Best Self-hosted Security & Privacy tools in 2026

BunkerWeb is an open-source WAF and NGINX-based reverse proxy to protect web apps and APIs with HTTPS automation, security policies, and extensible plugins.

Alternative to:

Cloudflare Web Application Firewall (WAF)+10

MyIP (IPCheck.ing) is an open-source web IP toolbox that detects local/public IPs, runs DNS leak and WebRTC checks, speed/latency/MTR tests, availability and whois lookup...

Alternative to:

WhatIsMyIPAddress.com+10

Firezone is a zero-trust VPN replacement built on WireGuard, providing identity-aware access policies, peer-to-peer encrypted tunnels, and lightweight gateways.

Alternative to:

Tailscale+11

step-ca is a private CA and ACME server for issuing and automating X.509 TLS and SSH certificates, enabling short-lived credentials and secure enrollment for teams.

Alternative to:

HashiCorp Vault+7

Graylog is an open source platform for collecting, indexing, searching, and alerting on logs and machine data from many sources in one place.

Alternative to:

Graylog Cloud+11

iodine is a DNS tunneling tool that forwards IPv4 traffic through DNS queries and replies, providing a TUN interface to route IP traffic when only DNS is allowed.

Alternative to:

Cloudflare Tunnel+15

Tinyauth is a lightweight auth middleware that adds a login screen, OAuth, or LDAP authentication in front of your apps via common reverse proxies.

Alternative to:

Cloudflare Access+17

Self-hosted lightweight LAN IP/ARP scanner with web dashboard, new-host notifications, online/offline history, and metrics export to Prometheus or InfluxDB for Grafana.

Alternative to:

Fing+9

Pocket ID is a simple self-hosted OpenID Connect (OIDC) provider that lets users sign in to apps using passkeys instead of passwords.

Alternative to:

Auth0+19

Self-hosted transparent bastion host and PAM for SSH, HTTPS, MySQL and Postgres with RBAC, session recording, and SSO/2FA—no client-side software required.

Alternative to:

Teleport+7

Self-hostable observability platform for uptime monitoring, alerting, incident management, on-call, status pages, logs, and APM in one integrated suite.

Alternative to:

OneUptime+19

ClamAV is an open-source antivirus toolkit providing a multi-threaded daemon, command-line scanners, and automatic signature updates for mail gateways and file scanning.

Alternative to:

McAfee+8

Self-hosted Node.js server for remote monitoring, web-based remote desktop, terminal, file access and multi-DB device management.

Alternative to:

TeamViewer+14

LLDAP is a lightweight LDAP server for authentication and user management, providing a simplified LDAP interface, a web admin UI, and SQLite/MySQL/PostgreSQL backends.

Alternative to:

Microsoft Active Directory+2

Self-hosted network visibility and presence scanner that discovers connected devices and alerts on new, unknown, or changed hosts across your LAN/Wi‑Fi.

Alternative to:

Fing+8

Cosmos Cloud is a security-focused self-hosting platform that provides an app store, reverse proxy with automatic HTTPS, SSO/MFA, container management, backups, and monit...

Alternative to:

Cloudron+18

Passbolt is an open-source, security-first password and secret manager for teams, with end-to-end encryption, granular sharing permissions, and auditing.

Alternative to:

Passbolt Cloud+11

OpenBao is an open source secrets management platform to securely store, generate, lease, and revoke secrets, certificates, and encryption keys with auditing and access c...

Alternative to:

HashiCorp Vault+3

Lightweight, self-hostable CAPTCHA alternative using SHA-256 proof-of-work challenges to protect forms and APIs from bots without tracking or visual puzzles.

Alternative to:

Google reCAPTCHA+8

Pomerium is an identity-aware access proxy that provides zero trust, per-request authorization to internal web apps and services without a traditional VPN.

Alternative to:

Cloudflare Access+12

Kanidm is a secure identity management platform providing SSO, passkeys (WebAuthn), and integrations like OAuth2/OIDC, RADIUS, and LDAP gateway for legacy apps.

Alternative to:

Okta+19

OPNsense is an open source FreeBSD-based firewall and routing platform with a web GUI, API, VPN, traffic shaping, and security features for networks and homelabs.

Alternative to:

Fortinet FortiGate+12

Cerbos is a scalable, language-agnostic authorization layer for defining and evaluating context-aware access control policies via a dedicated Policy Decision Point (PDP)...

Alternative to:

OSO Cloud+17

OpenZiti is an open-source zero trust networking platform that builds an identity-based overlay mesh with SDKs, tunnelers, and policy-based access controls.

Alternative to:

Zscaler Private Access+14

Open-source web app to manage TOTP/HOTP 2FA accounts: scan QR codes, generate one-time codes, import/export tokens, and protect access with WebAuthn and optional encrypti...

Alternative to:

Google Authenticator+3

Self-hosted web dashboard for WireGuard and AmneziaWG to manage configs, peers, and access with a simple UI and optional 2FA.

Alternative to:

Tailscale+15

Open-source app that creates self-deleting secret links with audit logs.

Alternative to:

Onetime Secret+1

GLAuth is a lightweight LDAP/LDAPS authentication server for development, CI, and homelabs, supporting file, S3, SQL, or LDAP proxy backends and optional 2FA.

Alternative to:

Microsoft Active Directory+5

Canarytokens generates honeytokens (URLs, files, credentials, docs) that alert you when an attacker touches them, helping detect breaches early.

Alternative to:

Thinkst Canary+2

Wizarr automates user invitations and onboarding for Plex, Jellyfin, Emby and similar media servers, with SSO, time-limited access, Discord and request-system integration...