Skip to content

octelium

Network Security

A free, open‑source self‑hosted platform providing zero‑trust secure access (VPN, ZTNA/BeyondCorp, tunnels, API/AI gateways, PaaS, K8s ingress) for any resource behind NAT or SaaS APIs.

Track releases GitHub Website
Go Latest v0.35.0 · 2d ago Security brief →

Features

  • Zero‑trust remote access VPN alternative (WireGuard/QUIC client and clientless access)
  • Comprehensive ZTNA/BeyondCorp platform with policy‑as‑code access control
  • Self‑hosted secure tunnel/reverse proxy service as an ngrok/Cloudflare Tunnel alternative
  • Scalable PaaS for deploying containerized applications (Vercel/Netlify style)
  • Self‑hosted API gateway with L7 routing and security
  • AI/LLM gateway with identity‑based access control

Recent releases

View all 12 releases →
Review required
v0.34.0 New feature
Auth

PKCE support

Open
v0.31.0 New feature
Notable features
  • Added `octelium ssh` command for interactive SSH sessions and remote command execution on enabled Sessions.
  • Added `octelium cp` command for copying files/directories between local filesystems and connected Session filesystems, including inter‑Session transfers.
Full changelog

You can upgrade an already running Cluster via the command octops upgrade as shown here. You can read the full changelog here.

Features

  • Introducing the octelium ssh command. With this command you can open an interactive SSH session or execute a remote command, via an embedded SSH client inside the octelium CLI, on a connected
    Octelium Session using its name, if the Session is enabling the --essh flag when connecting to the Cluster. Here are some examples:
# Open an interactive shell
octelium ssh john-abcdef

# Run a single remote command
octelium ssh john-abcdef -- uptime

# Run a shell pipeline
octelium ssh john-abcdef -- sh -c "ps aux | grep python"

# Local port forward: forward local :5432 to remote localhost:5432
octelium ssh john-abcdef -L 5432:localhost:5432

# Multiple port forwards, no interactive shell
octelium ssh john-abcdef -N -L 5432:localhost:5432 -L 6379:localhost:6379

# Dynamic SOCKS5 proxy on local port 1080
octelium ssh john-abcdef -D 1080 -N
  • Introducing the octelium cp command. This command can copy files or directories between the local filesystem and remote filesystems of connected Octelium Sessions or between two connected Sessions that are enabling the --essh flag when connecting to the Cluster via octelium connect. Here are some examples:
# Copy a local file to a session
octelium cp ./config.json john-123456:/home/user/config.json

# Copy a file from a session to local
octelium cp john-123456:/home/user/output.csv ./output.csv

# Copy a local directory to a session
octelium cp -r ./src/ john-123456:/home/user/src/

# Copy a directory from a session to local
octelium cp -r john-123456:/home/user/dist/ ./dist/

# Copy a file from one session to another
octelium cp john-123456:/home/user/data.json linus-abcdef:/home/user/data.json

# Copy a directory from one session to another
octelium cp -r john-123456:/home/user/data/ linus-abcdef:/home/user/data/

Improvements

  • Various fixes for the octelium CLI.
  • Various fixes and improvements for Vigil, GatewayAgent, Nocturne, Ingress, AuthServer, DNSServer.
  • SBOM sbom.json file has been added to the release artifacts.
View release on GitHub
v0.30.0 Mixed
Notable features
  • Linux capabilities (add/drop) support in managed container securityContext
  • CEL time functions: isWeekday, isWeekend, isWeekendInTZ, isWeekdayInTZ
  • CEL net functions: isIP, isIPv4, isIPv6, isPrivateIP, isIPInRange
Full changelog

You can upgrade an already running Cluster via the command octops upgrade as shown here. You can read the full changelog here.

Features

  • Support for adding and droping Linux capabilities in managed containers. Here is an example:
kind: Service
metadata:
  name: nginx
spec:
  mode: HTTP
  config:
    upstream:
      container:
        port: 80
        image: nginx:latest
        securityContext:
          capabilities:
            add: ["NET_ADMIN", "SYS_TIME"]
            drop: ["ALL"]
  • Introducing time functions for the CEL engine. Here are some examples for the added functions:
time.isWeekday(timestamp("2023-10-18T12:00:00Z"))

time.isWeekend(timestamp("2023-10-21T12:00:00Z"))

time.isWeekendInTZ(timestamp("2023-10-20T23:00:00Z"), "Asia/Tokyo")

time.isWeekdayInTZ(timestamp("2023-10-22T23:00:00Z"), "Asia/Tokyo")
  • Introducing net functions for the CEL engine. Here are some examples for the added functions:
net.isIP("192.168.1.1")

net.isIPv4("10.0.0.1")

net.isIPv6("2001:db8::1")

net.isPrivateIP("10.5.0.1")

net.isIPInRange("192.168.1.50", "192.168.1.0/24")

Improvements

  • Various reliability-related fixes for Vigil.
  • Various fixes and improvements for Nocturne, AuthServer, RscServer and DNSServer.
View release on GitHub
v0.29.0 New feature
Notable features
  • Authorization header pass/delete control per service
  • octops install-package for enterprise packages
  • @octelium/apis TypeScript npm package
View release on GitHub
v0.28.0 New feature
Notable features
  • Anonymous authorization as WAF for public services
  • Read-only filesystems for Nocturne, RscServer, Ingress
View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
3,857
Forks
138
Languages
Go TypeScript Makefile
View on GitHub Homepage Documentation

Community & Support

Discord Slack

Similar tools

OpenZiti
Core
OctoBot
OmniRoute
minhoyoo-iotrust/WAIaaS

Alternative to

OpenVPN Access Server Twingate Tailscale Cloudflare Access Google BeyondCorp Teleport ngrok Cloudflare Tunnel Vercel Netlify Kong Gateway Apigee

Beta — feedback welcome: [email protected]