Build Your Own Zero Trust Access Gateway with Octelium (Open Source & Self-Hosted)

What is Octelium?

Octelium is a free and open source, self-hosted platform that provides zero trust secure access to resources across any environment. It’s designed as a modern, unified alternative to traditional VPNs, ZTNA platforms, API gateways, PaaS hosting, Kubernetes ingress, reverse proxies, and even tools like ngrok.

Whether you’re managing a corporate infrastructure, hosting containerized apps, securing SaaS API access, or just running a homelab, Octelium offers a scalable, identity-based, application-layer (L7) access solution with both client-based (WireGuard/QUIC) and client-less (BeyondCorp-style) capabilities.


Key Use Cases

Octelium is extremely flexible and can be used in the following scenarios:

🔐 Unified Zero Trust Access (ZTNA/BeyondCorp)

Replace commercial ZTNA solutions (like Cloudflare Access, Teleport, or Zscaler) with a self-hosted alternative supporting both client-based and client-less access.

🌐 Modern Remote Access VPN

Octelium works like a zero-config, L7-aware VPN using WireGuard/QUIC tunnels—no complex routing or network configs needed.

🔄 Secure Tunnels & Reverse Proxy

Set up programmable, secure tunnels to expose private services behind NAT—similar to ngrok or Cloudflare Tunnel.

🚀 Self-Hosted PaaS

Deploy and scale containerized apps with secure access controls—an open source alternative to platforms like Vercel or Netlify.

🔁 API Gateway

Manage and secure your microservices, with L7-aware routing, context-aware policies, and built-in authentication support.

🤖 AI Gateway

Add access control and observability to LLM providers or self-hosted AI APIs, including usage tracking and per-request access.

🔑 Secret-less SaaS Access

Grant secure, token-free access to SaaS APIs and databases for teams or workloads—no more sharing API keys or tokens.

🔄 MCP/A2A Architectures

Secure identity-aware infrastructure for Agent-to-Agent or Model Context Protocol (MCP)-based systems.

☸️ Kubernetes Ingress Alternative

Route to any internal resource—not just Kubernetes services—based on identity, headers, request content, or time of day.

🏠 Homelab Gateway

Connect and access all your homelab resources securely—cloud VMs, Raspberry Pis, routers, apps, and more.


Main Features

✅ Unified Zero Trust Architecture

Octelium uses identity-aware proxies instead of IP-based segmentation. This enables:

  • Secure access to any private/public resource.
  • Support for both client-based (VPN-like) and client-less (browser-based) access.
  • Integration with any identity provider (OIDC, SAML, GitHub OAuth, etc.).
  • Fine-grained, per-request access control via policy-as-code.

🔐 Secret-less, Dynamic Access

Octelium supports dynamic access to:

  • HTTP/gRPC APIs
  • SSH (no keys needed)
  • Kubernetes clusters
  • Databases (PostgreSQL, MySQL)
  • Any mTLS-based resource

📜 Policy-as-Code with CEL & OPA

Write composable, dynamic access policies using Common Expression Language (CEL) and Open Policy Agent (OPA).

🔒 Continuous Authentication

Supports strong MFA (e.g. WebAuthn/Yubikey) and secret-less OIDC-based workload identity.

🔎 Full Visibility & Audit Logging

Octelium exports per-request logs to OpenTelemetry OTLP collectors for centralized monitoring, logging, and security analysis.

🖥️ Embedded SSH Mode

SSH into any device or container—even without an SSH server—using Octelium’s embedded SSH capabilities.

🧱 Managed Containers

Securely deploy, manage, and expose containerized applications with public or private access modes.

⚙️ Declarative & GitOps-Friendly

Use the octeliumctl CLI to manage your cluster declaratively, as you would with Kubernetes. All configurations can be stored in Git and applied programmatically.


Easy Setup

Install CLI Tools

Linux / macOS

curl -fsSL https://octelium.com/install.sh | sh

Windows (PowerShell)

iwr https://octelium.com/install.ps1 -useb | iex

Install a Single-Node Cluster

For personal or dev environments, you can install Octelium on a small VPS or local VM:

curl -o install-demo-cluster.sh https://octelium.com/install-demo-cluster.sh
chmod +x install-demo-cluster.sh
./install-demo-cluster.sh --domain yourdomain.com

More installation guides and setup details are available in the official docs.
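
The installer commands above execute a script fetched over the network, so what runs is whatever the server returns at that moment. The wrapper below is an added example, not code from the Octelium project: it runs a downloaded installer only when its SHA-256 matches a digest you recorded after reviewing the script. The function names `sha256_of` and `run_pinned` are hypothetical, and the digest is one you pin yourself, since this page does not list published checksums.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if its SHA-256 matches a
# digest pinned after review. Function names are hypothetical.

# sha256_of FILE -> prints the hex digest (GNU coreutils or macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_pinned FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with ARGS and returns its exit status.
# Returns 2 on digest mismatch and 3 if FILE does not exist; in both
# cases nothing from FILE is executed.
run_pinned() {
    file=$1; expected=$2; shift 2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 3; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 2
    fi
    sh "$file" "$@"
}

# Typical use (network steps kept as comments so the block runs offline):
#   curl -fsSL -o install-demo-cluster.sh https://octelium.com/install-demo-cluster.sh
#   less install-demo-cluster.sh          # review what it will do
#   sha256_of install-demo-cluster.sh     # record this digest in Git/runbook
#   run_pinned install-demo-cluster.sh "<digest you recorded>" --domain yourdomain.com
```

Re-running the installer later, or on another host, then fails closed if the served script has changed since it was reviewed.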


Licensing

  • Client-side: Apache 2.0
  • Server-side (Cluster components): AGPLv3
    A commercial license is available for businesses needing AGPL alternatives.

Project Status & Contributors

Octelium entered public beta in May 2025, and is stable with thousands of commits since 2020. It’s built and maintained by George Badawi via Octelium Labs LLC.

External contributions are currently limited to issue reporting and feature requests, but this may change in the future.


Learn More


Octelium is a fully self-hosted, transparent, and extensible zero trust access platform for the modern age—built to eliminate complexity, improve security, and give you total control over your infrastructure.
