Amnezia VPN
Amnezia VPN is a self-hosted client that allows you to set up a VPN on your own server using various protocols: OpenVPN, WireGuard, OpenVPN over Cloak, AmneziaWG, XRay, and others. The service does not log your requests. In addition to the self-hosted option, Amnezia VPN offers AmneziaFree, a free VPN available in Russia, Turkey, Iran, Kyrgyzstan, and Myanmar, which allows bypassing restrictions on socially significant and popular resources for free. Amnezia VPN also provides Amnezia Premium, a VPN service for unrestricted access to any websites with five different locations and unlimited connection speed.
Based on WireGuard, the AmneziaWG protocol enables bypassing restrictions even in countries where other VPN protocols are blocked.
The client’s source code, as well as the source code for the AmneziaWG protocol, is available on GitHub.
Learn more
Headscale
Headscale is an open-source, self-hosted implementation of the control server used by the Tailscale network, enabling users to keep full ownership of their private tailnets while using Tailscale clients. It supports registering users and nodes, issuing pre-authentication keys, advertising subnet-routes and exit-node capabilities, enforcing access-control lists, and integrating with OIDC/SAML identity providers for user authentication. The server is deployable via Debian/Ubuntu packages or standalone binaries, configurable through a YAML file, and managed via its CLI or REST API. Headscale tracks each node, route, and user in its database, supports route approval workflows, and enables features such as subnet routing, exit node designation, and node-to-node mesh within the tailnet. Being self-hosted, it gives organizations and hobbyists full control over their private network endpoints, encryption keys, and traffic flows, rather than depending on a commercial control plane.
Learn more
Cloudflare Tunnel
From the moment an application is deployed, developers and IT spend time locking it down — configuring ACLs, rotating IP addresses, and using clunky solutions like GRE tunnels. There’s a simpler and more secure way to protect your applications and web servers from direct attacks: Cloudflare Tunnel. Ensure your server is safe, no matter where it’s running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV. Cloudflare Tunnel is tunneling software that lets you quickly secure and encrypt application traffic to any type of infrastructure, so you can hide your web server IP addresses, block direct attacks, and get back to delivering great applications. The Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center, all without opening any public inbound ports.
Learn more
Pangolin
Pangolin is an open source, identity-aware tunneled reverse-proxy platform that lets you securely expose applications from any location without opening inbound ports or requiring a traditional VPN. It uses a distributed architecture of globally available nodes to route traffic through encrypted WireGuard tunnels, enabling devices behind NATs or firewalls to serve applications publicly via a central dashboard. Through the unified dashboard, you can manage sites and resources across your infrastructure, define granular access-control rules (such as SSO, OIDC, PINs, geolocation, and IP restrictions), and monitor real-time health and usage metrics. The system supports self-hosting (Community or Enterprise editions) or a managed cloud option, and works by installing a lightweight agent on each site while using the central control server to handle ingress, routing, authentication, and failover.
Learn more
