30 open-source projects similar to firezone/firezone, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Firezone alternative.
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS Sigv4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
NetBird is a zero-trust networking platform that builds secure, encrypted peer-to-peer overlay networks using the WireGuard protocol. It functions as a software-defined perimeter, connecting distributed infrastructure across cloud environments and physical locations while hiding network resources from the public internet. By integrating with external identity providers, the platform enforces granular access control and identity-based segmentation for every user and device. The platform distinguishes itself through extensive automation and programmatic management capabilities. It provides a ce
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
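How certificate-derived group policy works in practice, as an added illustration written for this page (not Nebula's own code): the CA signs group names into each host certificate, and inbound firewall rules match on port, protocol and those groups instead of on IP addresses, so a host's reachability follows its identity. The rule shape (`port`, `proto`, `host`, `group`, `groups`) mirrors Nebula's documented config keys, but the certificate contents, rules and evaluator are constructed for this example and omit Nebula's CIDR and CA-pinning matchers.

```python
"""Identity-group firewall evaluation in the style of Nebula's inbound rules.
Added example for this page, not Nebula's implementation; the certificates and
rules below are constructed sample data. Default policy is deny: a packet is
accepted only if some inbound rule matches the sender's signed identity."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Union


@dataclass(frozen=True)
class HostCert:
    name: str
    groups: FrozenSet[str]  # group names the CA signed into this host's certificate


@dataclass(frozen=True)
class Rule:
    port: Union[int, str]             # a port number or "any"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    groups: FrozenSet[str] = frozenset()  # every listed group must be in the cert (Nebula: groups)
    group: Optional[str] = None       # a single required group (Nebula: group)
    host: Optional[str] = None        # a specific certificate name, or "any"

    def matches(self, cert: HostCert, port: int, proto: str) -> bool:
        if self.port != "any" and self.port != port:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.host not in (None, "any") and self.host != cert.name:
            return False
        if self.group is not None and self.group not in cert.groups:
            return False
        if self.groups and not self.groups <= cert.groups:
            return False
        return True


def inbound_allowed(rules, cert: HostCert, port: int, proto: str) -> bool:
    """Default deny: accept only when at least one inbound rule matches."""
    return any(r.matches(cert, port, proto) for r in rules)


# Constructed sample policy: SSH for the ops group, HTTPS only for hosts that
# are both web AND prod, and ICMP from any enrolled host.
SAMPLE_RULES = [
    Rule(port=22, proto="tcp", group="ops"),
    Rule(port=443, proto="tcp", groups=frozenset({"web", "prod"})),
    Rule(port="any", proto="icmp", host="any"),
]

# Constructed sample certificates (placeholder identities, not real certs).
OPS_LAPTOP = HostCert("ops-laptop", frozenset({"ops"}))
WEB_PROD = HostCert("web01", frozenset({"web", "prod"}))
WEB_STAGING = HostCert("web-stg", frozenset({"web", "staging"}))


if __name__ == "__main__":
    print("ops -> 22/tcp:", inbound_allowed(SAMPLE_RULES, OPS_LAPTOP, 22, "tcp"))
    print("web+prod -> 443/tcp:", inbound_allowed(SAMPLE_RULES, WEB_PROD, 443, "tcp"))
    print("web+staging -> 443/tcp:", inbound_allowed(SAMPLE_RULES, WEB_STAGING, 443, "tcp"))
    print("ops -> 443/tcp:", inbound_allowed(SAMPLE_RULES, OPS_LAPTOP, 443, "tcp"))
```

The point to notice is that the staging web host is refused on 443 even though it carries the `web` group: a `groups` rule is a conjunction, so segmentation is decided by what the CA signed, not by which subnet the host happens to sit on.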
Pangolin is a zero-trust remote access platform designed to provide secure, identity-aware connectivity to private network resources. It functions as a cloud-native network controller that orchestrates encrypted tunnels, traffic routing, and access policies across distributed environments. By leveraging WireGuard for secure data transport, the platform enables authenticated access to internal web applications, terminal sessions, and remote desktops without exposing services to the public internet. The platform distinguishes itself through a declarative infrastructure model that synchronizes n
Tailscale is a zero-trust networking overlay that connects distributed devices and services into a private, encrypted mesh network. By utilizing a high-performance, user-space implementation of the WireGuard protocol, it establishes secure peer-to-peer tunnels across diverse network topologies without requiring complex firewall configuration. The platform operates on a centralized control plane that manages global network state, authentication, and policy distribution, ensuring that connectivity is governed by identity rather than traditional IP-based rules. What distinguishes Tailscale is it
Netmaker is a platform for automating and managing virtual mesh networks built on WireGuard. It functions as a centralized control plane that orchestrates encrypted, peer-to-peer tunnels across distributed infrastructure, including cloud environments, on-premise data centers, and containerized clusters. By automating the configuration of routing tables and access policies, the system enables secure, private connectivity between diverse devices and services without requiring manual network administration. The platform distinguishes itself through its focus on zero-trust network access and soft
Ziti is a zero-trust network overlay and identity-based mesh network. It provides a software-defined perimeter that replaces traditional IP-based routing and VPNs by mapping network services to cryptographically verified identities, effectively cloaking applications from the public internet. The project distinguishes itself through an outbound-only connection model that eliminates open listening ports and a Zero Trust SDK that allows developers to embed encryption and identity-based access control directly into application source code. It also provides transparent tunneling proxies to extend
rustdesk-server is a self-hosted remote desktop server infrastructure designed to manage ID signaling and relay traffic for remote connections between peers. It provides the necessary backend environment to coordinate remote access sessions through rendezvous-based signaling and relay-based traffic forwarding. The system distinguishes itself with a remote access management console for organizing devices and enforcing security policies, as well as an identity integrator for OIDC-based federation and LDAP directory synchronization. It utilizes geolocation-aware routing to distribute traffic acr
OpenVPN is a cross-platform networking solution that establishes secure virtual private network connections by wrapping data traffic within encrypted tunnels. The same program runs as either client or server; in server mode it authenticates remote endpoints and routes encrypted traffic to provide access to private network resources across untrusted public networks. The software utilizes standard cryptographic protocols (TLS) to perform mutual authentication and key exchange over a dedicated control channel. It verifies the identity of remote systems through certificate-based authentication, ensuring that only trusted e
Teleport is a zero-trust access platform designed to provide secure, identity-based connectivity to servers, databases, and Kubernetes clusters. It functions as a centralized gateway that replaces static credentials with short-lived, identity-bound cryptographic certificates, effectively eliminating the need for traditional VPNs and long-term secret exposure. The platform distinguishes itself by orchestrating access through a unified control plane that maps external identity provider claims to granular, role-based infrastructure permissions. It enforces security through mutual TLS gateways an
Algo is a cloud VPN deployment tool and WireGuard orchestrator designed to automate the provisioning and configuration of personal VPN servers across multiple cloud infrastructure providers. It functions as a multi-cloud infrastructure provisioner and a VPN client configuration generator, creating the necessary tunnels and connection profiles for secure device connectivity. The project distinguishes itself by integrating a network ad-blocking DNS server directly into the deployment, filtering advertisements and malicious domains for all connected clients. It further simplifies the onboarding
ZeroTierOne is a software-defined networking engine that creates virtual local area networks by emulating Ethernet switches across distributed devices. It functions as a peer-to-peer platform, establishing encrypted tunnels directly between endpoints to bypass the need for centralized gateways or hub-and-spoke architectures. The system distinguishes itself through a decentralized approach to network discovery and identity management. By utilizing a distributed hash table and public key infrastructure, it authenticates devices and maps virtual addresses to physical endpoints without relying on
Kanidm is a centralized identity management server designed to handle authentication, authorization, and directory services across distributed infrastructure. It provides a comprehensive framework for managing human and service accounts, utilizing a schema-driven database to store identity records, group memberships, and system attributes. The platform supports a wide range of authentication methods, including passkeys, passwords, and standard protocols like OAuth2, OIDC, LDAP, and RADIUS. The system distinguishes itself through a granular access control engine that enforces security policies
Security-101 is a vendor-agnostic, foundational cybersecurity learning curriculum organized into modular, framework-aligned modules. It is designed to build core knowledge across multiple security domains without tying content to specific products or platforms, making it suitable for both beginners and professionals seeking a structured introduction to the field. The curriculum is built around established security frameworks, including the MITRE ATT&CK framework for standardized threat analysis and the NIST Cybersecurity Framework for incident response workflows. It covers a broad range of do
The AWS Cloud Development Kit is an infrastructure-as-code framework that enables developers to define and provision cloud resources using familiar programming languages. By utilizing construct-based synthesis, it translates high-level, object-oriented code into declarative templates, allowing for the automated management of complex cloud environments through a centralized, code-driven control plane. The framework distinguishes itself through its ability to model infrastructure as a dependency-aware resource graph, ensuring that components are provisioned and updated in the correct order. It
wireguard-ui is a web-based management interface and configuration generator for WireGuard VPN servers. It provides an authenticated administrative dashboard that allows users to manage VPN tunnels and peer connections through a graphical interface instead of manually editing configuration files. The project automates the creation of cryptographic key pairs and produces connection files and QR codes for distributing network settings to clients. It includes tools for tracking client metadata, such as names and email addresses, to identify individual users associated with specific connection se
This project is a comprehensive technical documentation site and reference manual for configuring and deploying WireGuard VPN tunnels and interfaces. It serves as a guide for establishing encrypted network connections between peers using public key authentication to secure data traffic across untrusted networks. The documentation provides specific technical manuals for implementing NAT traversal solutions, including UDP hole punching and the use of bounce servers to connect peers behind restrictive firewalls. It also includes detailed guides on tunnel implementation and protocol references fo
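The property that every WireGuard-based tool on this list (wireguard-ui, Firezone, Tailscale, Headscale, Netmaker, Innernet, Algo) inherits from the protocol is cryptokey routing: each peer's public key is bound to the set of addresses it may send from and receive for (its AllowedIPs), so the key is the identity and the address list is the authorisation. The following is an added illustration of that decision logic written for this page, not WireGuard's implementation; the peer keys are placeholder strings rather than real Curve25519 keys, and the addresses are constructed.

```python
"""Cryptokey routing as WireGuard specifies it, modelled in plain Python.
Added example for this page, not WireGuard's or any listed project's code.
Peer keys are placeholder strings (real peers are identified by base64 X25519
public keys) and the address plan is constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Peer:
    public_key: str                       # the peer's identity
    allowed_ips: List[object] = field(default_factory=list)  # ip_network objects


class CryptokeyRouter:
    def __init__(self, peers):
        self.peers = {p.public_key: p for p in peers}
        # Flattened (network, key) pairs for longest-prefix matching on egress.
        self.table = [(net, p.public_key) for p in peers for net in p.allowed_ips]

    def accept_inbound(self, sender_key: str, src_ip: str) -> bool:
        """A packet that decrypted under sender_key is delivered only if its
        inner source address lies in that peer's AllowedIPs. Anything else is
        dropped, which is what prevents one peer from spoofing another's address."""
        peer = self.peers.get(sender_key)
        if peer is None:
            return False
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in peer.allowed_ips)

    def route_outbound(self, dst_ip: str) -> Optional[str]:
        """Pick the peer whose AllowedIPs contains dst_ip with the longest
        prefix; None means no peer is authorised for that destination and the
        packet is dropped rather than sent anywhere."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, key) for net, key in self.table if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0])[1]


def build_sample_router() -> CryptokeyRouter:
    """Constructed address plan: two laptops, one of which also exports a LAN,
    and a gateway peer that is the default route for everything else."""
    return CryptokeyRouter([
        Peer("PEER_A_PUBKEY", [ipaddress.ip_network("10.8.0.2/32")]),
        Peer("PEER_B_PUBKEY", [ipaddress.ip_network("10.8.0.3/32"),
                               ipaddress.ip_network("192.168.50.0/24")]),
        Peer("GATEWAY_PUBKEY", [ipaddress.ip_network("0.0.0.0/0")]),
    ])


if __name__ == "__main__":
    r = build_sample_router()
    print("A claims 10.8.0.2:", r.accept_inbound("PEER_A_PUBKEY", "10.8.0.2"))
    print("A claims 10.8.0.3 (spoof):", r.accept_inbound("PEER_A_PUBKEY", "10.8.0.3"))
    print("to 192.168.50.7 ->", r.route_outbound("192.168.50.7"))
    print("to 8.8.8.8 ->", r.route_outbound("8.8.8.8"))
```

Two consequences of this model are worth keeping in mind when reading the tools above: a peer's AllowedIPs is an authorisation list, not merely a route, so a misconfigured `0.0.0.0/0` on a laptop peer lets that laptop inject packets claiming any address; and a management UI that generates peer entries is effectively editing the network's access policy, which is why the entries on this page that wrap WireGuard in an identity provider and policy layer are doing security work rather than convenience work.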
all-in-one is a containerized deployment system designed to install and manage a complete suite of productivity and collaboration services. It functions as a cloud suite deployer that orchestrates the installation of a self-hosted content platform, incorporating necessary dependencies via Docker or Kubernetes. The project distinguishes itself by providing a web-based dashboard for orchestrating, updating, and monitoring the lifecycle of service containers. It also serves as a local AI inference server, enabling the execution of generative text models, image diffusion, and speech processing on
Pritunl is an enterprise VPN gateway and server manager used to deploy and configure OpenVPN and WireGuard servers through a centralized web interface. It functions as a VPN access control system and an SSH certificate authority, issuing short-lived signed certificates to manage secure shell access and network entry without manual public key distribution. The platform acts as an SSO integrated VPN controller, synchronizing user access and organization mapping with third-party identity providers via OAuth, OIDC, and SAML. It supports high-availability deployments by using database-backed clust
EasyTier is a decentralized peer-to-peer virtual private network and mesh networking tool. It functions as a layer 3 network overlay that establishes secure tunnels between devices without requiring a centralized server or coordinator. It also serves as a WireGuard-compatible VPN, capable of acting as a server for standard WireGuard clients. The project distinguishes itself through multipath latency-based routing and the use of KCP or QUIC proxies to mitigate packet loss and stabilize connections in high-loss environments. It provides a virtual networking manager featuring a web management co
Innernet is a WireGuard VPN mesh orchestrator and control plane that automates the deployment of encrypted tunnels between distributed peers. It functions as a virtual private network that coordinates endpoint discovery and distributes network configurations from a centralized server to establish a private overlay network. The system differentiates itself through a structured peer management lifecycle, using single-use invitation files for secure onboarding and cryptographic key exchange. It provides granular network segmentation by organizing peers into named CIDR blocks, allowing administra
n2n is a peer-to-peer VPN that creates an encrypted mesh network by establishing layer 2 overlay networks. It uses UDP tunneling to connect remote computers into a shared virtual local area network, allowing devices to communicate as if they were on the same physical Ethernet switch. The system utilizes a centralized signaling registry and federated coordination nodes to facilitate peer discovery and node registration. It implements NAT traversal through UDP hole punching and UPnP port mapping, while using supernode relay routing to ensure connectivity when symmetric NATs prevent direct peer-
This project is a service mesh platform designed to manage, secure, and observe service-to-service communication within Kubernetes clusters. It functions as a control plane that orchestrates transparent sidecar proxies, which intercept and manage network traffic to provide reliable connectivity for microservices. By automating the injection of these proxies, the platform ensures that infrastructure-level policies are applied consistently across all workloads without requiring manual configuration changes. The platform distinguishes itself through its focus on zero-trust security and cross-clu
Cilium is a networking, security, and observability platform for containerized environments that leverages kernel-level data paths to process traffic. By executing programs directly within the Linux kernel, it provides high-performance packet filtering, routing, and load balancing without the need for traditional user-space proxies or context switching. The platform distinguishes itself through identity-based security enforcement, which filters traffic based on service labels rather than volatile IP addresses. It integrates containerized workloads with external physical or virtual infrastruct
Consul is a distributed coordination service and service mesh tool used for service discovery, health monitoring, and cluster state management across dynamic networks. It provides a platform for locating network addresses of services and managing traffic across distributed infrastructure using DNS and HTTP interfaces. The project distinguishes itself through multi-datacenter network orchestration, enabling the federation of services across different regions using mesh gateways. It secures communication via a service mesh architecture that employs identity-based authorization and mutual TLS en
Headscale is a self-hosted control plane for private mesh networking that enables the creation of secure, encrypted peer-to-peer networks. By acting as a centralized coordination server, it manages device authentication, cryptographic key exchange, and network topology, allowing distributed infrastructure to communicate without relying on third-party services. It implements a zero-trust security architecture, verifying device and user identity before granting access to internal resources. The project distinguishes itself by providing a fully independent, self-hosted alternative for managing n
This project is an Android password manager application that provides an end-to-end encrypted vault for storing and synchronizing login credentials, secure notes, and identities. It functions as a secure storage system using zero-knowledge encryption to ensure that only the user can decrypt their stored data. The application integrates directly with the Android system to provide an autofill service that populates usernames and passwords into mobile apps and browser login fields. It also serves as a passkey management wallet for FIDO2 cryptographic passkeys and a time-based one-time password a
Komodo is a remote server orchestrator and container deployment platform. It provides a centralized interface for managing multiple remote hosts through lightweight agents, coordinating Docker Swarm and Kubernetes clusters, and automating software delivery via integrated CI/CD pipelines. The system distinguishes itself with a TypeScript-based automation engine that executes typed scripts against the system API for complex operational workflows. It supports infrastructure-as-code through TOML-based declarative configuration synchronization and provides ephemeral build infrastructure that provi
Boto3 is the AWS SDK for Python, providing a programmatic interface for managing and automating AWS cloud infrastructure and services. It serves as a cloud management API client and resource manager for provisioning, configuring, and scaling virtual servers, databases, and storage. The library enables the implementation of infrastructure-as-code through declarative templates and scripts, allowing for the deployment of identical resource stacks across multiple accounts and geographic regions. It also provides a framework for coordinating distributed workflows, serverless functions, and contain
This project is a community-curated directory of open-source software designed for deployment in private server environments and home labs. It serves as a comprehensive resource for discovering independent, self-hosted alternatives to mainstream cloud services, enabling users to maintain full data ownership and control over their digital infrastructure. The directory is structured through a hierarchical taxonomy that organizes a vast collection of applications into logical categories, ranging from media management and data analytics to private communication and team productivity tools. It dis