Meet Orion-Belt, Go ZeroTrust Bastion
Source: Dev.to

Overview
In the world of infrastructure, we’ve long accepted a “security tax.”
If you want your servers to be accessible, you either:
- open holes in your firewall,
- maintain a complex VPN, or
- pay thousands for enterprise PAM (Privileged Access Management) tools.
I felt there was a massive gap for a lightweight, developer‑centric tool that follows Zero Trust principles without the enterprise bloat. That’s why I built Orion‑Belt.
Orion‑Belt in Action
Seeing is believing. Below is a quick look at osh (the Orion‑Belt SSH client) connecting to a machine that has zero inbound ports open, while the gateway handles authentication and recording.
The “Security Tax” of Traditional Access
Most teams handle remote server access in one of three ways, and all of them have a catch:
| Approach | Drawbacks |
|---|---|
| Static SSH Keys | Great until a laptop is stolen or an employee leaves. Auditing “who did what” is nearly impossible. |
| Jump Box (Bastion) | A single point of failure – if compromised, the whole network is exposed. |
| VPNs | Provide “flat” network access; once a user is on the VPN they can often see everything, violating the Principle of Least Privilege. |
I wanted something that felt like a modern SaaS (e.g., Teleport or Boundary) but remained self‑hosted, open‑source, and dead simple.
Feature Comparison: Why Orion‑Belt?
| Feature | Orion‑Belt (Open Source) | Traditional SSH / VPN | Enterprise Gateways |
|---|---|---|---|
| Inbound Firewall Rules | ❌ No (Reverse Tunnel) | ✅ Yes (Port 22 / VPN) | ❌ No (Agent / Tunnel) |
| Session Recording | ✅ Yes (Built‑in) | ❌ No (Hard to config) | ✅ Yes (Built‑in) |
| Access Control | ReBAC (Fine‑grained) | Coarse‑grained | RBAC / ABAC |
| Temporary Access | ✅ Yes (JIT Approval) | ❌ No | ✅ Yes |
| Protocol Support | SSH, SCP | SSH, SCP (VPN allows more) | SSH, Kubernetes, Databases, HTTP |
| Cost | Free (Self‑Hosted) | Free | $$$ High |
| Architecture | Lightweight Go binary | Standard utilities | Complex micro‑services |
How It Works (Under the Hood)
Orion‑Belt uses a Reverse SSH Tunnel architecture. Instead of you reaching into your private network, your servers reach out to the Orion‑Belt gateway.
- The Agent – a small Go binary that runs on target VMs and creates an outbound connection to the Orion‑Belt server.
- The Gateway – the “brain.” It handles authentication, ReBAC, and session recording.
- The Client (osh/ocp) – CLI tools that feel like standard SSH/SCP but verify permissions with the gateway’s API first.
Because the connection is outbound from the server to the gateway, Port 22 can stay closed, effectively hiding your infrastructure from automated bot scans and 0‑day SSH exploits.
Key Features for Modern Teams
ReBAC (Relationship‑Based Access Control)
Orion‑Belt checks the relationship between the user and the resource, enabling fine‑grained permissions that scale as your team grows.
Session DVR‑Style Replay
Compliance regimes (SOC 2, HIPAA, …) often require a full audit trail. Orion‑Belt records every keystroke at the gateway level, allowing you to replay an entire session later.
JIT (Just‑In‑Time) Temporary Access
```bash
osh --request-access prod-db-01 --duration 1h --reason "Investigating latency"
```
An admin receives a notification, approves the request, and the access automatically expires. No “orphaned” keys are left behind.
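To make the ReBAC‑plus‑JIT decision concrete, here is an added Go example (written for this post, not Orion‑Belt’s own code; the relation names, the in‑memory store and the sample users and hosts are assumptions) of the check a gateway would run before letting osh open a session: a standing team relationship grants access, while a requested grant counts only after approval and only until its duration elapses.

```go
package main

import "time"

// Grant is a JIT access request: it authorizes only once approved and only until Expires.
type Grant struct {
	User, Host string
	Approved   bool
	Expires    time.Time
}
// Gateway is an in-memory stand-in for the gateway's permission store (an assumed model, not the project's schema).
type Gateway struct {
	memberOf  map[string]string   // ReBAC "member" relation: user -> team
	operators map[string][]string // ReBAC "operator" relation: host -> subjects (users or teams)
	grants    []Grant
}
// NewGateway loads a constructed sample graph: alice is in team:sre, and team:sre operates prod-db-01.
func NewGateway() *Gateway {
	return &Gateway{memberOf: map[string]string{"alice": "team:sre", "bob": "team:dev"},
		operators: map[string][]string{"host:prod-db-01": {"team:sre"}}}
}
// hasRelation resolves the relationship graph: the user directly, or through the team the user belongs to.
func (g *Gateway) hasRelation(user, host string) bool {
	for _, s := range g.operators[host] {
		if s == user || s == g.memberOf[user] {
			return true
		}
	}
	return false
}
// RequestAccess models `osh --request-access <host> --duration <d>`; the grant starts unapproved.
func (g *Gateway) RequestAccess(user, host string, d time.Duration, now time.Time) int {
	g.grants = append(g.grants, Grant{User: user, Host: host, Expires: now.Add(d)})
	return len(g.grants) - 1
}
// Approve is the admin's step; no revocation is needed later because the grant expires by itself.
func (g *Gateway) Approve(id int) { g.grants[id].Approved = true }
// Authorize is the check the client must pass before a session: a standing relation or a live JIT grant.
func (g *Gateway) Authorize(user, host string, now time.Time) bool {
	if g.hasRelation(user, host) {
		return true
	}
	for _, gr := range g.grants {
		if gr.User == user && gr.Host == host && gr.Approved && now.Before(gr.Expires) {
			return true
		}
	}
	return false
}
```

Note that a request that was never approved, or whose hour has passed, is denied exactly like a user with no relationship at all, so nothing has to be cleaned up when the window closes.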
Architecture Diagram
```text
Client (osh/ocp)
      │
      ▼
Orion‑Belt Gateway Server (ReBAC + Session Recording)
      │
      ▼ (Reverse SSH Tunnel)
Agent (on your locked‑down servers)
```
Quick Start
1. Build from source
```bash
git clone https://github.com/zrougamed/orion-belt.git
cd orion-belt && make build
```
2. Start the Server
The server acts as your central hub and uses PostgreSQL to store sessions and permissions.
3. Deploy the Agent
Drop the agent binary on any server behind a firewall. Once it connects to the gateway, that server becomes accessible via osh.
I Need Your Feedback!
Orion‑Belt is currently in Alpha – functional and stable, but looking for early adopters to shape the roadmap.
- Does this architecture fit your current workflow?
- What notification plugins would you like to see (Slack, Discord, Email)?
Check out the repo, leave a ⭐ if you like the concept, and let’s discuss in the comments!
GitHub: https://github.com/zrougamed/orion-belt
Final Thoughts
Infrastructure access doesn’t need to be a choice between “easy” and “secure.” By combining Go’s performance with a Zero‑Trust architecture, Orion‑Belt makes high‑end security accessible to everyone.