Pomerium VS S.S.Octopus

Option 3: Pomerium might be an alternative as well.

That is not how you do Zero Trust. You want to use an Identity Aware Proxy. There are lots of ways you can implement this with Google as your core auth. For example Pomerium or oauth2-proxy.

I’m really surprised this sub has no love for Pomerium. I feel like it’s as simple as Caddy with all the security benefits of Traefik.

I am not sure if I understand how Pomerium works (or any identity-aware proxy).

Pomerium sidecar.

Just want to drop https://www.pomerium.com/ here. We use it at our company with ~1500 people with many apps behind the proxy. It also supports JWT for the backend, so you can integrate your apps easily without having to worry about the OAuth flow and also your apps are protected from random internet attacks.

You’ve got to protect. Anonymity is not going to work. Pomerium is another option in addition to those already suggested. https://github.com/pomerium/pomerium

I am currently looking at Wireguard/Tailscale (Wireguard based) options - early days for me so far. Also planning to look at something like Pomerium for a zero trust approach. https://www.pomerium.com/

2. An identity aware SSO proxy by Buzzfeed[0]

I really like Buzzfeed's SSO implementation, but it hasn't received updates in a while and doesn't seem to be maintained to me. I could absolutely see OpenZiti replacing this for me.

I really like Wireguard and have absolutely no complaints with it -- but if OpenZiti could replace this as well and match the performance I get on Wireguard I would consider implementing it at home (and would probably be a happy enough customer to push for it at work).

One non-typical use-case I use Wireguard for is being able to do remote game streaming to my Windows hosts via Moonlight+Nvidia Gamestream. Would anyone be able to (anecdotally or scientifically), share how well a use-case like this would work with OpenZiti?

[0] https://github.com/buzzfeed/sso

In addition to this suggestion, another viable route is to self-host those applications you rely on and don't expose them to the world (so as to reduce load/attack surface). Using a VPN can allow you to access the applications privately/remotely.

e.g. I self-host the applications I rely on such as Teddit, Nitter, Bibliogram and Cloudtube and then use Wireguard to always remain connected to the network they are accessible on. I have also implemented identity-aware SSO[1] so I can expose those applications remotely to specific individuals.

[1] https://github.com/buzzfeed/sso

If oauth2-proxy doesn't suit your needs, there are some projects that have spun-off from oauth2-proxy like pomerium and BuzzFeed's sso. In addition to the open source library, Pomerium offers a paid service with a GUI to help IT staff more easily manage user permissions. BuzzFeed's sso builds upon oauth2-proxy by separating the domain used for auth from the domain used for the proxy (among several other changes).

SSO to the rescue!

https://github.com/buzzfeed/sso - Google only