API servers, SSH, etc... It provides both client-based (i.e. VPN-like) access as well as clientless access for both humans and workloads. For example, humans can just use their browsers to access internal resources behind NAT like a typical protected SaaS resource. Workloads written in any programming language can access protected HTTP/gRPC APIs, Kubernetes, etc... via standard OAuth2 and bearer authentication without using any clients or special SDKs, even when such protected resources are protected by different API keys/access tokens.
replies(1): >>44413590 #
1. sureglymop No.44413590
But that's what I'm getting at. Even if it is much more, is all of that immediately relevant to a curious/potential new user?

I understand it may not be easy to narrow down the explanation, especially if you invested a lot of time and don't want to do a disservice to yourself by underselling it. Looking at the Tailscale tagline I quoted, it is small and ambiguous enough that it works marketing-wise, regardless of all the features and solutions they offer. But it was just an example; I should maybe have used a totally different example of a product that is not in the same realm as yours.

The explanation you gave to me here is good but only because I vaguely know what all this jargon means. Try to think of a short simple sentence that a non-expert could understand.

replies(1): >>44413803 #
2. geoctl No.44413803
I am sorry that you find whatever I say as nothing but "jargon". I assume that those interested in Octelium are already interested in zero trust architectures as defined by NIST, or simply in products such as Cloudflare Access, Teleport, StrongDM, Google BeyondCorp, Zscaler ZTNA, etc... I will do my best to simplify the README soon.
replies(3): >>44415353 #>>44417021 #>>44418467 #
3. mdavid626 No.44415353
I've read "zero trust" more times today than ever before in my life. Still don't know what this project does.
4. swells34 No.44417021
I wouldn't take this line of thinking too much to heart. At some point, a piece of technology is too complex for a person to parse what it means without sufficient background in this space. The "buzzwords" simply aren't buzzwords; you are using real words that accurately describe the project. People look at them, and either don't have sufficient knowledge to parse them in context, or are used to seeing them co-opted for use in low-effort marketing. I have some experience in this space (not a whole lot), and I was able to understand.

I like where you are going with the graphics in the README; I'd spend some effort on creating "intended use case" scenarios, scenarios that highlight situations where the project is the perfect fit. Using a few of these to highlight very different applications gives people a good mental map of where this project would fit well for them.

"John is looking for a way to provide access to an internal tool to work-from-home colleagues. This isn't simple to do because [...]. Octelium is a good fit because [...]. Here is how John would set it up: [...]"

5. subscribed No.44418467
I am the potential target audience, and I assure you it's understandable and clear.

I share some (very little) of the criticism regarding the clarity, but I disagree that you need a tagline like Tailscale's while your solution does several times more things.

Great product, I'm chewing through the docs already :)

replies(1): >>44418630 #
6. geoctl No.44418630
Thank you. You're welcome to ask any questions regarding the internals of Octelium via the emails or Slack/Discord channels. You can find all the contact links in the repo's README or on the website.