Best Self-hosted Alternatives to Teleport

A curated collection of the 7 best self-hosted alternatives to Teleport.

Teleport is a cloud access platform that provides identity-based access to SSH servers, Kubernetes clusters, databases and internal web apps. It enforces SSO/OIDC/SAML, short-lived certificates, role-based access, session recording and audit logging.

Alternatives List

#1 OpenVPN

OpenVPN is a widely used open-source VPN daemon providing TLS/SSL-based secure tunneling, flexible client-server and site-to-site modes, and cross-platform support.

OpenVPN is an open-source VPN daemon that implements SSL/TLS-based secure tunneling for creating encrypted network connections. It supports both certificate-based and pre-shared-key modes, virtual TUN/TAP interfaces, and is portable across major operating systems.

Key Features

  • TLS/SSL-based authentication and encryption using the OpenSSL ecosystem
  • Supports multiple modes: SSL/TLS client-server, static key (pre-shared), routed (tun) and bridged (tap)
  • Works with TUN/TAP virtual network interfaces for flexible routing and bridging
  • Extensive configurability via command-line options and config files; sample configs and scripts included
  • Cross-platform codebase with primary implementation in C and build support for Unix-like systems and Windows
  • Multiple authentication and integration options for Access Server (local, PAM, RADIUS, LDAP, SAML) and extensible scripting hooks
  • Build and packaging support via Autotools and CMake; project maintained on a public Git repository

Use Cases

  • Secure remote-access VPN for employees connecting to corporate networks
  • Site-to-site encrypted tunnels to link branch offices or cloud networks
  • Enabling secure access to internal services and resources from untrusted networks

Limitations and Considerations

  • PKI and certificate management can be complex for new administrators; external tooling or guides are typically required
  • Users seeking minimal latency and very small codebase may prefer newer kernel-level protocols (e.g., WireGuard) for some use cases
  • Reliance on external crypto libraries (OpenSSL and alternatives) increases the importance of timely dependency updates and security maintenance

OpenVPN remains a mature, feature-rich VPN implementation with a long history and broad platform support. It is suited to a wide range of secure tunneling needs but requires careful operational management for PKI and dependency security.

13.3k stars, 3.3k forks

#2 Warpgate

Self-hosted transparent bastion host and PAM for SSH, HTTPS, MySQL and Postgres with RBAC, session recording, and SSO/2FA—no client-side software required.

Warpgate is a transparent bastion host and privileged access management (PAM) service for securing access to internal SSH, HTTPS, MySQL, and PostgreSQL targets. It authenticates users, forwards connections directly to the target service without client wrappers, and provides auditing through an admin web UI.

Key Features

  • Native listeners for SSH, HTTPS, MySQL, and PostgreSQL, with transparent forwarding to target services
  • Role-based access control (RBAC) with precise user-to-service assignments
  • Session recording with live view and replay for auditing
  • Built-in admin web UI to manage users, targets, access, and session history
  • SSO and 2FA support, including OpenID Connect and TOTP
  • Single-binary deployment with minimal operational dependencies

Use Cases

  • Secure controlled access to production servers and databases without VPNs or jump host configuration
  • Audited contractor or third-party access with session replay and command-level visibility
  • Acting as a proxy entrypoint for internal HTTPS services (including developer tooling endpoints)

Limitations and Considerations

  • Default session history storage uses SQLite, which may not fit all scaling/HA requirements

Warpgate is suited for teams that need strong access controls, auditability, and SSO-backed authentication for infrastructure services while keeping client connections fully standard. It is particularly useful when you want bastion-like security without broad network access exposure.

6.6k stars, 239 forks

#3 Pomerium

Pomerium is an identity-aware access proxy that provides zero trust, per-request authorization to internal web apps and services without a traditional VPN.

Pomerium is an identity- and context-aware access proxy that sits in front of applications to enforce Zero Trust access. It enables clientless access to internal web apps and services, applying policy to every request rather than relying on network perimeter trust.

Key Features

  • Identity-aware access proxy for internal web apps and services
  • Per-request authorization with continuous policy enforcement (not just session-based)
  • Context-aware policies using signals like identity, time, and device context
  • Works across cloud, hybrid, and on-prem environments without re-architecting apps
  • Supports multiple identity types, including humans and non-human/service identities
  • Audit-focused logging of access decisions to support compliance and investigations

Use Cases

  • Replace or reduce reliance on traditional VPN access for internal applications
  • Secure legacy apps that lack built-in authentication/authorization
  • Enforce consistent, centralized access policy across mixed environments

Limitations and Considerations

  • Requires integration with an identity provider and careful policy design to avoid overly broad access
  • Introducing a proxy layer may require planning for routing, certificates, and high availability in production

Pomerium is well-suited for teams that want identity-first, policy-based access controls for internal services. It provides a consistent way to secure applications and improve auditability while avoiding blanket network access typical of VPN-based approaches.

4.7k stars, 321 forks

#4 Apache Guacamole

Open-source browser-based gateway enabling VNC, RDP, and SSH access to remote desktops without client software.

Apache Guacamole is a clientless remote desktop gateway that lets you access remote desktops from a browser using VNC, RDP, and SSH. It requires no client installation on the target machines; connectivity is mediated by a server component called guacd, and the web UI runs in a Java servlet container.

Key Features

  • Clientless HTML5 web application; no plugins or client software required
  • Supports VNC, RDP, and SSH through the guacd proxy
  • Web UI (Java) with a pluggable API and guacd as the translation proxy
  • Extensible APIs for adding protocol support and authentication extensions
  • Open source under the Apache License 2.0 with active community support
  • Deployable behind firewalls; desktops can be accessed securely via the gateway

Use Cases

  • Remote administration: access on-premises desktops/servers from any device with a browser
  • Cloud or VM access: connect to cloud-hosted desktops without exposing target machines
  • Integrations: embed Guacamole in custom portals or secure access workflows via its core APIs

Conclusion

Apache Guacamole provides browser-based remote desktop access without client software, backed by a modular, open-source stack. It is designed for flexible deployments across on-premises and cloud environments, with extensible APIs and active community support.

3.7k stars, 737 forks

#5 ShellHub

Centralized SSH gateway to remotely manage Linux servers, containers and IoT devices via web or native SSH; offers key auth, firewall rules, audit logging and session recording.

ShellHub is a centralized SSH gateway that lets teams remotely access and manage Linux servers, containers and embedded devices using a web UI, mobile app or standard SSH clients. It aggregates devices behind a single gateway and provides centralized access controls, logging and session playback.

Key Features

  • Native SSH access (supports OpenSSH/standard SSH clients) for web and terminal connections.
  • Web-based terminal and mobile access with session recording and built-in replay player.
  • Public-key authentication and configurable SSH firewall rules for granular access control.
  • SCP/SFTP support and container (Docker) access integration for remote container management.
  • Microservices deployment using Docker Compose; production guidance includes HTTPS/NGINX and persistent MongoDB volumes.

Use Cases

  • Centralized remote administration of distributed Linux servers and IoT/embedded fleets.
  • Secure remote troubleshooting and maintenance of Docker containers and edge devices.
  • Compliance and auditing through recorded SSH sessions and audit logs for forensic review.

Limitations and Considerations

  • Certain advanced features vary by edition: HTTP/Web Endpoints, SAML improvements and some session-recording backend behaviors are listed as Enterprise/Cloud features in the project releases. Storing large volumes of session recordings at scale can require S3-compatible storage (e.g., MinIO).
  • The recommended self-hosted deployment expects Docker Engine / Docker Compose and a MongoDB service; production setups require additional configuration for persistent volumes, HTTPS termination and proxy protocol handling.

ShellHub provides a focused, open-source platform to centralize SSH access for cloud, edge and IoT environments. It is available as a Community (open-source) edition plus paid Cloud and Enterprise editions that add managed and enterprise features.

1.9k stars, 173 forks

#6 Jauth

Single-binary TLS reverse proxy for self-hosted apps that provides SSH- and Telegram-based authorization, simple SSO, Let's Encrypt support and whitelist access control.

Jauth is a compact SSL/TLS reverse proxy written in Go that protects self-hosted applications by requiring authorization before proxying traffic. It provides SSH- and Telegram-based login methods, optional single sign-on behavior, and can obtain certificates automatically or use self-signed/manual certificates.

Key Features

  • Single static binary with minimal dependencies, designed for simple self-hosting
  • TLS support via autogenerated self-signed certificates, manual certificates, or ACME/Let's Encrypt
  • Authorization via an integrated SSH server (authorized_keys) and Telegram login widget validation
  • Optional lightweight SSO: authenticated username is forwarded to backend via Remote-User header
  • Per-domain configuration, domain-specific whitelists and optional per-domain Telegram users
  • Whitelist-based access control and a NoAuth mode to act as a plain TLS proxy
  • Stores authenticated sessions/tokens on disk for session persistence between restarts
  • Defaults that let it run with minimal configuration while supporting custom TOML config

Use Cases

  • Protect web interfaces and internal dashboards for self-hosted apps without adding app-level auth
  • Provide a simple SSO/pass-through header for multiple services behind the same gateway
  • Allow SSH key or Telegram-based access for teams that prefer key-based authentication or tokenless login flows

Limitations and Considerations

  • Telegram-based login requires registering a bot and binding it to a domain (one bot per domain); Jauth validates tokens rather than using the Telegram bot API directly
  • ACME certificate issuance is per-domain and may be delayed; logs may not always show issuance progress
  • SSO is minimal (username is forwarded via header) and is not a full-featured identity provider or OIDC/SAML implementation
  • Session tokens are stored in a local file; if running with dropped privileges or restricted filesystem access, token persistence or state saving may be affected

Jauth is focused on minimalism and pragmatic access control for self-hosted services. It is suitable when a lightweight, single-binary TLS proxy with SSH/Telegram authorization and simple SSO semantics is preferred over a full identity platform.

177 stars, 8 forks

#7 Engity's Bifröst

Advanced SSH server and bastion that authenticates via OpenID Connect or keys, runs sessions inside Docker containers or Kubernetes pods, and supports automatic user provisioning.

Bifröst is an advanced, SSH-protocol-compliant server designed as a modern bastion/jump host. It supports traditional public-key SSH authentication and OpenID Connect/OAuth2 identity providers, and can execute user sessions directly inside Docker containers or Kubernetes pods for isolated, ephemeral environments.

Key Features

  • Full SSH protocol compatibility while supporting OpenID Connect/OAuth2 authentication alongside SSH keys
  • Execute user sessions inside per-user Docker containers or directly inside Kubernetes pods
  • Automatic user provisioning and cleanup based on configurable templates and idle timeouts
  • "Remember me" behavior to temporarily cache provided public keys for faster reconnects during an active session
  • Configurable execution environments with custom images, networks, and resource constraints
  • Designed to replace OpenSSH as a bastion while integrating SSO identity providers for centralized access control

Use Cases

  • Provide SSO-backed SSH access for developers, operators, or contractors without additional client tooling
  • Offer ephemeral, isolated shells for diagnostics or support by launching users into containerized environments
  • Grant direct access to a Kubernetes cluster by entering dedicated pods without port-forwarding or kubectl proxies

Limitations and Considerations

  • Project is under active development; configuration model and CLI/API structure are reported as evolving and may change
  • Not all enterprise features (advanced RBAC, extensive audit integrations) may be production-ready depending on deployment needs

Bifröst is suitable for teams that need SSO-integrated SSH access and ephemeral container/pod sessions. It combines SSH compatibility with modern identity and container orchestration workflows for streamlined, centrally-managed access.

74 stars, 1 fork

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running