Modern, Open Source, Self-Hosted Alternative to Fortinet

Everything you need, in one platform.

A Unified Zero Trust Access Platform

A Unified, Open Source, Self-Hosted Zero Trust Access Platform that can Operate as a Comprehensive ZTNA/BeyondCorp Platform for Teams and Workloads to Access all your Infrastructure at any Scale

A Unified Architecture for Client-based and Clientless Access

A Unified Scalable Architecture Built on top of Kubernetes to Provide both Zero-Config Client-based Access over Modern WireGuard/QUIC Tunneling with Centralized Private DNS as well as Public Clientless BeyondCorp and even Anonymous Access

Secretless Access to APIs, SSH and Databases

Provide Dynamic Secretless Access to HTTP-based Resources without sharing API Keys and Access Tokens, PostgreSQL and MySQL Databases without sharing Passwords, SSH Servers without Managing Keys and Certificates, Kubernetes Clusters without sharing Kubeconfigs

A Platform for Deployment, not just Access

A PaaS-like Platform to Effortlessly Deploy, Scale and Provide Secure Access to Containerized Applications of any Kind.

Application-layer Aware Access Control

Access Control at the Application Layer (L7) (e.g. HTTP paths and methods, Kubernetes namespaces and verbs, PostgreSQL queries, etc.) using Identity-aware Proxies (IAPs) driven by Context-aware Policy-as-Code written in CEL and OPA

Secretless Access to your SaaS, not just Internal Resources

Seamlessly Provide Secure Secretless Access for Humans and Workloads to your SaaS APIs without sharing API Keys, Access Tokens or OAuth2 Credentials, as well as to Public SaaS PostgreSQL and MySQL-based Databases without Sharing Passwords

Built for Scalability and Availability

A Scalable Platform Built on top of Kubernetes for Automatic Horizontal Scalability and Availability

Centralized, Declarative and Programmable Management

Designed to be Administered like Kubernetes, in a DevOps/GitOps-friendly, Centralized and Declarative Way. The Cluster is furthermore fully Programmable over gRPC.

Integrate your OIDC/SAML SSO Providers

Seamlessly integrate any OpenID Connect or SAML 2.0 SSO Provider as well as GitHub OAuth2. Enforce Strong MFA with Phishing-Resistant FIDO2 Authenticators in Access Control Decisions for Sensitive Resources.

OpenTelemetry-native Real-time Visibility

OpenTelemetry-ready, Layer-7-Aware Real-Time Visibility and Auditing Exported to Your Log Management and SIEM Providers

Eliminate VPN Problems

Eliminate Traditional VPN Problems: Use a Single Stable Route instead of Injecting Countless Routes into Your Users' Clients. Effortless Dual-Stack Networking Regardless of Upstream Support. Seamless, Unified, Automatic Private DNS.

Dynamic, Native MFA and Login with FIDO2 Passkey, TPM 2.0 and TOTP

Dynamically Apply Native FIDO2 Passkey/WebAuthn, Time-based One-time Password (TOTP) Authentication and TPM 2.0 Authentication. Enforce the Use of Attested Hardware-based FIDO2 Authenticators in your Access Control Decisions.

Get started

Deploy Octelium on your own infrastructure in minutes.

Free and open source. Self-hosted. No vendor lock-in.

| Capability | Octelium (Base, Unified Access Platform) | Cloudflare Access / Tunnel (Edge SASE / ZTNA) |
|---|---|---|
| **Architecture** | | |
| Architecture | Kubernetes-native identity-aware proxy/gateway architecture with separated PEP/PDP planes, client-based WireGuard/QUIC access, clientless BeyondCorp access, declarative resources, and self-hosted control/data planes. | SaaS edge proxy/SASE architecture. cloudflared connectors and/or WARP clients connect private resources and users to Cloudflare's global network. Access policies apply at the Cloudflare-controlled edge/control plane. |
| **Authentication** | | |
| OpenID Connect | Yes | Yes |
| SAML 2.0 | Yes | Yes |
| GitHub OAuth2 | Yes | Via IdP / Access IdP integrations |
| Native FIDO2 / Passkey (native means implemented by the platform itself, not merely delegated to an external IdP) | Native (includes passkey/WebAuthn-style flows and hardware-backed attestation patterns) | No (generally delegated to the IdP) |
| Native TOTP | Yes | No |
| TPM / Device Trust | Native / hardware-backed | No |
| Workload Identity | OIDC assertions / workload identity | Service tokens / mTLS / Access apps |
| AI Agent Auth | OAuth2 / bearer / workload identity | Service tokens and MCP protection patterns |
| Anonymous / Public Access | Yes | No |
| SCIM Provisioning (automated user/group lifecycle provisioning via SCIM, beyond login-time IdP federation) | SCIM 2.0 compliant | SCIM via Access / IdP |
| **Authorization & Policy** | | |
| Policy Model | ABAC with CEL and OPA-oriented policy patterns. | Access rules, Gateway policies, device posture, IdP groups, service tokens, mTLS, geo/IP, and external evaluation patterns. |
| Policy-as-Code | CEL + OPA | Terraform/API; not a CEL/OPA product-native policy runtime |
| Per-Request Authz (for L7 products, each HTTP/gRPC/API/K8s request can be evaluated; for overlays, session/connection policy is not counted as per-request. This modeling choice structurally favors L7 gateways over network overlays.) | Yes | For Access-protected HTTP/MCP/web flows; not equivalent for all private network flows |
| L7-Aware Policies | HTTP, gRPC, K8s, DB, SSH, mTLS-related context | Strong HTTP/web policy; not DB/K8s query/verb semantics |
| Zero Standing Privilege / JIT (indicates strong architectural support for minimizing standing privilege, not an absolute claim that privileged access cannot exist) | Strong (designed to minimize static privilege through identity/policy-scoped access) | Partial |
| Access Requests / Approvals (first-class request-and-approve / break-glass workflows with reviewers and time-bound grants, as opposed to static policy alone) | Policy-scoped (access is policy/identity-scoped and can be time-bound; no first-class ticketed request-and-approve workflow in this dataset) | Policy + approvals via integrations; not a native PAM request workflow |
| Device Posture | TPM/FIDO2/device attributes | Yes |
| External Signal Integration | Yes | Yes |
| **NIST ZTA Alignment** | | |
| All data/services as resources | Yes | Yes |
| Secure communication regardless of network | WireGuard/QUIC and public HTTPS | Yes |
| Per-session / per-request access | Per-request for L7; per-session/connection for tunnels | Per-request for web/Access; network policies for private networking |
| Dynamic policy using multiple signals | Yes | Yes |
| Continuous monitoring / verification | OpenTelemetry-native visibility | Yes |
| No implicit trust zone | Identity/policy-mediated | Yes |
| Assume breach / least privilege | Yes | Yes |
| **L7 Protocol Awareness & Secretless Access** | | |
| HTTP / HTTPS | L7-aware + secretless credential injection | Access / reverse proxy |
| gRPC | Native L7 mode | Transport/web proxy patterns; not general gRPC semantic authz |
| SSH | Secretless / embedded SSH patterns | Browser/CLI access patterns |
| PostgreSQL | Secretless + query-aware policy/logging | Private network/proxy connectivity; not a query-aware secretless DB gateway |
| MySQL | Secretless + query-aware policy/logging | Private network/proxy connectivity; not a query-aware secretless DB gateway |
| Kubernetes | Secretless + verb/resource/namespace policy | Can protect access paths; not a native K8s verb/resource authz gateway |
| RDP | TCP passthrough | Browser-based RDP and client modes |
| DNS | Native private DNS mode | Gateway DNS filtering / private networking DNS patterns |
| mTLS / cert injection | Secretless mTLS / cert injection | mTLS/service auth; not generic upstream secretless cert injection |
| Raw TCP / UDP | TCP and UDP | Private network access through WARP/Tunnel |
| HTTP Manipulation | Native plugins including Lua, Envoy ExtProc, JSON schema validation, cache, rate limits | Transform Rules/WAF/Workers depending on product composition |
| **Transport & Networking** | | |
| WireGuard Data Plane (whether the product's own client/data plane is built on WireGuard, versus a proprietary or TLS-based transport) | Kernel / userspace (WireGuard via kernel module, TUN, or unprivileged userspace (wireguard-go) implementations) | WARP (uses a WireGuard-derived transport (BoringTun) alongside MASQUE/HTTP3; not a standard WireGuard mesh) |
| QUIC Transport (product-native QUIC transport/tunneling; experimental or internal-only QUIC is marked partial) | Full QUIC-based tunneling mode | QUIC / HTTP3 / MASQUE (QUIC and HTTP/3 are first-class across Cloudflare's edge and WARP transport) |
| IPv6 Support | Dual-stack (defaults to IPv6, with selectable IPv4-only or dual-stack cluster network ranges) | Yes |
| Embedded SSH (platform provides its own SSH server/CA or SSH implementation, rather than only tunneling an external sshd) | Secretless embedded SSH | Browser / short-lived cert SSH rather than an embedded SSH CA product |
| NAT Traversal | Via Gateways (reaches resources behind NAT through Cluster Gateways; client-to-Gateway path rather than a direct P2P mesh) | Partial (edge-terminated through Cloudflare's network, not a P2P data path) |
| **Visibility, Auditing & Observability** | | |
| OpenTelemetry-Native | OTLP-native (more precise than merely claiming a product "with OpenTelemetry") | No |
| L7-Aware Access Logs | HTTP/gRPC/K8s/DB/SSH identity-aware logs | HTTP/access/gateway logs; not DB query logs |
| SSH Session Recording | Yes | No |
| SIEM Integration | Via OTLP / OTel Collector | Logpush / SIEM integrations |
| Real-Time Streaming | Yes | Yes |
| Identity in Logs | Yes | Yes |
| **Access Methods** | | |
| Client-Based VPN / Overlay | WireGuard / QUIC | WARP client |
| Clientless Browser Access | Yes | Yes |
| Workload OAuth2 / Bearer | Yes | Service tokens / Access service auth |
| CLI / SDK Access | CLI + gRPC API | cloudflared / APIs |
| Private DNS | Yes | Private DNS/Gateway patterns, not a MagicDNS-style product focus |
| **Dynamic Configuration** | | |
| Dynamic Upstream Routing | Yes | Partial |
| Dynamic Credential Selection | Yes | No |
| Secrets Backend Integration (integration with external secret stores / KMS, e.g. Vault or cloud KMS, or native secretless credential handling) | Secretless injection (native secretless credential injection; credentials managed as Cluster resources) | No |
| GitOps / Declarative Config | Kubernetes-like resources / YAML | Terraform/API |
| Programmable API | gRPC | Yes |
| **SaaS / Public Cloud API Access** | | |
| Secretless SaaS API Access | Yes | No |
| AWS API Access | Via HTTP/API credential injection pattern | No |
| GCP / Azure API Access | Via the same API gateway pattern | No |
| Generic SaaS API Access | Any HTTP API with supported auth injection | No |
| **AI / MCP / Agent Compatibility** | | |
| AI / LLM Gateway | Yes | Workers/AI products exist; Access/Tunnel is not primarily an LLM gateway |
| MCP Gateway / MCP Access | MCP-oriented gateway/access patterns | Cloudflare Access can protect MCP servers |
| A2A / Agent-to-Agent Architecture | Identity-aware service/agent access | No |
| Agent Identity | Workload OIDC / OAuth2 client credentials | Partial |
| Deploy Containers / PaaS | Yes | No |
| **Gateway Capabilities** | | |
| API Gateway | Rate limit, cache, schema validation, Lua, ExtProc | WAF/Rules/Workers/API Shield composition |
| Kubernetes Ingress / Gateway | Yes | No |
| Reverse Proxy / Tunneling | Yes | Yes |
| **Scalability & Cloud-Nativeness** | | |
| Kubernetes-Native | Built on Kubernetes | SaaS edge; deploys connectors/operators but not a K8s-native product |
| Auto Horizontal Scaling | PEP/PDP can scale independently | SaaS edge |
| Separated PEP / PDP | Yes | SaaS-managed |
| High Availability | K8s-native HA model | Global edge |
| **Openness & Self-Hosting** | | |
| Fully Self-Hosted | Yes | No |
| Server Code Open Source | Yes | No |
| No Mandatory Proprietary Cloud | Yes | No |
| Data Sovereignty | Yes | No (traffic and control plane depend on Cloudflare's network for core workflows) |