Best Self-hosted Security & Privacy tools in 2026

Open-source web and API service to create encrypted, single-view links for sharing secrets with configurable expiry and optional passphrase protection.

Alternative to:

Onetime Secret+6

Enterprise-grade zero-trust access management platform providing WireGuard VPN with true protocol-level 2FA/MFA, plus integrated OpenID Connect SSO and user/device contro...

Alternative to:

Defguard Cloud+19

Open-source tool for sharing secrets and files via client-side OpenPGP encryption and one-time expiring links.

Alternative to:

Onetime Secret+3

Privacy-first, end-to-end encrypted password and email alias manager with passkeys, TOTP, apps and extensions, plus a built-in email server for self-hosting.

Alternative to:

SimpleLogin+12

Centralized SSH gateway to remotely manage Linux servers, containers and IoT devices via web or native SSH; offers key auth, firewall rules, audit logging and session rec...

Alternative to:

Teleport+14

Simple local ad blocker that updates your system hosts or dnsmasq rules to block ad and tracking domains across any browser or application.

Alternative to:

AdGuard+5

Secure low-code honeypot framework that uses LLMs to simulate high-interaction systems across SSH/HTTP/TCP and MCP, with metrics and cloud-native deployment options.

Alternative to:

Thinkst Canary+1

VoidAuth is a self-hosted SSO provider with OpenID Connect, ForwardAuth proxy auth, and built-in user and group management plus MFA and passkeys.

Alternative to:

Auth0+19

On-prem password manager enabling secure sharing and fine-grained access control over credentials.

Alternative to:

Bitwarden+9

High-performance web application firewall and API security gateway with semantic detection, rule management, and reverse-proxy deployment for protecting websites and APIs...

Alternative to:

Cloudflare Web Application Firewall (WAF)+9

Self-hosted ingress platform that exposes internal HTTP/TCP services to the internet through reverse WireGuard tunnels, with NGINX routing and automatic TLS certificates.

Alternative to:

ngrok+13

Open-source platform for secure, anonymous whistleblowing and case handling, designed for privacy by default and adaptable to many reporting use cases.

Open-source Auth0/Clerk/Firebase Auth alternative with passkeys, MFA, SSO (OIDC/SAML), user management portal, and extensible auth flows for web and mobile apps.

Alternative to:

Auth0+19

Databunker is a self-hosted vault that tokenizes and encrypts PII/PHI/KYC/PCI data, providing a secure API, consent management, and audit trails for compliance.

Alternative to:

Skyflow

Open-source security analytics framework for event tracking, in-app threat detection, and risk management to protect applications from abuse, bots, and account takeover.

Alternative to:

Splunk+4

Share sensitive text or files securely using client-side encryption, expiring links, view limits, and optional password protection.

Alternative to:

Onetime Secret+3

ZTNET is a self-hosted web UI for administering private ZeroTier controllers, with multi-user access, organization support, and streamlined network and member management.

Alternative to:

ZeroTier

NetGoat is a self-hostable reverse proxy and traffic management platform offering Cloudflare-like features such as TLS termination, rate limiting, WAF-style filtering, an...

Alternative to:

Cloudflare+11

Self-hosted DNS sinkhole written in Go that blocks ads, trackers and malicious domains; provides a modern web dashboard, Docker support, DoT/DoH options and realtime stat...

Alternative to:

AdGuard+5

Mozilla Accounts (FxA) is an account and authentication service used by Mozilla clients, providing login, session management, and account-related APIs for Mozilla product...

Alternative to:

Auth0+15

Turnkey OAuth 2.0/OIDC authentication system with admin panel, REST APIs, RBAC, MFA, social login, and flexible deployment on Cloudflare Workers or Node.js.

Alternative to:

Auth0+19

Self-hosted one-time, self-destructing message service that stores secrets in HashiCorp Vault, with a lightweight web UI and optional TLS automation.

Alternative to:

Onetime Secret+1

Simple PHP app for one-time encrypted secret sharing. Stores encrypted secrets in SQLite, deletes on retrieval, and provides a curl API and Docker images.

Alternative to:

Onetime Secret+1

Open-source centralized ACME client to manage TLS certificates with automated renewals, API-key retrieval for clients, http-01/dns-01 challenge support, Go backend and Re...

Alternative to:

Caddy Cloud+5

Tiny Flask app to create encrypted, expiring secrets shareable via private links. Secrets are encrypted and deleted after viewing, expiration, or max attempts.

Alternative to:

Onetime Secret+1

Self-hosted web app to generate, manage and distribute mTLS client and server certificates with OIDC auth, email alerts and a REST API.

Alternative to:

Venafi TLS Protect+5

Self-hosted encrypted file sharing and vault. Client-side encryption, shareable expiring links, CLI and web UI, and storage backends (local, S3, Backblaze B2).

Alternative to:

WeTransfer+17

Cupdate auto-detects container images in Kubernetes, Docker or Podman, finds newer versions and exposes results via a UI, API and RSS feed with vulnerability metadata.

Alternative to:

JFrog Xray+10

Lightweight PHP dashboard that converts Fail2Ban logs into searchable JSON reports and centralizes UFW-based blocklist control with HTTPS-based multi-server sync.

Alternative to:

Fail2Ban

Web app to create, print, email, and manage UniFi guest vouchers with OIDC support, kiosk mode, PDF/thermal printing, and a REST API. Deployable via Docker.

Alternative to:

Proxyclick+1