Show HN: Octelium – L7-Aware ZeroTrust Remote Access ZTNA over WireGuard and K8s (github.com)

2 points by geoctl ↗ HN
Hello HN, I've been working solo on Octelium for years now and I'd love to get some honest opinions from you. Octelium is simply an open source, self-hosted, unified platform for zero trust resource access that is primarily meant to be a modern alternative to corporate VPNs and remote access tools. It is built to be generic enough to not only operate as a a zero-config remote access VPN (i.e. alternative to OpenVPN Access Server, Twingate, Tailscale, etc...), ZTNA/BeyondCorp platform (i.e. alternative to Cloudflare Zero Trust, Google BeyondCorp, Zscaler Private Access, Teleport, etc...), a scalable infrastructure for secure tunnels (i.e. alternative to ngrok, Cloudflare Tunnels, etc...), but also can operate as an API gateway, an AI gateway, a secure infrastructure for MCP gateways and A2A architectures, a PaaS-like platform for secure as well as anonymous hosting and deployment for containerized applications, a Kubernetes gateway/ingress/load balancer and even as an infrastructure for your own homelab.

Octelium provides a scalable zero trust architecture (ZTA) for identity-based, application-layer (L7) aware secret-less secure access (eliminating the distribution of L7 credentials such as API keys, SSH and postgres/mysqal-based databases' passwords as well as mTLS certs), via both private client-based access over WireGuard/QUIC tunnels as well as public clientless access, for users, both humans and workloads, to any private/internal resource behind NAT in any environment as well as to publicly protected resources such as SaaS APIs and databases via identity-based, context-aware, L7 aware ABAC on a per-request basis through centralized policy-as-code with CEL and OPA.

You can read more in detail about the features and how octelium works in the documentation https://octelium.com/docs

3 comments

[ 3.1 ms ] story [ 16.0 ms ] thread
This is very interesting.

I love the code being AGPLv3, this means i can actually trust you not to pull the rug from under my feet.

Thank you. The harsh reality is that I've been undecided on the license for years while working the project (the initial private repo had it all AGPLv3 as opposed to only the Cluster side in this public repo). The reason for choosing it AGPL for Cluster-side/Apache for client-side is that I am basically working on it solo and I have neither the funding nor the press to prove that that my work is the original work of any derivative proprietary work. Also the license issue is very weird to say the least, If I release it fully Apache, it might mean to some that I am probably pulling the rug at some point like many others who did even if I have no intention to do so. If I release it fully AGPL, some might see this as not really true FOSS regardless of the fact that it actually is. It's truly a bizarre situation releasing open source these days with all the bait-and-switch VC-backed "open source" software and all the licensing changes that happened since 2020 for many of the most popular open source projects. Also, I never intended for Octelium to become a SaaS product and the architecture itself proves that. This project is more akin to Kubernetes and cilium (without the funding part!) that the idea of any company self-hosting it in anyway has no conflicts with me since that's what I intended to build in the first place (as opposed to releasing a "demo" FOSS project while forcing you to move to a separate, fully functional SaaS product).
This is pretty cool work! Glad to see it under the AGPL. That definitely helps me trust it a bit more.