Octelium is a self-hosted, unified platform for zero trust resource access, designed as a modern alternative to VPNs, ZTNA solutions, and secure tunneling tools. It targets developers, IT administrators, and homelab enthusiasts seeking granular, identity-based access control for both human users and workloads to internal and public resources.

How It Works

Octelium implements a scalable zero trust architecture (ZTA) using identity-aware proxies (IAPs) at the application layer (L7). It supports both client-based access via WireGuard/QUIC tunnels and clientless, browser-based access. Access control is managed via policy-as-code, using CEL or OPA, enabling fine-grained, context-aware authorization based on identity, request attributes, and even time of day. This approach eliminates the need for traditional VPNs and secret management for accessing various services like HTTP APIs, databases, and SSH.

Quick Start & Requirements

• Install CLI: curl -fsSL https://octelium.com/install.sh | sh (Linux/macOS) or iwr https://octelium.com/install.ps1 -useb | iex (Windows PowerShell).
• Install Cluster: Requires a Linux VM/VPS (Ubuntu 24.04 LTS+, Debian 12+) with at least 2GB RAM and 20GB disk. Installation command: ./install-demo-cluster.sh --domain <your-domain> after downloading the script.
• Prerequisites: Kubernetes (single-node sufficient for initial setup), a domain name.
• Links: Try in Codespace, Install Guide, CLI Tools.

Highlighted Details

• Unified platform for humans and workloads.
• Secret-less access to HTTP APIs, SSH, Kubernetes, and databases.
• Policy-as-code access control using CEL/OPA.
• Supports OIDC/SAML for identity providers and OIDC assertions for workloads.
• OpenTelemetry-ready auditing and visibility.
• Dual-stack networking support (IPv4/IPv6) with automatic private DNS.

Maintenance & Community

The project is in public beta, developed by George Badawi of Octelium Labs LLC. External contributions are not currently accepted.

• Support: Octelium Docs, Discord Community, Slack Community, Reddit Community.

Licensing & Compatibility

• Client components: Apache 2.0 License.
• Cluster components: GNU Affero General Public License v3.0 (AGPLv3).
• A commercial license is available as an alternative to AGPLv3. AGPLv3 may have implications for linking with closed-source applications.

Limitations & Caveats

The project is in public beta with known bugs. While core architecture is stable, external contributions are not currently accepted, potentially impacting development velocity and bus factor.