Native SAML/SSO for Linux and Android — including headless servers and CI/CD pipelines
Complete CRV1 challenge flow — Okta, Azure AD, Google Workspace, any AWS-supported IdP.
workingStatically linked binary. No Mono, no Java, no Electron. Pure Go — zero runtime dependencies.
workinglibadwaita app for GNOME. Profile importer, connection status, tray icon. Ships as an RPM.
workingPure Go VPN core via gomobile — no NDK, no JNI. SAML auth in-app via Chrome Custom Tab.
workingCI/CD runners and remote VMs can't open a browser. Relay lets a human approve VPN auth from their phone with one tap. Demo available — no account required.
v1.0.4Fully reproducible builds. No prebuilt blobs. Fedora COPR packages for FC43/44/rawhide on three architectures.
workingRelay backend passes full OWASP audit: token auth on every endpoint, per-user ownership checks, payload limits, and CloudWatch alerting on auth failures.
v1.0.4AWS Client VPN requires a browser for SAML authentication — fine on a developer laptop, impossible on a CI runner or a remote VM behind NAT. The Relay bridges the gap: the headless agent registers, a human approves from their phone, the tunnel comes up. Zero credentials stored in CI. Try it instantly with the public demo token.
A clean libadwaita app that lives in your GNOME tray. Import a profile, click Connect — SAML opens in your browser, the tunnel comes up, and the tray icon turns red. Includes a Relay screen to approve headless agent connections from the same app.
