Octelium combines multiple infrastructure roles—remote access VPN, zero trust network access (ZTNA), API gateway, AI/LLM gateway, PaaS, and Kubernetes ingress—into one self-hosted platform. Written in Go and designed to run on Kubernetes, it delivers a unified identity-aware layer-7 proxy that handles both client-based and clientless access with fine-grained policy enforcement.
What Octelium does and how it works
At its core, Octelium is a zero trust secure access platform that collapses several traditionally separate components into a single architecture. It acts as a layer-7 proxy that is fully identity-aware, meaning every request is evaluated against an identity and policy engine before being allowed.
The platform supports two main access modes. First, client-based access uses WireGuard/QUIC tunnels, providing secure remote connectivity akin to a VPN but with modern, performant transport protocols. Second, clientless access follows a BeyondCorp-style model where no VPN client is needed; access is granted per request via browser or other clientless means.
Policy enforcement is a standout feature: Octelium uses policy-as-code with Common Expression Language (CEL) and Open Policy Agent (OPA) to define fine-grained, per-request access control. This means you can write declarative policies that evaluate attributes of the user, device, request, and resource dynamically.
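To make the per-request model concrete, here is an added Go example (not code from the Octelium project; Octelium expresses its rules in CEL or OPA, and the `Identity` fields, rule semantics and header names below are this example's own). Each rule is an effect plus a predicate over identity, device and request attributes; the proxy authenticates, evaluates the rules on every request with default deny and deny-overrides, and forwards a verified identity header to an upstream that never sees the caller's credential:

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is what authentication has already established about the caller.
// Field names are this example's own, not Octelium's schema.
type Identity struct {
	Subject       string
	Groups        []string
	DeviceTrusted bool // e.g. the client passed a device-posture check
}

// Rule stands in for one CEL or OPA rule: an effect plus a predicate over identity and request attributes.
type Rule struct {
	Effect string // "ALLOW" or "DENY"
	Match  func(id Identity, r *http.Request) bool
}

// Authorize is default-deny with deny-overrides: a matching DENY wins outright; otherwise some ALLOW must match.
func Authorize(rules []Rule, id Identity, r *http.Request) bool {
	allowed := false
	for _, rule := range rules {
		if !rule.Match(id, r) {
			continue
		}
		if rule.Effect == "DENY" {
			return false
		}
		allowed = true
	}
	return allowed
}

func inGroup(id Identity, g string) bool {
	for _, have := range id.Groups {
		if have == g {
			return true
		}
	}
	return false
}

// DevRules is a constructed policy: "dev" members may read from a trusted device,
// "ops" members may do anything, and /admin is denied to everyone regardless.
var DevRules = []Rule{
	{Effect: "ALLOW", Match: func(id Identity, r *http.Request) bool {
		return inGroup(id, "dev") && id.DeviceTrusted && r.Method == http.MethodGet
	}},
	{Effect: "ALLOW", Match: func(id Identity, _ *http.Request) bool { return inGroup(id, "ops") }},
	{Effect: "DENY", Match: func(_ Identity, r *http.Request) bool { return strings.HasPrefix(r.URL.Path, "/admin") }},
}

// Authenticator turns a request into a verified Identity; credential verification lives here.
type Authenticator func(r *http.Request) (Identity, error)

// NewProxy is the identity-aware layer-7 hop: authenticate, evaluate policy per request, then
// forward with a verified identity header. The upstream never sees the caller's credential.
func NewProxy(authn Authenticator, rules []Rule, upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := authn(r)
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !Authorize(rules, id, r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.Header.Del("Authorization")
		r.Header.Set("X-Identity", id.Subject) // Set overwrites anything the client supplied
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Demo wiring only: a deployment plugs in a verifier of the caller's assertion here.
	// The fixed bearer string is a constructed stand-in, not a credential scheme to copy.
	authn := func(r *http.Request) (Identity, error) {
		if r.Header.Get("Authorization") != "Bearer demo-only-token" {
			return Identity{}, errors.New("unauthenticated")
		}
		return Identity{Subject: "alice@example.com", Groups: []string{"dev"}, DeviceTrusted: true}, nil
	}
	upstream, _ := url.Parse("http://127.0.0.1:8081") // assumed local upstream
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewProxy(authn, DevRules, upstream)))
}
```

Two details carry the security weight: the decision is recomputed on every request from current attributes (a revoked group membership or a device that loses its trusted status takes effect on the next request, not at the next login), and the identity header is set with `Set` after stripping the credential, so a client that sends its own `X-Identity` cannot impersonate anyone.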
Authentication is “secretless”—both humans and workloads authenticate without long-lived credentials. Humans authenticate via any OIDC or SAML identity provider combined with FIDO2 or WebAuthn multi-factor authentication (MFA). Workloads use OIDC-based assertions, avoiding credential distribution risks.
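The workload side of this is easy to picture with both halves written out. The following added Go example is not from the Octelium project; it shows an OIDC-style assertion flow with the standard library only: the issuer signs a short-lived RS256 JWT, and the relying party verifies it holding nothing but the issuer's public key, pinning the algorithm before checking the signature and only then reading issuer, audience and expiry. The issuer URL, audience and subject are constructed values, and `DemoKey` stands in for the JWKS a real verifier would fetch:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an OIDC-style assertion a relying party checks.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// DemoKey makes a throwaway issuer key pair; real verifiers load the issuer's keys from its JWKS endpoint.
func DemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MintAssertion is the issuer's side: sign a short-lived RS256 JWT over header.payload.
// The workload only ever holds this token (minutes of validity), never a long-lived secret.
func MintAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// ForgeUnsigned builds the classic "alg":"none" token an attacker would try; VerifyAssertion must reject it.
func ForgeUnsigned(c Claims) string {
	body, _ := json.Marshal(c)
	return b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + b64.EncodeToString(body) + "."
}

// VerifyAssertion needs only the issuer's public key. Order matters: pin the algorithm,
// verify the signature, and only then trust iss, aud and exp from the payload.
func VerifyAssertion(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var raw [3][]byte
	var err error
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return Claims{}, errors.New("bad base64url")
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unexpected alg") // the token does not get to choose the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(raw[1], &c) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if c.Issuer != wantIss || c.Audience != wantAud {
		return Claims{}, errors.New("wrong issuer or audience")
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return Claims{}, errors.New("expired")
	}
	return c, nil
}

func main() {
	key, err := DemoKey()
	if err != nil {
		panic(err)
	}
	const iss, aud = "https://idp.example", "payments-api" // constructed identifiers for the demo
	c := Claims{Issuer: iss, Subject: "spiffe://example/batch-worker", Audience: aud, Expiry: time.Now().Add(5 * time.Minute).Unix()}
	tok, _ := MintAssertion(key, c)
	_, err = VerifyAssertion(&key.PublicKey, tok, iss, aud, time.Now())
	fmt.Println("genuine token:", err) // <nil>
	_, err = VerifyAssertion(&key.PublicKey, ForgeUnsigned(c), iss, aud, time.Now())
	fmt.Println("alg=none forgery:", err) // unexpected alg
	_, err = VerifyAssertion(&key.PublicKey, tok, iss, aud, time.Now().Add(time.Hour))
	fmt.Println("replayed after expiry:", err) // expired
}
```

The point of the "secretless" label is visible in what gets distributed: the workload receives a token that dies in minutes, the relying party receives only a public key, and neither side ever stores anything an attacker could lift from disk and reuse weeks later. The audience check is what stops a token minted for one Service from being replayed against another.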
Additional features include PaaS-like container deployment capabilities, OpenTelemetry-native audit logging for observability, and a declarative CLI tool (octeliumctl) for managing configurations and infrastructure.
The platform is designed to run without requiring upstream changes, meaning it can route to resources behind NAT or localhost and across clouds without exposing public gateways.
What distinguishes Octelium’s architecture and approach
Octelium’s main technical strength lies in its unified identity-aware layer-7 proxy that merges multiple infrastructure roles into a single platform. This convergence reduces operational complexity by eliminating the need to deploy and maintain separate VPNs, ZTNA proxies, API gateways, and Kubernetes ingress controllers.
Architecturally, Go gives it a single static binary and a mature standard-library networking and concurrency stack, which suits a proxy that must hold many concurrent connections. Running on Kubernetes adds scalability and resilience, although the platform can also be installed on a single-node cluster for development or small-scale use.
The use of policy-as-code with CEL and OPA is a significant plus. This approach provides flexibility and expressiveness in access control policies, supporting dynamic evaluation based on current context. It’s a modern alternative to static ACLs or role-based access control (RBAC) that often fall short in complex zero trust environments.
The secretless authentication model shrinks the attack surface: there is no stored long-lived credential for phishing, a leaked config file or a compromised host to yield, and FIDO2/WebAuthn MFA is phishing-resistant by design. Relying on standard identity providers also improves the user experience.
Tradeoffs include the inherent complexity of managing a sophisticated proxy and policy engine. The platform is Kubernetes-centric, which might be a barrier for teams without Kubernetes expertise or infrastructure. Also, while the project is open source and self-hosted, deploying a zero trust platform is inherently non-trivial and requires careful operational planning.
Code quality appears solid from the repo’s structure and documentation. The platform uses a CLI for declarative management, which is a good practice for infrastructure-as-code workflows.
Install your first cluster
The project's quick guide installs a single-node Octelium Cluster on any cheap cloud VM/VPS (e.g. a DigitalOcean Droplet, Hetzner server, AWS EC2 instance, Vultr, etc.) or on a local Linux machine or Linux VM inside a macOS/Windows host, with at least 2GB of RAM and 20GB of disk running a recent distribution (Ubuntu 24.04 LTS or later, Debian 12+, etc.). That is enough for development, personal use and undemanding production where a highly available multi-node Cluster is not needed. Once you SSH into the VPS/VM as root, fetch the installer and make it executable; since it runs with root privileges, read it before executing it with the options the quick guide describes:
curl -o install-cluster.sh https://octelium.com/install-cluster.sh
chmod +x install-cluster.sh
Install CLI Tools
The CLI install page lists all available options; the one-liners below install the pre-built binaries. Both pipe a remote script straight into a shell, so on a machine you care about download the script first, read it, then run it, or use the Homebrew tap further down.
For Linux and MacOS
curl -fsSL https://octelium.com/install.sh | bash
For Windows in Powershell
iwr https://octelium.com/install.ps1 -useb | iex
You can also install the CLIs via Homebrew as follows:
brew install octelium/tap/octelium
Verdict
Octelium targets teams and organizations looking for a unified zero trust access platform that can replace multiple specialized tools with a single identity-aware proxy. It’s especially suitable for Kubernetes-centric environments that want to unify remote access VPNs, ZTNA, API gateways, and workload authentication under one roof.
The platform’s complexity and Kubernetes dependency mean it’s less suited for teams without container orchestration expertise or those expecting a plug-and-play VPN replacement.
That said, its policy-as-code model, secretless authentication, and support for both client-based and clientless access make it a noteworthy option in the zero trust landscape. The codebase and tooling show mature engineering, and the installation instructions support quick evaluation.
If you manage multi-cloud or hybrid environments requiring fine-grained, dynamic access controls without exposing public gateways, Octelium is worth a close look.
→ GitHub Repo: octelium/octelium ⭐ 3,798 · Go