A Complete, Scalable, Self-Hosted, Secure Remote Access Solution to Access any Internal Resource of any Type Running behind NAT Anywhere including Your Laptop, Private Clouds, IoT and Containers
A Unified Architecture to Provide Identity-aware, Context-based, L7-aware Zero Trust Access for Humans via their Browsers and Workloads via OAuth2 and Bearer Authentication to your Resources as well as Public Anonymous Access that can be used for Hosting and Testing your Web Apps and APIs
A PaaS-like Platform to Seamlessly Deploy, Scale and Provide Secure as well as Public Anonymous Access to your Dockerized Applications such as APIs and Web Applications Hosted on Public or Private Container Registries
Seamlessly Integrate any OpenID Connect or SAML 2.0 SSO Provider (IdP) as well as GitHub OAuth2 and Provide Secure Access to all your Resources for your Teams at Scale. Enforce Strong MFA via Phishing-Resistant FIDO2 Authenticators in Access Control to Sensitive Resources.
Application-layer Aware Access Control via Identity-based Context-aware ABAC and Policy-as-Code via CEL and Open Policy Agent (OPA)
A Unified Zero Trust Architecture that Supports both the Private VPN-like Client-based Mode over WireGuard/QUIC Tunnels as well as the Client-less Public BeyondCorp Mode via Browsers.
Provide Secretless Access to SSH Servers, HTTP-based APIs, Databases and mTLS-based Applications without the need for Sharing and Distributing L7 Credentials to Users
Unified, Stable Access for your Workloads written in any Programming Language to all your HTTP-based Resources via Standard OAuth2 Client-Credentials Flow and Bearer Authentication without having to use Special SDKs
OpenTelemetry-ready Layer-7 Aware, Real-Time Visibility and Auditing to Your Log Management and SIEM Providers
Dynamically Apply Native FIDO2 Passkey/WebAuthn, Time-based One-Time Password (TOTP) Authentication and TPM 2.0 Authentication. Enforce the Use of Attested Hardware-based FIDO2 Authenticators in your Access Control Decisions.
Designed to be Administered like Kubernetes in a DevOps/GitOps-friendly, Centralized and Declarative Way. The Cluster is furthermore fully Programmable over gRPC.