30 open-source projects similar to fosrl/pangolin, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Pangolin alternative.
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS Sigv4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
NetBird is a zero-trust networking platform that builds secure, encrypted peer-to-peer overlay networks using the WireGuard protocol. It functions as a software-defined perimeter, connecting distributed infrastructure across cloud environments and physical locations while hiding network resources from the public internet. By integrating with external identity providers, the platform enforces granular access control and identity-based segmentation for every user and device. The platform distinguishes itself through extensive automation and programmatic management capabilities. It provides a ce
Teleport is a zero-trust access platform designed to provide secure, identity-based connectivity to servers, databases, and Kubernetes clusters. It functions as a centralized gateway that replaces static credentials with short-lived, identity-bound cryptographic certificates, effectively eliminating the need for traditional VPNs and long-term secret exposure. The platform distinguishes itself by orchestrating access through a unified control plane that maps external identity provider claims to granular, role-based infrastructure permissions. It enforces security through mutual TLS gateways an
Tailscale is a zero-trust networking overlay that connects distributed devices and services into a private, encrypted mesh network. By utilizing a high-performance, user-space implementation of the WireGuard protocol, it establishes secure peer-to-peer tunnels across diverse network topologies without requiring complex firewall configuration. The platform operates on a centralized control plane that manages global network state, authentication, and policy distribution, ensuring that connectivity is governed by identity rather than traditional IP-based rules. What distinguishes Tailscale is it
The AWS Cloud Development Kit is an infrastructure-as-code framework that enables developers to define and provision cloud resources using familiar programming languages. By utilizing construct-based synthesis, it translates high-level, object-oriented code into declarative templates, allowing for the automated management of complex cloud environments through a centralized, code-driven control plane. The framework distinguishes itself through its ability to model infrastructure as a dependency-aware resource graph, ensuring that components are provisioned and updated in the correct order. It
ZenML is an extensible machine learning orchestration framework designed to manage the end-to-end lifecycle of data pipelines and AI agent workflows. It functions as a durable orchestrator that executes machine learning tasks as directed acyclic graphs, ensuring that every step is containerized for consistent performance across local, cloud, and hybrid infrastructure. By decoupling pipeline code from underlying compute and storage backends, the platform allows developers to define infrastructure-agnostic stacks that remain portable across diverse environments. The project distinguishes itself
Firezone is a zero trust network access platform that uses WireGuard to provide identity-based connectivity to internal network resources. It functions as a virtual private network that synchronizes authentication and user groups via OpenID Connect providers. The system implements a group-based access control engine to enforce least privilege by restricting network resources to specific user groups. It utilizes holepunching and relay protocols for NAT traversal to establish encrypted tunnels through firewalls without requiring inbound ports. The platform includes a control plane for managing
Ockam is an end-to-end encryption framework and distributed identity provider designed to establish secure communication between applications and devices. It provides a secure network overlay that utilizes cryptographic identities and attribute-based access control to implement zero trust network access. The project distinguishes itself through metadata-driven multi-hop routing and a pluggable transport layer, allowing encrypted traffic to move across diverse network topologies without requiring virtual IP overlays. It specifically enables secure tunneling for legacy applications by wrapping
Netmaker is a platform for automating and managing virtual mesh networks built on WireGuard. It functions as a centralized control plane that orchestrates encrypted, peer-to-peer tunnels across distributed infrastructure, including cloud environments, on-premise data centers, and containerized clusters. By automating the configuration of routing tables and access policies, the system enables secure, private connectivity between diverse devices and services without requiring manual network administration. The platform distinguishes itself through its focus on zero-trust network access and soft
This project is a community-curated directory of open-source software designed for deployment in private server environments and home labs. It serves as a comprehensive resource for discovering independent, self-hosted alternatives to mainstream cloud services, enabling users to maintain full data ownership and control over their digital infrastructure. The directory is structured through a hierarchical taxonomy that organizes a vast collection of applications into logical categories, ranging from media management and data analytics to private communication and team productivity tools. It dis
Quarkus is a Kubernetes-native Java framework designed for building high-performance, memory-efficient applications. It utilizes ahead-of-time native compilation to transform Java code into standalone, optimized binaries that eliminate the need for a virtual machine, enabling rapid startup and reduced memory consumption. By performing code augmentation during the build phase, it shifts heavy processing tasks away from runtime, ensuring that applications are optimized for cloud-native environments. The framework distinguishes itself through a unified approach to reactive and imperative program
Authentik is a centralized identity and access management platform designed to serve as a unified authentication authority. It enables enterprise single sign-on across diverse applications and services, providing a cloud-native identity provider that manages user sessions and security protocols from a single location. The platform distinguishes itself through a policy-driven flow engine and a visual orchestration interface. This allows administrators to design complex, custom authentication workflows by chaining modular verification stages and conditional logic. These workflows can be further
3proxy is a multi-protocol proxy server and network access control gateway. It functions as a network traffic forwarder capable of routing TCP and UDP traffic across HTTP, SOCKS, and various email and file protocols. The project provides specialized capabilities for secure traffic inspection, including the decryption and analysis of HTTPS and TLS streams through certificate spoofing and mutual authentication. It further supports client identity anonymization by routing outbound traffic through recursive upstream proxy chains. The software covers a broad range of network management functions,
Rathole is a high-performance reverse proxy and NAT traversal tool written in Rust. It functions as a secure tunneling server and client architecture designed to expose local services to the internet by forwarding traffic from a public IP to a private device behind a firewall. The system establishes encrypted tunnels between a public server and a private host to ensure private communication. It utilizes token-based authentication to validate identities between the server and client for each individual service. The project provides TCP and UDP port forwarding and manages private tunnels to fa
Kubero is a self-hosted Platform as a Service (PaaS) that simplifies the deployment, scaling, and management of containerized applications on Kubernetes. It functions as an application manager, CI/CD orchestrator, and multi-tenant manager, allowing users to run workloads without writing manual configuration files. The platform distinguishes itself through automated image synthesis, transforming source code from Git repositories into deployable containers via buildpacks, Dockerfiles, or nixpacks. It implements a GitOps delivery model with automated pipelines that trigger builds on push events
Flux is a Kubernetes GitOps delivery tool used to automate application deployments by synchronizing cluster state with configurations stored in Git, OCI, or Helm repositories. It functions as a set of controllers that monitor desired state in external sources and continuously reconcile the live cluster to match those definitions. The system distinguishes itself through a multi-cluster management plane that coordinates application delivery across fleets of remote clusters from a central hub. It provides a dedicated mechanism for automated image updates, which scans container registries for new
OpenVPN is a cross-platform networking solution that establishes secure virtual private network connections by wrapping data traffic within encrypted tunnels. It functions as a server-side application that authenticates remote endpoints and routes encrypted traffic to provide access to private network resources across untrusted public networks. The software utilizes standard cryptographic protocols to perform mutual authentication and key exchange over a dedicated control channel. It verifies the identity of remote systems through certificate-based authentication, ensuring that only trusted e
This project is a Kubernetes controller that automates the management of public-facing network resources and secure ingress connectivity. It functions by observing custom resource definitions to reconcile the desired state of network traffic with the actual configuration of internal services. The controller manages network connectivity by establishing secure outbound tunnels, which eliminates the requirement for traditional inbound firewall ports or port forwarding. It integrates directly with external cloud management interfaces to automate the lifecycle of these tunnels and synchronize doma
This project is an API gateway and ingress controller designed to manage traffic, security, and service connectivity within Kubernetes environments. It operates as a controller that monitors cluster state to reconcile gateway configurations with desired infrastructure definitions, ensuring that network policies and routing rules remain consistent across distributed deployments. The system distinguishes itself through a modular request pipeline that allows for the injection of custom logic to handle transformations, security checks, and logging. It supports declarative infrastructure managemen
Higress is an AI API gateway and cloud-native traffic manager that functions as a Kubernetes ingress controller. It provides a centralized system for routing, securing, and optimizing traffic directed toward large language models, AI agents, and microservice architectures. The project distinguishes itself through deep AI orchestration, including the ability to host and manage Model Context Protocol servers that transform REST APIs into tools for AI agents. It features specialized AI infrastructure for model request proxying, protocol translation across multiple providers, and semantic-based c
Gluetun is a containerized network utility designed to route traffic from multiple Docker containers through a secure virtual private network tunnel. It functions as a network gateway that encapsulates outgoing internet traffic to provide privacy and security for isolated application services. The project distinguishes itself by utilizing Linux network namespaces to isolate container traffic, ensuring that all outgoing packets are forced through a dedicated tunnel interface. It supports both OpenVPN and WireGuard protocols, managing the connection lifecycle and routing logic as a sidecar cont
Electerm is a multi-protocol terminal emulator and remote connection manager designed as a cross-platform remote client for Linux, macOS, and Windows. It serves as a unified workspace for remote server administration, supporting SSH, Telnet, Serial, and various remote desktop protocols such as RDP and VNC in a single interface. The project distinguishes itself by integrating AI assistants to suggest commands, write scripts, and explain console output. It also features a visual SFTP file manager for browsing and editing remote files, alongside the ability to broadcast a single input stream to
This project is a cloud-native identity and access management platform designed to centralize authentication, authorization, and identity lifecycle management. It functions as a standards-compliant OpenID Connect authorization server, providing secure session management and token issuance for web, mobile, and device-based applications. The platform is built to handle complex identity requirements through stateless token authentication and support for modern passwordless methods, including biometrics and hardware keys. What distinguishes this platform is its native support for multi-tenant env
Ockam is a zero-trust networking framework designed to secure data transit between distributed applications using an identity-based network overlay. It provides the primitives necessary to establish mutually authenticated and end-to-end encrypted connections, removing the reliance on traditional network-layer security. The project is distinguished by its use of attribute-based access control and verifiable credentials to manage trust at scale. It implements cryptographic identity rotation to maintain identity continuity and integrates with hardware-backed key management systems to secure priv
Tsuru is an open-source platform as a service for automating the build, deployment, and scaling of containerized applications. It functions as a container-based deployment engine and a management layer for Kubernetes, transforming source code into container images and coordinating their lifecycles. The platform is designed for multi-cloud infrastructure management, allowing applications to be distributed across different cloud providers and regions to increase resilience. It features a flexible deployment model that supports multi-process containers, enabling a single repository to run differ
This project is a Kubernetes ingress controller that manages external traffic routing by integrating directly with Google Cloud load balancing infrastructure. It functions as a controller that continuously reconciles the desired state of cluster ingress definitions with the actual configuration of cloud-native load balancers. The controller automates the provisioning of static or ephemeral IP addresses and configures load balancers to distribute network requests across multiple availability zones. It employs declarative mapping to translate abstract service definitions into concrete cloud inf
Godoxy is a Docker container orchestrator and reverse proxy manager. It provides a centralized system for managing the lifecycle, power states, and resource usage of virtualized containers, while routing HTTP, TCP, and UDP traffic to backend services with automatic route discovery. The project distinguishes itself through an OIDC access control gateway that authenticates users via external identity providers and a resource optimization system that puts idle containers to sleep and wakes them automatically when network requests arrive. It also includes an automatic SSL certificate manager that
Headscale is a self-hosted control plane for private mesh networking that enables the creation of secure, encrypted peer-to-peer networks. By acting as a centralized coordination server, it manages device authentication, cryptographic key exchange, and network topology, allowing distributed infrastructure to communicate without relying on third-party services. It implements a zero-trust security architecture, verifying device and user identity before granting access to internal resources. The project distinguishes itself by providing a fully independent, self-hosted alternative for managing n
Daytona is a cloud-native development environment platform designed to orchestrate ephemeral, containerized workspaces. It provides a centralized system for managing reproducible coding environments as code, ensuring consistency across distributed teams by abstracting the underlying infrastructure. By utilizing declarative configuration, the platform automates the entire lifecycle of development sandboxes, from initial provisioning to resource governance. The platform distinguishes itself through its infrastructure-agnostic runner layer, which allows development environments to be deployed ac
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili