Open-source tools for managing network segmentation, device authentication, and secure access control within private infrastructures.
Lucky is a connectivity and routing utility suite focused on SSL automation, dynamic DNS client services, NAT traversal, and port forwarding. It provides a network gateway management interface to coordinate public network access for internal services. The project distinguishes itself through a centralized web-based administration panel used to configure reverse proxy servers, manage ACME-based SSL certificate renewals via DNS provider APIs, and synchronize public IP addresses across multiple dynamic DNS providers. It also includes a NAT traversal tool using STUN to establish external connections to internal devices behind carrier-grade NAT. Additional capabilities cover traffic management via TCP and UDP port forwarding with access control lists, and HTTP reverse proxying with URL redirection and user-agent filtering. The suite also includes system-level utilities for mounting cloud storage, scheduling automated tasks, and managing remote device power via network signals.
Headscale is a self-hosted control plane for private mesh networking that enables the creation of secure, encrypted peer-to-peer networks. By acting as a centralized coordination server, it manages device authentication, cryptographic key exchange, and network topology, allowing distributed infrastructure to communicate without relying on third-party services. It implements a zero-trust security architecture, verifying device and user identity before granting access to internal resources. The project distinguishes itself by providing a fully independent, self-hosted alternative for managing network overlays. It integrates with external identity providers to automate user authentication and enforces granular, declarative access control policies across a fleet of devices. Administrators can manage the network through a web-based dashboard, a REST API, or a gRPC interface, providing flexibility for both manual oversight and programmatic automation. The system supports a wide range of networking capabilities, including remote subnet routing, exit node configuration, and automated DNS management. It ensures connectivity across diverse environments through relay-based NAT traversal, which facilitates communication even when direct peer-to-peer connections are blocked by firewalls. The platform also maintains state persistence using a relational database and automates security through integrated TLS certificate management. The software is available as a standalone binary or via containerized deployment, with support for cross-platform clients across various mobile and desktop operating systems.
Netmaker is a platform for automating and managing virtual mesh networks built on WireGuard. It functions as a centralized control plane that orchestrates encrypted, peer-to-peer tunnels across distributed infrastructure, including cloud environments, on-premise data centers, and containerized clusters. By automating the configuration of routing tables and access policies, the system enables secure, private connectivity between diverse devices and services without requiring manual network administration. The platform distinguishes itself through its focus on zero-trust network access and software-defined perimeters, which hide network resources from the public internet while enforcing granular, identity-based security policies. It supports complex network topologies by providing dynamic relay-based routing for firewall traversal and gateway-based bridging for isolated subnets. These capabilities allow for the creation of scalable, high-performance overlays that maintain consistent connectivity even when direct peer-to-peer paths are unavailable. Beyond core connectivity, the project provides a comprehensive suite of management tools, including automated node provisioning, private service discovery via integrated DNS, and multi-tenant infrastructure support. It also offers robust observability features, such as administrative audit logging and network health monitoring, to ensure operational visibility. The entire networking stack can be self-hosted to maintain data sovereignty, and the platform integrates with external identity providers to streamline authentication and device onboarding.
Tailscale is a zero-trust networking overlay that connects distributed devices and services into a private, encrypted mesh network. By utilizing a high-performance, user-space implementation of the WireGuard protocol, it establishes secure peer-to-peer tunnels across diverse network topologies without requiring complex firewall configuration. The platform operates on a centralized control plane that manages global network state, authentication, and policy distribution, ensuring that connectivity is governed by identity rather than traditional IP-based rules. What distinguishes Tailscale is its deep integration with existing identity providers, which allows organizations to bind network access to verified user accounts and device posture. It enforces granular security through declarative access control lists and microsegmentation, enabling administrators to define precise permissions for users and services. Beyond standard connectivity, the platform includes a secure AI gateway that proxies and audits language model requests, providing centralized control over API usage, spending limits, and security guardrails. The project offers a comprehensive suite of administrative and developer tools, including infrastructure-as-code support, automated node registration, and identity-based SSH access that eliminates the need for manual key management. It also provides flexible traffic management capabilities, such as exit nodes for egress control, subnet routers for bridging isolated network segments, and public-facing service exposure through encrypted tunnels. The software is distributed as an open-source command-line daemon, supporting a wide range of operating systems and containerized environments to facilitate automated infrastructure deployment.
Opensnitch is a host-based application firewall for Linux that monitors and intercepts outbound network connections in real time. By hooking into kernel-level interfaces, it tracks system-wide network activity and maps connection attempts to specific local processes, allowing users to explicitly permit or deny traffic on a per-application basis. The project distinguishes itself through its ability to manage security policies across multiple distributed nodes from a single, unified dashboard. This centralized management is secured via encrypted socket communication, enabling consistent rule enforcement and monitoring across remote machines. It further supports granular control by validating executable integrity, filtering based on environment variables, and isolating process network access to prevent unauthorized data transmission. Beyond basic filtering, the system provides comprehensive observability tools, including real-time connection inspection, traffic logging, and the ability to export security events to external management systems. Users can define complex, prioritized rule sets that incorporate blocklists, temporary access durations, and path-based restrictions to secure their environment against unauthorized communication.
Pi-hole is a self-hosted network utility that functions as a DNS sinkhole server to provide network-wide ad blocking. By acting as a dedicated network gateway, it intercepts and discards requests for known advertising, tracking, and malicious domains across an entire local network, preventing unwanted content from loading on any connected device. The software operates through a lightweight background daemon that handles high volumes of concurrent DNS queries with minimal resource overhead. It utilizes a host-file injection mechanism to redirect traffic toward its local filtering engine and applies regex-based pattern matching to identify and block specific domain requests. Users manage these operations and monitor network traffic statistics through a centralized, web-based configuration interface. Beyond blocking, the project provides tools for comprehensive DNS traffic management and home network security. By resolving domain names locally, it offers increased visibility into outgoing internet traffic and helps optimize network performance by preventing the download of resource-heavy tracking scripts and advertisements.
Pangolin is a zero-trust remote access platform designed to provide secure, identity-aware connectivity to private network resources. It functions as a cloud-native network controller that orchestrates encrypted tunnels, traffic routing, and access policies across distributed environments. By leveraging WireGuard for secure data transport, the platform enables authenticated access to internal web applications, terminal sessions, and remote desktops without exposing services to the public internet. The platform distinguishes itself through a declarative infrastructure model that synchronizes network state using version-controlled manifests. It supports complex connectivity requirements through peer-to-peer NAT traversal, which facilitates direct encrypted connections between nodes, with automatic fallback to server-based relaying when necessary. Additionally, it provides browser-based access to remote resources, eliminating the need for local client software for many common administrative and service-access tasks. Beyond its core tunneling capabilities, the platform includes a comprehensive suite of tools for traffic management, security, and observability. It features granular access control policies based on user identity, geolocation, and network attributes, alongside automated certificate management and multi-factor authentication. The system also provides extensive monitoring, audit logging, and alerting capabilities to track infrastructure health and security events across multi-site deployments. Pangolin is designed for containerized and multi-site environments, offering flexible deployment options through standard packaging and automated reconciliation workflows.
Clash-rules provides a standardized, declarative system for managing network traffic routing across desktop and mobile proxy clients. It functions as a centralized configuration provider that uses structured rule sets to categorize outgoing requests, allowing users to define whether specific connections should be proxied, rejected, or routed directly. The project distinguishes itself through its comprehensive, curated rulesets that enable granular control over network behavior. By employing domain-pattern matching, CIDR-based network analysis, and application-specific signatures, it ensures consistent traffic management across diverse environments. It also supports automated synchronization, allowing proxy clients to fetch updated routing logic from external sources without manual intervention. The platform covers a broad range of traffic management capabilities, including regional content access, local network optimization, and malicious traffic filtering. These features allow for the systematic blocking of advertising and tracking domains while ensuring that private, local, and internal network resources bypass proxy tunnels to maintain direct connectivity.
The Gemini Cookbook is a comprehensive collection of implementation patterns, code samples, and development guides designed for building applications with Google Gemini models. It serves as a central resource for developers to integrate multimodal generative artificial intelligence into their software, providing the necessary frameworks to manage model interactions, stateful workflows, and structured data extraction. The repository distinguishes itself by offering specialized toolkits for autonomous agent orchestration, enabling the construction of agents that can execute code, browse the web, and perform multi-step tasks in sandboxed environments. It provides deep support for real-time conversational interfaces, including bidirectional streaming for audio, video, and text, as well as advanced capabilities for multimodal content generation and long-context data processing. Beyond core model integration, the project covers a broad capability surface including retrieval-augmented generation, batch processing for high-throughput workloads, and observability tools for monitoring token usage and debugging API interactions. It also provides guidance on security primitives, such as authentication and content safety, alongside operational strategies for cost optimization and infrastructure management. The documentation is structured as a series of Jupyter Notebooks, offering interactive examples that demonstrate how to implement these features within production-grade artificial intelligence systems.
This project is a community-curated database of network patterns designed to facilitate regional access bypass. It functions as a centralized, crowdsourced registry where distributed contributors submit and verify domain identifiers to maintain an accurate and up-to-date list of network rules. The registry provides a declarative syntax that allows diverse proxy clients to distinguish between local and restricted traffic. By standardizing these rules, the project enables automated configuration of routing tables, ensuring that only specific requests are directed through external proxy tunnels. The repository serves as a version-controlled distribution point for these network filters, allowing client applications to consume the data to maintain consistent filtering logic. The project is maintained as a collaborative, open-source database accessible for integration into various network routing tools.
Cosmos SDK is a modular blockchain application framework and software development kit used to build sovereign layer-one networks. It provides a foundation for creating customizable blockchains featuring native interoperability, sovereign governance, and Byzantine Fault Tolerant consensus engines. The framework is distinguished by its inter-blockchain communication protocol, which enables the transfer of byte-encoded data and digital assets between independent blockchain networks. It supports multiple consensus models, including Proof of Stake and Proof of Authority, and allows for the integration of diverse virtual machines to execute smart contracts. The SDK covers a broad range of capabilities, including typed state management, on-chain proposal governance, account and key management, and validator stake slashing. It also includes developer tooling for transaction simulation, binary compilation, and the orchestration of containerized test networks. Observability is integrated through structured logging and telemetry data export via OpenTelemetry.
Mihomo is a rule-based network proxy and traffic orchestrator designed to manage internet connections by intercepting and routing data packets. It functions as a background service that directs traffic through various proxy nodes based on user-defined policies, allowing for granular control over outbound network paths. The engine distinguishes itself through a sophisticated domain pattern matching system that utilizes wildcard and suffix-based algorithms to categorize web traffic. It supports complex configuration management by allowing users to define reusable data blocks and import external domain collections, ensuring that routing policies remain consistent and up-to-date across different geographic regions and operating systems. The project provides a comprehensive suite of tools for network security filtering and traffic management. It processes structured configuration files to define rules based on destination hostnames and port ranges, enabling the creation of detailed filtering policies. The system is configured using a standard serialization format that supports object nesting, array definitions, and inline documentation.
Beats is a collection of lightweight, modular agents designed to gather, process, and forward operational telemetry from distributed infrastructure to centralized storage and analysis platforms. These agents function as a distributed data transport layer, decoupling the collection of logs, metrics, and network events from their final delivery destination. By maintaining local state and managing data flow, the system ensures reliable transmission of information across heterogeneous environments. The project distinguishes itself through a modular pipeline architecture that allows for the assembly of specialized agents using shared library building blocks. Each agent is compiled as a statically linked binary, enabling deployment across diverse infrastructure without external runtime dependencies. During the ingestion process, the system automatically enriches raw telemetry with contextual metadata from host systems and cloud environments, while applying backpressure-aware flow control to manage data volume based on destination responsiveness. The platform covers a broad range of observability tasks, including system performance monitoring, network traffic analysis, and security auditing. It supports the collection of diverse data types such as application logs, Windows event logs, infrastructure metrics, and network packets. Users can filter and parse incoming data streams before forwarding them to centralized storage engines or message queues, ensuring that only relevant information is indexed for long-term analysis.
This project is an automated command-line tool designed to install and configure a secure network gateway on a host machine. By utilizing established open-source security protocols, it establishes a private tunnel endpoint that encrypts internet traffic and facilitates remote access connectivity for authorized users. The tool functions as an infrastructure lifecycle manager, streamlining the deployment of private network services through shell-script-based orchestration. It distinguishes itself by integrating directly with the Linux kernel to manage packet filtering rules and providing credential-based access control, which generates and stores unique security keys locally for identity verification. Beyond the initial setup, the software includes administrative utilities for managing user accounts and configuring network parameters such as custom domain name servers via environment variables. It also supports the complete removal of the gateway and its associated configuration files to manage system resources.
This project provides a shell-based automation utility for deploying and managing OpenVPN servers on Linux hosts. It functions as an orchestration tool that handles the installation of networking software, the configuration of system-level routing rules, and the generation of cryptographic credentials required to establish secure, encrypted tunnels for remote network access. The tool distinguishes itself by automating the entire lifecycle of a private network gateway, including the management of peer identities and the distribution of standardized configuration profiles. It simplifies the setup of complex network components such as kernel-level packet forwarding and network address translation, allowing administrators to route client traffic through a private host gateway without manual intervention. Beyond initial deployment, the utility facilitates ongoing administration by providing routines for adding or removing client devices and managing peer access. It enforces secure traffic flow by overriding local client gateway settings and configuring custom DNS resolution, ensuring that all connected device traffic is routed through the encrypted tunnel. The project is distributed as a set of command-line scripts designed for direct execution on Linux server environments.
This project provides a self-hosted, containerized WireGuard VPN server that simplifies network administration through a web-based management interface. It allows users to deploy and manage VPN tunnels, configure peer identities, and monitor connection status without the need for manual configuration file editing. By bundling the VPN stack into a portable container, it ensures consistent deployment and persistent state management across diverse host environments. A key differentiator is the built-in support for traffic obfuscation, which modifies packet headers and handshake patterns to help bypass restrictive network filtering and deep packet inspection. The platform also enhances security by offering two-factor authentication for the management interface and granular firewall orchestration, enabling administrators to define specific access policies and routing rules for individual clients. The system includes comprehensive tools for infrastructure observability, such as exporting performance metrics for integration with external monitoring platforms like Prometheus and Grafana. It supports advanced networking requirements, including custom DNS configuration, client address assignment, and service exposure via reverse proxies. The entire lifecycle of the service is managed through environment-variable-driven configuration, facilitating automated deployment and seamless updates.
Coturn is a network server that facilitates peer-to-peer media traffic for real-time communication applications. It functions as a relay platform for voice, video, and data transmission, enabling direct connections between clients located behind restrictive firewalls and network address translators. The server implements standard network traversal protocols to manage media packet exchange and client authentication. It utilizes a multi-threaded architecture and event-driven polling to handle high-throughput traffic, while employing hash-based message authentication codes to verify client identity and secure access to relay services. The platform includes a modular interface for persistent storage of credentials and server state across various database backends. It also provides integrated monitoring capabilities to track traffic volume, connection status, and operational health metrics, allowing for the identification of performance bottlenecks in distributed communication environments.
This project is a comprehensive network traffic orchestrator and server infrastructure manager designed to provide centralized control over secure tunneling, routing, and security policies. It functions as a web-based dashboard that enables administrators to deploy and maintain network services, enforce access restrictions, and manage traffic flow through a private server environment. The platform distinguishes itself by integrating advanced traffic anonymization and routing capabilities, including support for relay networks and secure tunnels to bypass regional restrictions. It provides granular control over network security through automated certificate lifecycle management, host-based firewall rule enforcement, and the ability to configure specialized transport protocols. Administrators can further manage server operations remotely via event-driven messaging bot integration, allowing for real-time monitoring and command execution. Beyond its core routing and security functions, the software supports flexible deployment models, including containerized orchestration and automated script-based installation. It includes a suite of maintenance tools for monitoring user traffic, managing geographical routing databases, and hardening system environments against unauthorized access. The project provides multiple installation paths, ranging from automated scripts to manual binary deployment, to accommodate various server configurations.
Spin is a WebAssembly serverless framework and development toolchain for building and running portable microservices. It functions as an event-driven orchestrator and runtime that executes WebAssembly components, allowing developers to map HTTP requests, Redis messages, and cron schedules to specific modules. The project distinguishes itself by implementing a Wasm-based AI inference gateway, enabling components to perform model inference and generate text embeddings. It utilizes the WebAssembly Component Model and WASI for language-agnostic composition and portable host interfacing, while employing a capability-based security system to restrict access to network hosts and storage backends. The framework provides a comprehensive set of capabilities including OCI-compliant distribution, in-memory service chaining for internal microservices, and integration with various SQL and NoSQL databases. It also includes tools for background task spawning, OpenTelemetry signal export for observability, and a CLI for project bootstrapping and hot reloading. The toolchain supports compiling multilingual components into WebAssembly and deploying them across local environments, Kubernetes clusters, or global edge distributions.
RustDesk is a cross-platform remote desktop client that enables users to initiate and receive remote sessions. It provides a complete infrastructure for self-hosted remote access, utilizing a signaling and relay server architecture to maintain connectivity when direct peer-to-peer links are unavailable. The software is designed to function across desktop and mobile environments, offering native remote control, screen sharing, and file management capabilities. What distinguishes the platform is its centralized administrative control plane, which allows for granular management of security policies, user identities, and device access permissions. Administrators can define scoped roles, implement hierarchical permission logic, and enforce security strategies across large deployments. The system supports integration with external identity providers, including OIDC and LDAP, alongside multi-factor authentication methods like TOTP to secure access to the infrastructure. The software provides extensive tools for managed environments, including automated deployment scripts, command-line configuration, and bulk policy management. It includes specialized mechanisms for handling system-level elevation, allowing remote operators to interact with administrative prompts on target machines. The server infrastructure is designed for flexibility, supporting containerized deployments and geolocation-based routing to optimize connection paths and minimize latency. Documentation and installation support cover a wide range of operating systems, providing native packages, portable formats, and guidance for running server components as persistent background services.