
Modern, Open Source, Self-Hosted Alternative to StrongDM

Everything you need, in one platform.

A Unified Zero Trust Access Platform

A unified access platform that can operate as a comprehensive ZTNA/BeyondCorp platform, a scalable remote-access VPN, an API/AI/MCP gateway, and a PaaS-like platform for secure as well as anonymous access.

A Unified Architecture for Client-based and Clientless Access

A unified, scalable architecture on top of Kubernetes that provides zero-config client-based access over WireGuard/QUIC with centralized private DNS, as well as public clientless BeyondCorp access and even anonymous access.

Secretless Access to APIs, SSH, Kubernetes and Databases

Provide dynamic secretless access to HTTP-based resources without sharing API keys, to PostgreSQL and MySQL databases without sharing passwords, to SSH servers without managing keys and certificates, and to Kubernetes clusters without sharing kubeconfigs.

Secretless SSH Access at Scale

Effortless passwordless Zero Trust SSH access without any changes to your SSH servers or clients. Seamless, secretless SSH access to hosts without SSH servers, such as containers and IoT fleets, via embedded SSH servers running within Octelium clients.

A Platform for Deployment, not just Access

A PaaS-like platform to effortlessly deploy, scale and secure access to containerized applications of any kind.

Application-layer Aware Access Control

Access control at the application layer (L7) (e.g. HTTP paths and methods, Kubernetes namespaces and verbs, PostgreSQL queries, etc.) using identity-aware proxies (IAPs) with context-aware policy-as-code via CEL and OPA.

Built for Scalability and Availability

A scalable platform built on top of Kubernetes for automatic horizontal scalability and availability. Eliminate the need to manually deploy and scale gateways or open ports in your different upstream regions and clouds.

Centralized, Declarative and Programmable Management

Designed to be administered like Kubernetes, in a DevOps/GitOps-friendly, centralized and declarative way. The Cluster is furthermore fully programmable over gRPC.

Integrate your OIDC/SAML SSO Providers

Seamlessly integrate any OpenID Connect or SAML 2.0 SSO provider as well as GitHub OAuth2. Enforce strong MFA via FIDO2 phishing-resistant authenticators in access control to sensitive resources.

OpenTelemetry-native Real-time Visibility

OpenTelemetry-ready, Layer-7-aware, real-time visibility and auditing to your log management and SIEM providers.

Identity-based, L7-aware Dynamic Routing

Dynamically route to different upstreams, such as multiple databases/APIs, or the same database/API with multiple credentials mapping to different permissions and accounts, based on identity and context.

Dynamic, Native MFA and Login with FIDO2 Passkey, TPM 2.0 and TOTP

Dynamically apply native FIDO2 passkey/WebAuthn, time-based one-time password (TOTP) and TPM 2.0 authentication. Enforce the use of attested hardware-based FIDO2 authenticators in your access control decisions.

Eliminate VPN Problems

Eliminate traditional VPN problems: use a single stable route instead of injecting countless routes into your users' clients. Effortless dual-stack networking regardless of upstream support. Seamless, unified, automatic private DNS.

Get started

Deploy Octelium on your own infrastructure in minutes.

Free and open source. Self-hosted. No vendor lock-in.

Architecture

| Capability | Octelium (base): Unified Access Platform | StrongDM: Infrastructure Access / PAM |
|---|---|---|
| Architecture | Kubernetes-native identity-aware proxy/gateway architecture with separated PEP/PDP planes, client-based WireGuard/QUIC access, clientless BeyondCorp access, declarative resources, and self-hosted control/data planes. | SaaS control plane with customer-deployed gateways/relays. Protocol-aware access broker for databases, servers, Kubernetes, and web apps. |

Authentication

| Capability | Octelium | StrongDM |
|---|---|---|
| OpenID Connect | Yes | Yes |
| SAML 2.0 | Yes | Yes |
| GitHub OAuth2 | Yes | Yes |
| Native FIDO2 / Passkey ("native" means implemented by the platform itself, not merely delegated to an external IdP) | Native (includes passkey/WebAuthn-style flows and hardware-backed attestation patterns) | No (generally delegated to the IdP) |
| Native TOTP | Yes | No |
| TPM / Device Trust | Native / hardware-backed | No |
| Workload Identity | OIDC assertions / workload identity | Partial |
| AI Agent Auth | OAuth2 / bearer / workload identity | Partial |
| Anonymous / Public Access | Yes | No |
| SCIM Provisioning (automated user/group lifecycle provisioning via SCIM, beyond login-time IdP federation alone) | SCIM 2.0 compliant | SCIM / IdP provisioning |

Authorization & Policy

| Capability | Octelium | StrongDM |
|---|---|---|
| Policy Model | ABAC with CEL and OPA-oriented policy patterns. | RBAC/ABAC, JIT access, privileged access workflows, and runtime authorization concepts. |
| Policy-as-Code | CEL + OPA | Terraform/API |
| Per-Request Authz (for L7 products, each HTTP/gRPC/API/K8s request can be evaluated; for overlays, session/connection policy is not counted as per-request. This modeling choice structurally favors L7 gateways over network overlays.) | Yes | Protocol/action dependent |
| L7-Aware Policies | HTTP, gRPC, K8s, DB, SSH, mTLS-related context | DB/SSH/K8s access and logging patterns |
| Zero Standing Privilege / JIT (indicates strong architectural support for minimizing standing privilege; not an absolute claim that privileged access cannot exist) | Strong (designed to minimize static privilege through identity/policy-scoped access) | JIT / Delinea ZSP positioning |
| Access Requests / Approvals (first-class request-and-approve / break-glass workflows with reviewers and time-bound grants, as opposed to static policy alone) | Policy-scoped (access is policy/identity-scoped and can be time-bound; no first-class ticketed request-and-approve workflow in this dataset) | JIT access requests / approvals |
| Device Posture | TPM/FIDO2/device attributes | Yes |
| External Signal Integration | Yes | Partial |

NIST ZTA Alignment

| Capability | Octelium | StrongDM |
|---|---|---|
| All data/services as resources | Yes | Yes |
| Secure communication regardless of network | WireGuard/QUIC and public HTTPS | Yes |
| Per-session / per-request access | Per-request for L7; per-session/connection for tunnels | Session/action-focused |
| Dynamic policy using multiple signals | Yes | Yes |
| Continuous monitoring / verification | OpenTelemetry-native visibility | Yes |
| No implicit trust zone | Identity/policy-mediated | Yes |
| Assume breach / least privilege | Yes | Yes |

L7 Protocol Awareness & Secretless Access

| Capability | Octelium | StrongDM |
|---|---|---|
| HTTP / HTTPS | L7-aware + secretless credential injection | Web app access |
| gRPC | Native L7 mode | No |
| SSH | Secretless / embedded SSH patterns | Server access / recording |
| PostgreSQL | Secretless + query-aware policy/logging | Query logging / DB access |
| MySQL | Secretless + query-aware policy/logging | Query logging / DB access |
| Kubernetes | Secretless + verb/resource/namespace policy | Yes |
| RDP | TCP passthrough | Yes |
| DNS | Native private DNS mode | No |
| mTLS / cert injection | Secretless mTLS / cert injection | No |
| Raw TCP / UDP | TCP and UDP | TCP-oriented infra protocols |
| HTTP Manipulation | With native plugins including Lua, Envoy ExtProc, JSON schema validation, cache, rate limits | No |

Transport & Networking

| Capability | Octelium | StrongDM |
|---|---|---|
| WireGuard Data Plane (whether the product's own client/data plane is built on WireGuard, versus a proprietary or TLS-based transport) | Kernel / userspace (WireGuard via kernel module, TUN, or unprivileged userspace (wireguard-go) implementations) | No |
| QUIC Transport (product-native QUIC transport/tunneling; experimental or internal-only QUIC is marked partial) | Full QUIC-based tunneling mode | No |
| IPv6 Support | Dual-stack (defaults to IPv6, with selectable IPv4-only or dual-stack cluster network ranges) | Unknown (not documented in this dataset; verify against current StrongDM/Delinea docs) |
| Embedded SSH (platform provides its own SSH server/CA or SSH implementation, rather than only tunneling an external sshd) | Secretless embedded SSH | Protocol-aware SSH proxy with recording rather than an embedded SSH CA |
| NAT Traversal | Via Gateways (reaches resources behind NAT through Cluster Gateways; client-to-Gateway path rather than a direct P2P mesh) | Partial (gateway/relay broker model, not P2P) |

Visibility, Auditing & Observability

| Capability | Octelium | StrongDM |
|---|---|---|
| OpenTelemetry-Native | OTLP-native (a more precise claim than generic OpenTelemetry support) | No |
| L7-Aware Access Logs | HTTP/gRPC/K8s/DB/SSH identity-aware logs | Yes |
| SSH Session Recording | Yes | Yes |
| SIEM Integration | Via OTLP / OTel Collector | Yes |
| Real-Time Streaming | Yes | Yes |
| Identity in Logs | Yes | Yes |

Access Methods

| Capability | Octelium | StrongDM |
|---|---|---|
| Client-Based VPN / Overlay | WireGuard / QUIC | No |
| Clientless Browser Access | Yes | Web UI/app access; client typically needed for many infra protocols |
| Workload OAuth2 / Bearer | Yes | No |
| CLI / SDK Access | CLI + gRPC API | sdm CLI / API |
| Private DNS | Yes | No |

Dynamic Configuration

| Capability | Octelium | StrongDM |
|---|---|---|
| Dynamic Upstream Routing | Yes | No |
| Dynamic Credential Selection | Yes | Partial |
| Secrets Backend Integration (integration with external secret stores / KMS, e.g. Vault or cloud KMS, or native secretless credential handling) | Secretless injection (native secretless credential injection; credentials managed as Cluster resources) | Secret store / credential management integrations |
| GitOps / Declarative Config | Kubernetes-like resources / YAML | Terraform/API |
| Programmable API | gRPC | Yes |

SaaS / Public Cloud API Access

| Capability | Octelium | StrongDM |
|---|---|---|
| Secretless SaaS API Access | Yes | No |
| AWS API Access | Via HTTP/API credential injection pattern | Partial |
| GCP / Azure API Access | Via the same API gateway pattern | Partial |
| Generic SaaS API Access | Any HTTP API with supported auth injection | No |

AI / MCP / Agent Compatibility

| Capability | Octelium | StrongDM |
|---|---|---|
| AI / LLM Gateway | Yes | No |
| MCP Gateway / MCP Access | MCP-oriented gateway/access patterns | No |
| A2A / Agent-to-Agent Architecture | Identity-aware service/agent access | No |
| Agent Identity | Workload OIDC / OAuth2 client credentials | Partial |
| Deploy Containers / PaaS | Yes | No |

Gateway Capabilities

| Capability | Octelium | StrongDM |
|---|---|---|
| API Gateway | Rate limit, cache, schema validation, Lua, ExtProc | No |
| Kubernetes Ingress / Gateway | Yes | No |
| Reverse Proxy / Tunneling | Yes | Partial |

Scalability & Cloud-Nativeness

| Capability | Octelium | StrongDM |
|---|---|---|
| Kubernetes-Native | Built on Kubernetes | No |
| Auto Horizontal Scaling | PEP/PDP can scale independently | SaaS + gateways |
| Separated PEP / PDP | Yes | No |
| High Availability | K8s-native HA model | Yes |

Openness & Self-Hosting

| Capability | Octelium | StrongDM |
|---|---|---|
| Fully Self-Hosted | Yes | No |
| Server Code Open Source | Yes | No |
| No Mandatory Proprietary Cloud | Yes | No |
| Data Sovereignty | Yes | No |