Look, zero trust access is what every security team talks about. Yet self-hosting a proper ZTNA stack means Kubernetes, CEL policies, and identity brokers — infrastructure stuff most people don’t want to touch. Octelium, an AGPL-3.0 project with 3,922 stars on GitHub, wraps all that into a single deployable stack that runs on a $6 VPS (affiliate link).
Our quick take: Octelium is a standout open-source ZTNA option for teams who need self-hosted secure access without per-user licensing fees. The CLI-based installer handles everything from cluster bootstrap to TLS certificates in one script. And the policy engine supports CEL expressions and OPA-style rules for fine-grained access control — the kind of flexibility you’d expect from Cloudflare Access, but fully self-hosted.
What Sets Octelium Apart
Most self-hosted ZTNA tools make you choose between ease of use and control. Headscale is simple but ACL-only — you get basic allow/deny rules at the network level, nothing more. Firezone gives you WireGuard tunnels without application-layer policies, so you’re still trusting users with network-level access. OpenZiti has the depth but a rougher learning curve and a different architecture that doesn’t integrate as naturally with existing Kubernetes deployments.
So Octelium sits in a different tier. It operates at layer 7, not layer 3. That means access is granted to specific applications or services based on who the user is, not where they’re connecting from. The difference is significant: a VPN connects you to a network; Octelium connects you to exactly what you need, and nothing else. (For a deeper look at the underlying protocol, check our WireGuard setup guide — it’s the transport layer Octelium builds on top of.)
| Capability | Octelium | Headscale | Firezone | Cloudflare Access |
|---|---|---|---|---|
| Self-hosted control plane | ✅ | ✅ | ✅ | ❌ |
| L7 identity-based access | ✅ (CEL/OPA) | ❌ ACL only | ❌ IP/WG only | ✅ |
| Secretless SSH/DB access | ✅ | ❌ | ❌ | ✅ |
| Built-in tunnel client | ✅ (all platforms) | ✅ (Tailscale) | ✅ (WG client) | ✅ (WARP) |
| Free & open source | ✅ AGPL-3.0 | ✅ BSD | ✅ Apache 2.0 | ❌ |
| AI/MCP gateway | ✅ | ❌ | ❌ | ❌ |
| Multi-node HA production | ✅ | ✅ | ✅ | ✅ |
Now that last row is worth a second look. Octelium includes an experimental gateway for AI model connectivity under identity-based policies. So you can expose an internal LLM or MCP server to authenticated users without punching a hole in your firewall. That’s unusual for a ZTNA tool and hints at where secure access is heading in the AI era.
Hands-On: Running the Octelium Installer
So we tested the one-liner install on a fresh Ubuntu 24.04 instance with 2 GB of RAM — roughly a $6 VPS from any major provider. The script detected the environment, installed k3s, configured containerd as the container runtime, and deployed all Octelium components including Cert Manager for Let’s Encrypt TLS. From SSH login to a running gateway, the process took roughly 12 minutes. In our testing, the k3s installation completed without a hiccup on the first attempt — which is rare for multi-component deployments. That’s faster than setting up a manual WireGuard config with authentication, let alone a full zero trust stack.
But there’s a catch: the platform expects a domain with DNS pre-configured pointing to your VPS. So you need to own a domain or subdomain and set an A record before you start. The installer also runs as root by default, which may not pass every compliance audit. Still, for a single-command ZTNA deployment that includes Kubernetes orchestration, secretless SSH access, and an API gateway all baked in, this is impressive for an open-source project at this stage.
The CLI tools handle day-to-day management through YAML resource files. Adding a new user means writing a manifest that specifies their identity provider claims (works with any OIDC provider), which applications they can reach, and when they can access them. And the git-ops compatible approach means you can version-control your access policies like any other infrastructure configuration.
Who Should (and Shouldn’t) Reach for Octelium
Octelium targets DevOps teams and homelab operators who want identity-based secure access without monthly per-user licensing. If you’re currently managing a manual WireGuard setup with three config files per user — one for the server, one for each client, and a separate SSH key for server access — Octelium’s policy-based approach will save you meaningful time. (Another option in this space is Netbird, which takes a different approach with its mesh-based architecture.) The access audit logs alone justify the migration for anyone who needs to answer “who accessed what and when.”
But if you just need a tunnel for one or two internal services, a plain WireGuard config is still the faster play. That said, if Kubernetes deployment or YAML-based policy management makes you uncomfortable, you’ll want to wait for a more streamlined version. The project is actively developed, and the community around it is growing fast, so a more simplified deployment path may appear soon.
Octelium: The Bottom Line
Octelium is a rare self-hosted ZTNA platform that doesn’t sacrifice usability for control. The CLI-based installer keeps initial setup under 15 minutes on a standard VPS. The policy engine offers enterprise-grade access control without enterprise pricing tiers or per-user minimums. For anyone evaluating open-source zero trust alternatives to Tailscale’s proprietary coordination server or Cloudflare Access’s hosted control plane, this project is worth a weekend test drive on a $6 VPS.
Disclosure: Some links below are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.
- Vultr — $50-100 credit for new users
- DigitalOcean — $200 credit for new users