
354 points geoctl | 4 comments

I have been working on Octelium for quite a few years now, but it was open sourced only in late May 2025. Octelium, as described in more detail in the repo's README, is simply an open source, self-hosted, unified platform for zero trust resource access that is primarily meant to be a modern alternative to corporate VPNs and remote access tools. It can operate as a remote access/corporate VPN (i.e. an alternative to Twingate, Tailscale, OpenVPN Access Server, etc.), a ZTNA/BeyondCorp platform (i.e. an alternative to Cloudflare Access, Teleport, Google BeyondCorp, etc.), and it can also operate as an API/AI gateway, an infrastructure for MCP and A2A architectures and meshes, an ngrok alternative, a homelab infrastructure, or even as a more advanced Kubernetes ingress. It's basically designed to operate like a unified Kubernetes-like scalable architecture for zero trust secure/remote access that's suitable for different human-to-workload and workload-to-workload environments. You can read the full set of main features, and links about how it works, in more detail in the repo's README or directly in the docs: https://octelium.com/docs
wkat4242 No.44415156
There are so so many of these already...

- Tinc (the OG of P2P VPN)

- Hamachi (not open though)

- ZeroTier

- Nebula (from Slack)

- Tailscale

- Netbird

I wonder why people keep building more. I know each has its own quirks and things they're better at, but the difference is really quite minimal.

One of the things I really would like is zero-trust 'lighthouses'. With current Zerotier and Tailscale, you really have to trust them because they can add nodes on your account whenever they want. I don't want that, I want fully self-hosted and for the lighthouses to just coordinate but not to be part of the network. I have to do some research to see what would be best.

metmac No.44415706
Reading through the docs. I feel like a lot of people are missing the value here. This could be a diamond in the rough if it actually delivers on its docs.

What enterprises want is to move away from perimeter based security models towards the promise that Google überProxy/BeyondCorp popularized many years ago. Which has been lost in the buzzword soup. It’s very simple.

1. A clean separation between Prod, Corp, and the public internet. And the UX to hop between them as an employee is as transparent as possible. (Oftentimes network segmentation comes with additional painful friction for engineers.)

2. One pipe to observe, and clearly attenuate permissions as traffic/messages flows between these boundaries.

3. Strong proofing of identity for every client, as an inherent requirement.

The problem is everyone outside Google has incredibly diverse protocol ecosystems. It makes those three promises incredibly difficult to deliver on as a vendor. (I’ve evaluated many)

To build a proxy that is protocol aware, only solves half the problem. It gets you some coarse grain decision making and a good logging story.

To build a proxy that is also able to perform type-inference at the request layer, allows for a much richer authZ story. One where businesses can build an authorization layer at the proxy better than their in-house apps could even do natively. (As it turns out, having all the predicates of the request available to a policy engine is super useful).

The docs are a little verbose, the marketing maybe isn’t amazing. But this is inherently a complex problem. No one has fully solved it.

Teleport was first to the market to OSS and commercialize a lot of these ideas. StrongDM also is doing really interesting work in this space. I wish Hashicorp had invested more in this space.

Disclaimer: my opinions are my own.

1. wkat4242 No.44417565
I work for an enterprise and they don't want this. They still rely on traditional centralised VPNs. How they deal with this is enforcing them everywhere, even in the office. Though there they usually are only on in name.

I think the reason is that they want to inspect the traffic in central locations, if each endpoint is doing its own you need to log there which means you can't always access it immediately.

I do use Mesh VPNs privately and love them. I love the way I have this overlay, a personal network that works everywhere. My devices all keep the same address no matter where they are.

2. metmac No.44418075
Depends on the industry. But many large enterprises in the Fortune 500 are actively trying to move away from your traditional VPN. (F5, Pulse, Cisco, etc).

Even with VPNs the question should be, what are we gating behind that VPN anyway. Does it actually give us the granularity of controls we want or is this all security theater. (Also what about hybrid infra, between the datacenter and cloud)

FWIW, my ideal architecture is WireGuard into Corp (a la Cloudflare WARP, Tailscale, etc). Corp doesn’t hold a ton of sensitive assets. Or put another way, it’s a lower trust tier.

And then using something like Teleport, Octelium, etc to reach production assets.

Admittedly no vendor product I’ve come across yet has bridged this gap nicely. The überProxies tend to focus on the application protocols they support, while the WireGuard clients care more about session control of the tunnel.

3. atyvr No.44430545
Really thoughtful take. That exact gap: bridging identity-aware tunneling (like WireGuard) with protocol-aware proxy decisions is exactly what we set out to solve with Border0.

We pair WireGuard-style tunnels with real-time identity (SSO, device, group context) and protocol-aware proxies for SSH, RDP, HTTP, psql, MySQL, MSSQL, ES, and Kubernetes. Our policy engine lets you write rules like “only the DBA group can run DELETEs in Prod” or “Support can exec into this pod,” and we log every query, command, or request, all tied back to the user and device.

Think of it as combining the modern VPN experience of Tailscale with the deep authZ and observability of Teleport. I call it VPN plus PAM. Would love your thoughts if you give it a look.

Quick 2-minute overview: https://www.youtube.com/watch?v=hU7QixSqnSM&t=3s

https://www.border0.com/
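To make concrete the distinction metmac draws above between a coarse, tunnel-level decision and a request-layer decision with "all the predicates of the request available to a policy engine", and the kind of rule atyvr quotes ("only the DBA group can run DELETEs in Prod"), here is an added illustration. It is not code from Octelium, Border0 or Teleport; the identities, policy rules, and payloads are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user: str
    device: str
    groups: frozenset
    device_trusted: bool

@dataclass(frozen=True)
class Request:
    protocol: str  # e.g. "postgres", "kubernetes", "http"
    env: str       # "prod" or "corp"
    payload: str   # SQL text, "exec pod/x", "GET /path", ...

def request_verb(req: Request) -> str:
    """Type-inference step: pull the action out of the protocol payload."""
    m = re.match(r"\s*([A-Za-z]+)", req.payload)
    return m.group(1).upper() if m else ""

def tunnel_decision(idn: Identity, req: Request) -> bool:
    """Coarse, tunnel-level view: only knows who connects, from what device, to which tier."""
    return idn.device_trusted and (req.env != "prod" or "engineering" in idn.groups)

# Constructed sample policy: (env, protocol, gated verbs, group that may run them)
RULES = [
    ("prod", "postgres", {"DELETE", "DROP", "TRUNCATE"}, "dba"),
    ("prod", "kubernetes", {"EXEC"}, "support"),
]

def request_decision(idn: Identity, req: Request) -> tuple:
    """Request-layer view: the same connection, now gated per action."""
    if not tunnel_decision(idn, req):
        return False, "denied at tunnel"
    verb = request_verb(req)
    for env, proto, verbs, group in RULES:
        if (req.env, req.protocol) == (env, proto) and verb in verbs and group not in idn.groups:
            return False, f"{verb} on {env} {proto} requires group {group}"
    return True, "allowed"

def evaluate(idn: Identity, req: Request, audit: list) -> tuple:
    """Every decision is recorded and tied back to the user and device."""
    allowed, reason = request_decision(idn, req)
    audit.append({"user": idn.user, "device": idn.device, "env": req.env,
                  "protocol": req.protocol, "verb": request_verb(req),
                  "allowed": allowed, "reason": reason})
    return allowed, reason

if __name__ == "__main__":
    log = []
    alice = Identity("alice", "laptop-1", frozenset({"engineering"}), True)
    print(evaluate(alice, Request("postgres", "prod", "DELETE FROM users"), log), log)
```

Note that `tunnel_decision` would let alice's connection through, so only a proxy that parses the statement can stop the DELETE while still permitting her SELECTs.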

4. wkat4242 No.44431621
Oh yes, I agree it's all theater. We are a very big enterprise (though not big tech), but we're a very traditional company unfortunately.

We're also still working to go "on cloud" as our CIO wants. Because they want to be hip too.

Which in our case means lifting up an image of every server in our datacenter and moving it to a compute box on AWS that runs 24/7. This is not "cloud". It's just paying much more for someone else's server. There is no dynamic scaling or consumption-based billing. It's just setting money on fire so we can tick a box.

Of course we're also "on modern management" yet rely extremely heavily on SCCM policies. Always the same story here.