
Modern, Open Source, Self-Hosted Alternative to Fortinet

Everything you need, in one platform.

A Unified Zero Trust Access Platform

A Unified, Open Source, Self-Hosted Zero Trust Access Platform that can Operate as a Comprehensive ZTNA/BeyondCorp Platform for Teams and Workloads to Access all your Infrastructure at any Scale

A Unified Architecture for Client-based and Clientless Access

A Unified Scalable Architecture Built on top of Kubernetes to Provide both Zero-Config Client-based Access over Modern WireGuard/QUIC Tunneling with Centralized Private DNS as well as Public Clientless BeyondCorp and even Anonymous Access

Secretless Access to APIs, SSH and Databases

Provide Dynamic Secretless Access to HTTP-based Resources without sharing API Keys and Access Tokens, PostgreSQL and MySQL Databases without sharing Passwords, SSH Servers without Managing Keys and Certificates, Kubernetes Clusters without sharing Kubeconfigs

A Platform for Deployment, not just Access

A PaaS-like Platform to Effortlessly Deploy, Scale and Provide Secure Access to Containerized Applications of any Kind.

Application-layer Aware Access Control

Access Control at the Application Layer (L7) (e.g. HTTP paths and methods, Kubernetes namespaces and verbs, PostgreSQL queries, etc.) using Identity-aware Proxies (IAPs) and Context-aware Policy-as-Code with CEL and OPA

Secretless Access to your SaaS, not just Internal Resources

Seamlessly Provide Secure Secretless Access for Humans and Workloads to your SaaS APIs without sharing API keys, Access Tokens or OAuth2 Credentials, as well as to Public SaaS PostgreSQL and MySQL-based Databases without Sharing Passwords

Built for Scalability and Availability

A Scalable Platform Built on top of Kubernetes for Automatic Horizontal Scalability and Availability

Centralized, Declarative and Programmable Management

Designed to be Administered like Kubernetes, in a DevOps/GitOps-friendly, Centralized and Declarative Way. The Cluster is furthermore fully Programmable over gRPC.

Integrate your OIDC/SAML SSO Providers

Seamlessly integrate any OpenID Connect or SAML 2.0 SSO Provider as well as GitHub OAuth2. Enforce Strong MFA with Phishing-Resistant FIDO2 Authenticators in Access Control Decisions for Sensitive Resources.

OpenTelemetry-native Real-time Visibility

OpenTelemetry-ready Layer-7 Aware, Real-Time Visibility and Auditing to Your Log Management and SIEM Providers

Eliminate VPN Problems

Eliminate Traditional VPN Problems: Use a Single Stable Route instead of Injecting Countless Routes into Your Users' Clients. Effortless Dual-Stack Networking Regardless of the Support at the Upstream. Seamless, Unified, Automatic Private DNS.

Dynamic, Native MFA and Login with FIDO2 Passkey, TPM 2.0 and TOTP

Dynamically Apply Native FIDO2 Passkey/WebAuthn, Time-based one-time Password (TOTP) Authentication and TPM 2.0 Authentication. Enforce Using Attested Hardware-based FIDO2 Authenticators in your Access Control Decisions.
Get started

Deploy Octelium on your own infrastructure in minutes.

Free and open source. Self-hosted. No vendor lock-in.

Capability comparison. Columns: Octelium (Base: Unified Access Platform) vs. Fortinet FortiClient ZTNA (Enterprise Security Fabric). Notes that qualify a rating are given in parentheses.

Architecture

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| Architecture | Kubernetes-native identity-aware proxy/gateway architecture with separated PEP/PDP planes, client-based WireGuard/QUIC access, clientless BeyondCorp access, declarative resources, and self-hosted control/data planes. | FortiGate appliance/gateway plus FortiClient EMS posture management and FortiClient endpoint agent. Hardware/software security fabric architecture. |

Authentication

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| OpenID Connect | Yes | Yes |
| SAML 2.0 | Yes | Yes |
| GitHub OAuth2 | Yes | No |
| Native FIDO2 / Passkey (native means implemented by the platform itself, not merely delegated to an external IdP) | Native (includes passkey/WebAuthn-style flows and hardware-backed attestation patterns) | No |
| Native TOTP | Yes | No |
| TPM / Device Trust | Native / hardware-backed | No |
| Workload Identity | OIDC assertions / workload identity | No |
| AI Agent Auth | OAuth2 / bearer / workload identity | No |
| Anonymous / Public Access | Yes | No |
| SCIM Provisioning (automated user/group lifecycle provisioning via SCIM, beyond login-time IdP federation) | SCIM 2.0 compliant | FortiAuthenticator / EMS; SCIM support varies by component |

Authorization & Policy

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| Policy Model | ABAC with CEL and OPA-oriented policy patterns. | Fortinet tags, groups, EMS posture, firewall/security fabric policy, and RBAC-style administration. |
| Policy-as-Code | CEL + OPA | No |
| Per-Request Authz (for L7 products, each HTTP/gRPC/API/K8s request can be evaluated; for overlays, session/connection policy is not counted as per-request. This modeling choice structurally favors L7 gateways over network overlays.) | Yes | No (primarily session/network/security-policy oriented) |
| L7-Aware Policies | HTTP, gRPC, K8s, DB, SSH, mTLS-related context | Partial |
| Zero Standing Privilege / JIT (indicates strong architectural support for minimizing standing privilege; not an absolute claim that privileged access cannot exist) | Strong (designed to minimize static privilege through identity/policy-scoped access) | No |
| Access Requests / Approvals (first-class request-and-approve / break-glass workflows with reviewers and time-bound grants, as opposed to static policy alone) | Policy-scoped (access is policy/identity-scoped and can be time-bound; no first-class ticketed request-and-approve workflow in this dataset) | No |
| Device Posture | TPM/FIDO2/device attributes | FortiClient EMS |
| External Signal Integration | Yes | FortiGuard / Security Fabric |

NIST ZTA Alignment

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| All data/services as resources | Yes | Partial |
| Secure communication regardless of network | WireGuard/QUIC and public HTTPS | Yes |
| Per-session / per-request access | Per-request for L7; per-session/connection for tunnels | Partial |
| Dynamic policy using multiple signals | Yes | Partial |
| Continuous monitoring / verification | OpenTelemetry-native visibility | Yes |
| No implicit trust zone | Identity/policy-mediated | Partial |
| Assume breach / least privilege | Yes | Partial |

L7 Protocol Awareness & Secretless Access

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| HTTP / HTTPS | L7-aware + secretless credential injection | Partial |
| gRPC | Native L7 mode | No |
| SSH | Secretless / embedded SSH patterns | No |
| PostgreSQL | Secretless + query-aware policy/logging | No |
| MySQL | Secretless + query-aware policy/logging | No |
| Kubernetes | Secretless + verb/resource/namespace policy | No |
| RDP | TCP passthrough | Partial |
| DNS | Native private DNS mode | FortiGuard DNS/security features |
| mTLS / cert injection | Secretless mTLS / cert injection | No |
| Raw TCP / UDP | TCP and UDP | TCP-oriented; firewall/VPN policies |
| HTTP Manipulation | With native plugins including Lua, Envoy ExtProc, JSON schema validation, cache, rate limits | No |

Transport & Networking

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| WireGuard Data Plane (whether the product's own client/data plane is built on WireGuard, versus a proprietary or TLS-based transport) | Kernel / userspace (WireGuard via kernel module, TUN, or unprivileged userspace (wireguard-go) implementations) | No (IPsec / SSL VPN and ZTNA agent transport, not WireGuard) |
| QUIC Transport (product-native QUIC transport/tunneling; experimental or internal-only QUIC is marked partial) | Full QUIC-based tunneling mode | No |
| IPv6 Support | Dual-stack (defaults to IPv6, with selectable IPv4-only or dual-stack cluster network ranges) | Enterprise IPv6 |
| Embedded SSH (platform provides its own SSH server/CA or SSH implementation, rather than only tunneling an external sshd) | Secretless embedded SSH | No |
| NAT Traversal | Via Gateways (reaches resources behind NAT through Cluster Gateways; client-to-Gateway path rather than a direct P2P mesh) | Partial |

Visibility, Auditing & Observability

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| OpenTelemetry-Native | OTLP-native (a more precise claim than merely listing OpenTelemetry support) | No |
| L7-Aware Access Logs | HTTP/gRPC/K8s/DB/SSH identity-aware logs | Partial |
| SSH Session Recording | Yes | No |
| SIEM Integration | Via OTLP / OTel Collector | FortiAnalyzer/FortiSIEM |
| Real-Time Streaming | Yes | Yes |
| Identity in Logs | Yes | Partial |

Access Methods

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| Client-Based VPN / Overlay | WireGuard / QUIC | FortiClient / SSL VPN / ZTNA agent |
| Clientless Browser Access | Yes | No |
| Workload OAuth2 / Bearer | Yes | No |
| CLI / SDK Access | CLI + gRPC API | APIs/management tooling; FortiClient for users |
| Private DNS | Yes | No |

Dynamic Configuration

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| Dynamic Upstream Routing | Yes | No |
| Dynamic Credential Selection | Yes | No |
| Secrets Backend Integration (integration with external secret stores / KMS, e.g. Vault or cloud KMS, or native secretless credential handling) | Secretless injection (native secretless credential injection; credentials managed as Cluster resources) | Security Fabric integrations; not a developer secret-store model |
| GitOps / Declarative Config | Kubernetes-like resources / YAML | No |
| Programmable API | gRPC | Yes |

SaaS / Public Cloud API Access

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| Secretless SaaS API Access | Yes | No |
| AWS API Access | Via HTTP/API credential injection pattern | No |
| GCP / Azure API Access | Via the same API gateway pattern | No |
| Generic SaaS API Access | Any HTTP API with supported auth injection | No |

AI / MCP / Agent Compatibility

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| AI / LLM Gateway | Yes | No |
| MCP Gateway / MCP Access | MCP-oriented gateway/access patterns | No |
| A2A / Agent-to-Agent Architecture | Identity-aware service/agent access | No |
| Agent Identity | Workload OIDC / OAuth2 client credentials | No |
| Deploy Containers / PaaS | Yes | No |

Gateway Capabilities

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| API Gateway | Rate limit, cache, schema validation, Lua, ExtProc | FortiGate/WAF composition, not a developer API gateway |
| Kubernetes Ingress / Gateway | Yes | No |
| Reverse Proxy / Tunneling | Yes | No |

Scalability & Cloud-Nativeness

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| Kubernetes-Native | Built on Kubernetes | No |
| Auto Horizontal Scaling | PEP/PDP can scale independently | No (appliance/cluster oriented) |
| Separated PEP / PDP | Yes | No |
| High Availability | K8s-native HA model | HA clustering |

Openness & Self-Hosting

| Capability | Octelium (Base) | Fortinet FortiClient ZTNA |
|---|---|---|
| Fully Self-Hosted | Yes | On-prem appliance, but proprietary ecosystem |
| Server Code Open Source | Yes | No |
| No Mandatory Proprietary Cloud | Yes | On-prem possible, but proprietary Fortinet stack |
| Data Sovereignty | Yes | On-prem deployments |