Solution

Open Source, Self-Hosted, Scalable ngrok Alternative for Developers, Teams and Enterprises

Everything you need, in one platform.

A Modern, Unified Remote Access Solution

A Complete, Scalable, Self-Hosted, Secure Remote Access Solution for Developers and Teams to Access any Internal Resource of any Type Running behind NAT Anywhere

Zero Trust Secure Access, and Public Anonymous Access too

A Unified Architecture to Provide Identity-aware, Context-based, L7-aware Zero Trust Access for Humans and Workloads to your Resources as well as Public Anonymous Access that can be used for Hosting and Testing your Web Apps and APIs

Client-based as well as Clientless Secure Access

A Unified Zero Trust Architecture that Supports both the Private VPN-like Client-based Mode over WireGuard/QUIC Tunnels as well as the Client-less Public BeyondCorp Mode via Browsers.

A Platform for Deployment, not just Access

Seamlessly Deploy Containers via Octelium and Provide Secure as well as Public Anonymous Access for your Containerized Microservices such as APIs, Blogs and Development as well as Production Web Applications.

Integrate with OpenID Connect and SAML SSO Providers

Seamlessly integrate any OpenID Connect or SAML 2.0 SSO Provider (IdP) as well as GitHub OAuth2 and Provide Secure Access to all your Resources for your Teams at Scale.

Secretless Access to SSH, APIs and Databases

Provide Secretless Access to SSH Servers, HTTP-based APIs, Databases and mTLS-based Applications without the need for Sharing and Distributing L7 Credentials to Users

Identity-based, L7 Aware Access Control

Application-layer Aware Access Control via Identity-based Context-aware ABAC and Policy-as-Code via CEL and Open Policy Agent (OPA)

Scalable Identity Management and Access via OAuth2

Unified, Stable Access for your Workloads written in any Programming Language to all your HTTP-based Resources via Standard OAuth2 Client-Credentials Flow and Bearer Authentication without having to use Special SDKs

OpenTelemetry-native Real-time Visibility

OpenTelemetry-ready Layer-7 Aware, Real-Time Visibility and Auditing to Your Log Management and SIEM Providers
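As an added illustration (not Octelium's own code, and not its resource or policy schema), the Python sketch below models the workload path described in the preceding sections end to end: the workload obtains a token through the standard OAuth2 client-credentials grant with nothing but HTTP Basic auth and a form body, an identity-aware proxy (the PEP) validates the bearer token and evaluates an ABAC rule on every HTTP request from identity, method, path and a device-attestation signal, injects the upstream credential itself on ALLOW so the caller never holds it, and emits one identity-aware structured log record per decision. The client IDs, secrets, paths, the HMAC token format and the policy rule are all constructed for the example; Octelium expresses policies in CEL/OPA and issues tokens from the Cluster, which this sketch does not reproduce.

```python
"""Toy identity-aware proxy (example only, not Octelium's implementation)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs

# Constructed registry data; assumption: in a real platform these are Cluster resources.
CLIENTS = {"billing-worker": {"secret": "s3cr3t-billing", "groups": ["billing"]}}
UPSTREAM_SECRETS = {"payments-api": "pk_live_REDACTED_FOR_EXAMPLE"}
SIGNING_KEY = secrets.token_bytes(32)  # shared by the token endpoint and the PEP


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(claims: dict) -> str:
    """Mint an opaque-to-the-caller bearer token: base64(claims).base64(HMAC)."""
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def _verify(token: str):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), mac):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > time.time() else None


def basic_auth_header(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def token_endpoint(authorization: str, form_body: str) -> dict:
    """RFC 6749 section 4.4 client-credentials grant; any HTTP client can do this."""
    user_pass = base64.b64decode(authorization.removeprefix("Basic ")).decode()
    client_id, _, client_secret = user_pass.partition(":")
    form = parse_qs(form_body)
    client = CLIENTS.get(client_id)
    if form.get("grant_type") != ["client_credentials"] or client is None \
            or not hmac.compare_digest(client["secret"], client_secret):
        return {"status": 401, "error": "invalid_client"}
    token = _sign({"sub": client_id, "groups": client["groups"], "exp": int(time.time()) + 300})
    return {"status": 200, "access_token": token, "token_type": "Bearer", "expires_in": 300}


def policy(ctx: dict) -> str:
    """Per-request ABAC rule (hypothetical; Octelium would express this in CEL/OPA)."""
    sub, req, dev = ctx["subject"], ctx["request"], ctx["device"]
    if "billing" in sub["groups"] and req["method"] == "GET" and req["path"].startswith("/v1/invoices"):
        return "ALLOW"
    # Writes additionally require an attested device (e.g. TPM/FIDO2-backed posture signal).
    if "billing" in sub["groups"] and req["method"] == "POST" and dev.get("attested"):
        return "ALLOW"
    return "DENY"


def pep_handle(request: dict, service: str = "payments-api") -> dict:
    """Authenticate, authorize this one request, inject the upstream credential, log."""
    auth = request["headers"].get("Authorization", "")
    claims = _verify(auth.removeprefix("Bearer ")) if auth.startswith("Bearer ") else None
    log = {"ts": int(time.time()), "service": service, "method": request["method"],
           "path": request["path"], "subject": claims["sub"] if claims else None}
    if claims is None:
        log["decision"] = "DENY"
        log["reason"] = "unauthenticated"
        return {"status": 401, "log": log}
    decision = policy({"subject": claims, "request": request, "device": request.get("device", {})})
    log["decision"] = decision
    if decision != "ALLOW":
        return {"status": 403, "log": log}
    # Secretless: the upstream API key is attached here and never handed to the caller.
    upstream = dict(request, headers={**request["headers"],
                                      "Authorization": f"Bearer {UPSTREAM_SECRETS[service]}"})
    return {"status": 200, "upstream": upstream, "log": log}


def demo_flow():
    """Token grant, then a read, an unattested write and an attested write."""
    tok = token_endpoint(basic_auth_header("billing-worker", "s3cr3t-billing"),
                         "grant_type=client_credentials")
    bearer = {"Authorization": f"Bearer {tok['access_token']}"}
    read = pep_handle({"method": "GET", "path": "/v1/invoices/42", "headers": bearer})
    write_plain = pep_handle({"method": "POST", "path": "/v1/invoices", "headers": bearer})
    write_attested = pep_handle({"method": "POST", "path": "/v1/invoices", "headers": bearer,
                                 "device": {"attested": True}})
    return tok, read, write_plain, write_attested


if __name__ == "__main__":
    for item in demo_flow():
        print(json.dumps(item.get("log", item), default=str))
```

The point to notice is where the secret lives: `UPSTREAM_SECRETS` is only ever read inside `pep_handle`, the workload only ever sees a short-lived bearer token, and the log record carries the subject and the decision for every single request rather than once per session.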

Centralized, Declarative and Programmable Management

Designed to be Administered like Kubernetes, in a DevOps/GitOps-friendly, Centralized and Declarative Way. The Cluster is furthermore fully Programmable over gRPC.

Dynamic, Native MFA and Login with FIDO2 Passkey, TPM 2.0 and TOTP

Dynamically Apply Native FIDO2 Passkey/WebAuthn, Time-based One-time Password (TOTP) and TPM 2.0 Authentication. Enforce the Use of Attested, Hardware-backed FIDO2 Authenticators in your Access Control Decisions.

Get started

Deploy Octelium on your own infrastructure in minutes.

Free and open source. Self-hosted. No vendor lock-in.

Capability | Octelium (Unified Access Platform) | ngrok (Developer Tunnel / Gateway)

Architecture

Capability | Octelium | ngrok
---|---|---
Architecture | Kubernetes-native identity-aware proxy/gateway architecture with separated PEP/PDP planes, client-based WireGuard/QUIC access, clientless BeyondCorp access, declarative resources, and self-hosted control/data planes. | Cloud-hosted reverse proxy/gateway with agents connecting private services to ngrok's edge. Endpoint and Traffic Policy model for routing, inspection, and traffic actions.

Authentication

Capability | Octelium | ngrok
---|---|---
OpenID Connect | Yes | Yes
SAML 2.0 | Yes | Yes
GitHub OAuth2 | Yes | Yes
Native FIDO2 / Passkey (native: implemented by the platform itself, not merely delegated to an external IdP) | Native: passkey/WebAuthn-style flows and hardware-backed attestation patterns | No
Native TOTP | Yes | No
TPM / Device Trust | Native, hardware-backed | No
Workload Identity | OIDC assertions / workload identity | No
AI Agent Auth | OAuth2 / bearer / workload identity | Partial
Anonymous / Public Access | Yes | Yes: public endpoints supported
SCIM Provisioning (automated user/group lifecycle provisioning via SCIM, beyond login-time IdP federation) | SCIM 2.0 compliant | SSO/SCIM on higher tiers; verify current plan availability

Authorization & Policy

Capability | Octelium | ngrok
---|---|---
Policy Model | ABAC with CEL and OPA-oriented policy patterns | Traffic Policy language and endpoint access controls
Policy-as-Code | CEL + OPA | Traffic Policy
Per-Request Authz (for L7 products, each HTTP/gRPC/API/K8s request can be evaluated; for overlays, session/connection policy is not counted as per-request, a modeling choice that structurally favors L7 gateways over network overlays) | Yes | HTTP/endpoint policy
L7-Aware Policies | HTTP, gRPC, K8s, DB, SSH, mTLS-related context | HTTP/API traffic policy
Zero Standing Privilege / JIT (indicates strong architectural support for minimizing standing privilege; not an absolute claim that privileged access cannot exist) | Strong: designed to minimize static privilege through identity/policy-scoped access | No
Access Requests / Approvals (first-class request-and-approve / break-glass workflows with reviewers and time-bound grants, as opposed to static policy alone) | Policy-scoped: access is policy/identity-scoped and can be time-bound; no first-class ticketed request-and-approve workflow in this dataset | No
Device Posture | TPM/FIDO2/device attributes | No
External Signal Integration | Yes | No

NIST ZTA Alignment

Capability | Octelium | ngrok
---|---|---
All data/services as resources | Yes | Partial
Secure communication regardless of network | WireGuard/QUIC and public HTTPS | Yes
Per-session / per-request access | Per-request for L7; per-session/connection for tunnels | HTTP/API endpoints
Dynamic policy using multiple signals | Yes | Partial
Continuous monitoring / verification | OpenTelemetry-native visibility | Partial
No implicit trust zone | Identity/policy-mediated | Partial
Assume breach / least privilege | Yes | Partial

L7 Protocol Awareness & Secretless Access

Capability | Octelium | ngrok
---|---|---
HTTP / HTTPS | L7-aware + secretless credential injection | L7 gateway
gRPC | Native L7 mode | Partial
SSH | Secretless / embedded SSH patterns | No
PostgreSQL | Secretless + query-aware policy/logging | No
MySQL | Secretless + query-aware policy/logging | No
Kubernetes | Secretless + verb/resource/namespace policy | K8s operator/exposure; not a K8s semantic authz gateway
RDP | TCP passthrough | No
DNS | Native private DNS mode | No
mTLS / cert injection | Secretless mTLS / cert injection | TLS/mTLS features; not broad secretless injection
Raw TCP / UDP | TCP and UDP | TCP endpoints; UDP is not a core capability
HTTP Manipulation | Native plugins including Lua, Envoy ExtProc, JSON schema validation, cache, rate limits | Traffic Policy actions

Transport & Networking

Capability | Octelium | ngrok
---|---|---
WireGuard Data Plane (whether the product's own client/data plane is built on WireGuard, versus a proprietary or TLS-based transport) | Kernel / userspace: WireGuard via kernel module, TUN, or unprivileged userspace (wireguard-go) implementations | No
QUIC Transport (product-native QUIC transport/tunneling; experimental or internal-only QUIC is marked Partial) | Full QUIC-based tunneling mode | Unknown: agent transport is TLS/TCP-oriented; edge HTTP/3 behavior not confirmed in this dataset
IPv6 Support | Dual-stack: defaults to IPv6, with selectable IPv4-only or dual-stack cluster network ranges | Edge endpoint addressing
Embedded SSH (the platform provides its own SSH server/CA or SSH implementation, rather than only tunneling an external sshd) | Secretless embedded SSH | No: can expose an SSH service over a TCP tunnel, but is not an embedded SSH gateway
NAT Traversal | Via Gateways: reaches resources behind NAT through Cluster Gateways, over a client-to-Gateway path rather than a direct P2P mesh | Partial: edge-relayed through ngrok's network, not P2P

Visibility, Auditing & Observability

Capability | Octelium | ngrok
---|---|---
OpenTelemetry-Native | OTLP-native (stated as native OTLP export rather than mere OpenTelemetry compatibility) | No
L7-Aware Access Logs | HTTP/gRPC/K8s/DB/SSH identity-aware logs | Inspection/replay/logs
SSH Session Recording | Yes | No
SIEM Integration | Via OTLP / OTel Collector | Yes
Real-Time Streaming | Yes | Yes
Identity in Logs | Yes | Partial

Access Methods

Capability | Octelium | ngrok
---|---|---
Client-Based VPN / Overlay | WireGuard / QUIC | No
Clientless Browser Access | Yes | Public/protected web endpoints
Workload OAuth2 / Bearer | Yes | No
CLI / SDK Access | CLI + gRPC API | CLI, SDKs, API
Private DNS | Yes | No

Dynamic Configuration

Capability | Octelium | ngrok
---|---|---
Dynamic Upstream Routing | Yes | Endpoint pools / traffic policy
Dynamic Credential Selection | Yes | No
Secrets Backend Integration (integration with external secret stores / KMS, e.g. Vault or cloud KMS, or native secretless credential handling) | Secretless injection: native secretless credential injection, with credentials managed as Cluster resources | No
GitOps / Declarative Config | Kubernetes-like resources / YAML | YAML/Terraform/K8s
Programmable API | gRPC | Yes

SaaS / Public Cloud API Access

Capability | Octelium | ngrok
---|---|---
Secretless SaaS API Access | Yes | No
AWS API Access | Via HTTP/API credential injection pattern | No
GCP / Azure API Access | Via the same API gateway pattern | No
Generic SaaS API Access | Any HTTP API with supported auth injection | No

AI / MCP / Agent Compatibility

Capability | Octelium | ngrok
---|---|---
AI / LLM Gateway | Yes | AI gateway positioning
MCP Gateway / MCP Access | MCP-oriented gateway/access patterns | Partial
A2A / Agent-to-Agent Architecture | Identity-aware service/agent access | No
Agent Identity | Workload OIDC / OAuth2 client credentials | Partial
Deploy Containers / PaaS | Yes | No

Gateway Capabilities

Capability | Octelium | ngrok
---|---|---
API Gateway | Rate limit, cache, schema validation, Lua, ExtProc | Native gateway / traffic policy
Kubernetes Ingress / Gateway | Yes | K8s operator / gateway patterns
Reverse Proxy / Tunneling | Yes | Yes

Scalability & Cloud-Nativeness

Capability | Octelium | ngrok
---|---|---
Kubernetes-Native | Built on Kubernetes | Partial
Auto Horizontal Scaling | PEP/PDP can scale independently | SaaS edge
Separated PEP / PDP | Yes | SaaS-managed
High Availability | K8s-native HA model | SaaS edge

Openness & Self-Hosting

Capability | Octelium | ngrok
---|---|---
Fully Self-Hosted | Yes | No
Server Code Open Source | Yes | No
No Mandatory Proprietary Cloud | Yes | No
Data Sovereignty | Yes | No