
Thanks, I thought I knew all the major mesh VPN options (tinc, nebula, tailscale, zero tier, hamachi) and yet I never heard of yggdrasil.

This is the kind of comment I love HN for!




Here is another (sort of), OpenZiti - https://openziti.github.io/. OpenZiti provides a mesh overlay network built on zero trust principles with outbound only connections so that we do not need inbound ports or link listeners. Similar to TS, you can host anything anywhere, and it has options to deploy on any popular host OS or as a virtual appliance.

What makes it really unique though is that it can actually be embedded inside the application via a suite of SDKs. Yes, private, zero trust connectivity inside an application! That provides the highest security and convenience as it can be completely transparent to the user!

Disclaimer, I work for the company who built and maintains OpenZiti so I am opinionated.


All the solutions I mentioned are outbound only (for the clients), though they do all have a central point which is open for inbound connections so they can find each other. Or in some cases their own cloud serves this purpose. They call them lighthouses, Moons, etc but the principle is the same.

The embedding inside an app sounds like a really cool discerning feature though. I'll have a look!


Yes, outbound only is great for client side and for me table stakes. OpenZiti allows you to make the server side outbound only too. Do you care about Log4Shell or Spring4Shell when your server is dark to the internet? Java Magazine recently did a piece on it as the OpenZiti team 'zitified Springboot' - https://blogs.oracle.com/javamagazine/post/java-zero-trust-o.... We also recently zitified Prometheus - https://openziti.github.io/articles/zitification/prometheus/...... private, outbound-only connectivity natively part of the code.


Oh that's interesting. But how do the server and clients manage to find one another then? Indeed an outbound-only server is a discerning feature and a huge security advantage.

I should really read up on it. I know... I will soon!


OpenZiti has an architecture of 'Edge' and 'fabric'. The Edge is at source and destination and outbound connects into the fabric. The fabric is SDN; the edge connects and authenticates/authorises to the controller based on embedded identity, then, based on policy and rules, outbound connects to the data plane using smart routing over the mesh. The fabric only 'listens' for endpoints which have embedded, correct identity based on a process called 'bootstrapping trust' (there is a 5 part blog on this).

Clint and Ken did a really good ZitiTV on Friday which covered many of the cool superpowers of OpenZiti - https://www.youtube.com/watch?v=4wOGvZqN6Co&ab_channel=OpenZ...


Hey! Netmaker author here. I think it’d be a cool option for this use case. We have some users already doing blockchain stuff. Benefits are it’s self hosted, so you don’t need to depend on a SaaS, no mandatory 3rd party auth, and a lot faster because of kernel WireGuard.



