
It took me too long to understand the difference between the two so I'll leave it here for others. Octelium operates on OSI Layer 7 and Tailscale operates on OSI Layer 3 and 4.
Well, yes, Octelium is technically a VPN from a layer-3 perspective since it uses WireGuard/QUIC tunneling, but the tunnel doesn't terminate directly at the destination like in VPNs but instead at an identity-aware proxy that does authentication and L7-aware authorization on a per-request basis with policy-as-code via CEL/OPA. From an architecture perspective, I assume it's closer to ZTNAs such as Cloudflare Access and Teleport than to traditional VPNs, even though it operates as one for the client-based access mode. However, unlike VPNs, it does provide clientless/BeyondCorp access too, as it's intended to operate as a more generic/unified access platform (e.g. API/AI/MCP gateway, ngrok alternative, PaaS-like platform, etc.) rather than just a VPN.

Does it have an identity-aware proxy built in?

Yes, every resource that needs to be protected is represented by a "Service" that's implemented as an L7-aware identity-aware proxy in the Octelium Cluster, which is a distributed system running on top of a k8s cluster. Users simply access the protected resource/upstream through the Cluster, namely the Service, from a data-plane perspective, and the Service/identity-aware proxy does authentication/authorization/routing/visibility on a per-request basis. This upstream could be an internal resource directly accessible by the Cluster, or remotely behind NAT, or simply a publicly protected SaaS resource (e.g. an API protected by an access token, a SaaS database protected by a password, etc.). You can read more about how Octelium works here: https://octelium.com/docs/octelium/latest/overview/how-octel...
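To make the "identity-aware proxy doing per-request L7 authorization, then forwarding to an upstream that holds its own access token" architecture from the two comments above concrete, here is an added illustration in Go. It is example code written for this page, not Octelium's code or its API: the `Identity`/`Rule` types, the `sessions` token table, the rule set and the `X-Forwarded-User` header are all constructed for the example, and a deliberately tiny hand-rolled rule matcher stands in for the CEL/OPA policy engine the comment mentions. The security-relevant points it shows are that authentication and authorization happen on every request, not once at tunnel setup, and that the client's credential is swapped for the upstream's secret so users never hold the upstream token.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is what the authentication step attaches to a request.
// Constructed for this example; not Octelium's data model.
type Identity struct {
	User   string
	Groups []string
}

// Rule is one allow rule of a tiny policy language standing in for CEL/OPA:
// a request is allowed if any rule matches, otherwise it is denied (default deny).
type Rule struct {
	Group      string   // principal must belong to this group
	Methods    []string // allowed HTTP methods
	PathPrefix string   // allowed path prefix
}

// sessions maps client bearer tokens to identities. Constructed sample data;
// a real deployment would validate signed tokens or mTLS client certificates.
var sessions = map[string]Identity{
	"tok-alice": {User: "alice", Groups: []string{"dev"}},
	"tok-bob":   {User: "bob", Groups: []string{"dev", "ops"}},
}

// DefaultRules (constructed): devs may read /api, only ops may write to /api
// or reach /admin. Anything not listed is denied.
var DefaultRules = []Rule{
	{Group: "dev", Methods: []string{"GET", "HEAD"}, PathPrefix: "/api/"},
	{Group: "ops", Methods: []string{"GET", "POST", "PUT", "DELETE"}, PathPrefix: "/api/"},
	{Group: "ops", Methods: []string{"GET", "POST"}, PathPrefix: "/admin/"},
}

// Authenticate resolves the client's bearer token to an identity.
func Authenticate(r *http.Request) (Identity, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	id, ok := sessions[tok]
	return id, ok
}

func hasGroup(id Identity, g string) bool {
	for _, x := range id.Groups {
		if x == g {
			return true
		}
	}
	return false
}

// Authorize evaluates the policy for one request; the matched rule index is
// returned so the decision can be logged and audited.
func Authorize(id Identity, method, path string, rules []Rule) (bool, int) {
	for i, rule := range rules {
		if !hasGroup(id, rule.Group) || !strings.HasPrefix(path, rule.PathPrefix) {
			continue
		}
		for _, m := range rule.Methods {
			if m == method {
				return true, i
			}
		}
	}
	return false, -1
}

// NewIAP builds the identity-aware proxy in front of upstream. upstreamToken is
// the credential the upstream itself expects (the "API protected by an access
// token" case): clients never hold it, the proxy injects it after authorization.
func NewIAP(upstream *url.URL, rules []Rule, upstreamToken string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := Authenticate(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		allowed, ruleIdx := Authorize(id, r.Method, r.URL.Path, rules)
		if !allowed {
			log.Printf("deny user=%s %s %s", id.User, r.Method, r.URL.Path)
			http.Error(w, "forbidden by policy", http.StatusForbidden)
			return
		}
		log.Printf("allow user=%s %s %s rule=%d", id.User, r.Method, r.URL.Path, ruleIdx)
		// Replace the client's credential with the upstream's own, and pass the
		// authenticated identity along for upstream-side logging (header name is
		// an assumption for this example).
		r.Header.Set("Authorization", "Bearer "+upstreamToken)
		r.Header.Set("X-Forwarded-User", id.User)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:9000") // hypothetical internal service
	fmt.Println("identity-aware proxy listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", NewIAP(upstream, DefaultRules, "upstream-secret")))
}
```

With this in front of an upstream, `curl -H 'Authorization: Bearer tok-alice' http://localhost:8080/api/users` is proxied while a `POST` from the same token, or any request to `/admin/`, is refused with 403 before it ever reaches the upstream; the upstream only ever sees `Bearer upstream-secret`. Default deny plus a per-request decision is what separates this from a VPN, where reaching the tunnel endpoint is the only check.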