🩺 Vitals
- 🟢 Last active: 2026-07-16
- 📦 Latest release: v2.0.0 (2026-05-20)
- 🐞 Open issues: 251
- 🌟 Stars: 4.3k
What do these metrics mean?
- Last active: when code was last pushed, as of our last check. The dot is green when that was recent, grey otherwise. A long gap can mean a tool is finished and stable, not only unmaintained.
- Latest release: the most recent tagged, packaged version the maintainers published. Not every healthy project tags releases.
- Open issues: unresolved reports and requests. A high number is normal for a popular project and is not a warning on its own.
- Stars: how many people bookmarked the project on its forge. A rough popularity signal, not a measure of quality.
🏗️ Profile
- Official: openziti.io
- Source: github.com/openziti/ziti
- License: Apache-2.0
- Deployment: Docker | Kubernetes | Native
- Data Model: BoltDB (embedded)
- Jurisdiction: USA 🇺🇸 (NetFoundry Inc.)
- Compliance (SaaS): SOC 2 Type II (NetFoundry Cloud)
- Compliance (Self-Hosted): Self-Hosted (User Managed)
- Complexity: High (4/5) - Self-managed PKI (root and intermediate CAs), controller, and a distributed router fleet
- Maintenance: High (4/5) - Certificate lifecycle and rotation, controller availability, and overlay router upkeep
- Enterprise Ready: Moderate (3/5) - Full identity, mTLS, and least-privilege controls with no capability paywall; commercial support and FIPS builds available from NetFoundry, but operations demand real network expertise
1. The Executive Summary
What is it? OpenZiti is an open-source, identity-based zero-trust networking overlay. Where a WireGuard mesh such as NetBird secures connectivity at the device and network layer, OpenZiti operates one level up: every connection is authenticated and authorised by identity with mutual TLS, and services can be made "dark" — reachable only through the authenticated overlay, exposing zero inbound ports to the network. Its SDKs let teams embed that zero-trust access directly into an application, so the security travels with the app rather than depending on where it is deployed. The full stack — controller, routers, and edge tunnelers — is self-hostable from the Apache-2.0 repository, with no cloud callback required. NetFoundry, the commercial sponsor, offers a managed control plane, FIPS-validated builds, and support, but it gates no capability out of the open-source project.
The Strategic Verdict:
- 🔴 For Teams Wanting a Drop-In VPN: Caution. OpenZiti is a zero-trust networking platform, not a turnkey mesh. It requires you to stand up and operate your own PKI, controller, and router fleet — real network and operations expertise. If the goal is devices on a private mesh in minutes, a WireGuard-based tool like NetBird is the lighter path.
- 🟢 For Platform Teams Embedding Zero Trust: Strong Buy. OpenZiti lets you bake identity-based, mTLS access into the application itself, with dark services that present no attackable surface. It is fully Apache-2.0 and self-hostable end to end, controller included, with no capability held back for a paid tier — you own the entire zero-trust fabric outright.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Zscaler (SaaS) | OpenZiti (Self-Hosted) |
|---|---|---|
| License Fee | Per-user ZPA subscription | $0 (Apache-2.0) |
| Control Plane | Vendor-operated cloud | Self-hosted controller; you own it |
| Capability Gating | Tiered feature access | No capability paywall; full OSS |
| Support / FIPS | Bundled enterprise plan | Optional via NetFoundry |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: The controller and routers deploy via Docker, Kubernetes (Helm), or native Linux packages; edge tunnelers and SDKs connect clients and applications. A first deployment requires initialising the PKI and enrolling identities, which is more involved than a WireGuard mesh but produces a full identity-aware overlay.
- Scalability: Routers form a distributed mesh that carries traffic close to the edge, and the controller can be run in a highly available cluster (high-availability controllers landed in the v2.0 release). Scaling is a function of how many routers you place and where; there is no per-node licence ceiling.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics (USA 🇺🇸): NetFoundry is a US corporation, which places its managed offering within reach of the US CLOUD Act. Self-hosting neutralises this for the open-source deployment: the controller and routers require no cloud callback or telemetry and can run fully air-gapped, so the sponsor's jurisdiction has no bearing on a self-operated overlay.
- The Compliance Shift (You Own the PKI): Self-hosting transfers the full operational burden, and OpenZiti concentrates it in the certificate authority. The overlay's trust derives from a PKI you generate and hold; safeguarding the root and intermediate CAs, rotating certificates, and maintaining controller availability are your responsibility. The software supplies strong controls — mutual TLS on every hop, identity-based least privilege, and dark services — but the compliant environment around them, including audit and monitoring, is yours to build. NetFoundry's managed cloud holds a SOC 2 Type II attestation, but a self-hosted deployment inherits no certification of its own; the mTLS and identity controls support an audit whose evidence you must produce yourself.
- License & Governance (Apache-2.0, Single Sponsor): The licence is permissive Apache-2.0 across the core project — no copyleft, no commercial trigger, no embedding risk, the cleanest posture among the self-hosted access tools. The governance nuance is sponsorship concentration: development is driven principally by NetFoundry. Because the entire product is open source rather than open-core, however, there is no gated capability to lose and the project remains forkable — a materially lower lock-in exposure than dual-licensed or open-core alternatives.
4. Market Landscape
🏢 Proprietary Incumbents
- Zscaler: The enterprise zero-trust network access standard (Zscaler Private Access), delivered as a US-operated cloud. Comprehensive and heavily certified, but proprietary end to end, per-user priced, and brokered entirely through Zscaler's infrastructure.
- Twingate: A modern, cloud-managed zero-trust access service that is quick to adopt but keeps the control plane and policy engine on the vendor's SaaS — the coordination layer is never yours to run.
🤝 Open Source Ecosystem
- NetBird: A self-hostable WireGuard mesh with integrated identity and policy. Secures connectivity at the network layer rather than embedding zero-trust into the application, and is considerably lighter to operate.
- Nebula: The permissively licensed overlay networking tool originally built at Slack. A self-hostable, certificate-based mesh, lower-level than OpenZiti's identity-aware, application-embeddable model.