
fractalnetworksco / selfhosted-gateway

Self-hosted Docker native tunneling to localhost. Expose local docker containers to the public Internet via a simple docker compose interface.

Home Page: https://fractalnetworks.co

License: GNU Affero General Public License v3.0

Shell 85.71% Makefile 7.12% Dockerfile 7.17%
nginx wireguard caddy docker docker-compose sni

selfhosted-gateway's Introduction

Self-hosted Gateway

Features and Benefits

  • Docker native self-hosted alternative to Cloudflare Tunnels, Tailscale Funnel, ngrok and others.
  • Entirely self-hosted and self-managed, includes local and remote tunneling components.
  • No custom code; this project leverages existing battle-tested FOSS components:
    • WireGuard
    • Nginx (Gateway)
    • Caddy (Client)
  • Automatic client side HTTPS cert provisioning thanks to Caddy's automatic https.
  • Remote client IPs passed to local container via proxy protocol
  • Enable basic authentication by specifying env variable containing username and password
  • Proxy generic TCP/UDP traffic to localhost with socat

Overview

This project automates the provisioning of Reverse Proxy-over-VPN (RPoVPN) WireGuard tunnels with Caddy and NGINX. It is particularly well suited for exposing services defined in a docker-compose file to the public Internet. There's no code or APIs, just an ultra-generic NGINX config and a few short provisioning bash scripts. TLS certs are provisioned automatically with Caddy's Automatic HTTPS feature via Let's Encrypt or ZeroSSL.

Use cases

  1. RPoVPN is a common strategy for remotely accessing applications self-hosted at home. It solves problems such as:
    • Self-hosting behind double-NAT or via an ISP that does CGNAT (Starlink, Mobile Internet).
    • Inability to port forward on your local network due to insufficient access.
    • Having a dynamically allocated IP that may change frequently.
  2. Using RPoVPN is ideal for self-hosting from both a network security and privacy perspective:
    • Obviates the need for a static IP or to expose your home's public IP address to the world.
    • Utilizes advanced network isolation capabilities of Docker (thanks to Linux network namespaces) in order to isolate locally exposed services from your home network and other local docker services.
    • Built on open-source technologies (WireGuard, Caddy and NGINX).

Getting Started

Prerequisites

  • Domain
    • Ability to create an A record for a domain name.
  • Gateway
    • A publicly addressable Linux host to act as the gateway, typically a cloud VPS (Hetzner, Digital Ocean, etc.) with the following requirements:
      • SSH access
      • Ports 80/443 open (http/https)
      • The UDP port range listed by cat /proc/sys/net/ipv4/ip_local_port_range open to the Internet.
      • docker, git & make installed on the Gateway
  • Client
    • An existing docker-compose.yml that you would like to expose to the Internet.
    • docker, git & make installed locally

Steps

Gateway

  1. Point *.mydomain.com (DNS A Record) to the IPv4 & IPv6 address of your VPS Gateway host.

  2. Connect to the gateway via SSH and set up the gateway service:

foo@gateway:~$ git clone ... && cd selfhosted-gateway
foo@gateway:~/selfhosted-gateway$ make docker
foo@gateway:~/selfhosted-gateway$ make setup
foo@gateway:~/selfhosted-gateway$ make gateway

Client

  3. To generate a link docker compose snippet, run the following commands from the client:

foo@local:~$ git clone ... && cd selfhosted-gateway
foo@local:~/selfhosted-gateway$ make docker
foo@local:~/selfhosted-gateway$ make link [email protected] FQDN=nginx.mydomain.com EXPOSE=nginx:80
# docker compose --env-file ./nginx-mydomain-com.env ...
  link:
    image: fractalnetworks/gateway-client:latest
    environment:
      LINK_DOMAIN: nginx.mydomain.com
      EXPOSE: nginx:80
      GATEWAY_CLIENT_WG_PRIVKEY: 4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=
      GATEWAY_LINK_WG_PUBKEY: Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=
      GATEWAY_ENDPOINT: 123.456.789.101:49185
    cap_add:
      - NET_ADMIN

The command will also generate a .env file in your current directory:

foo@local:~/selfhosted-gateway$ cat ./nginx-mydomain-com.env
EXPOSE=nginx:80
GATEWAY_ENDPOINT=123.456.789.101:49185
GATEWAY_LINK_WG_PUBKEY=Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=
LINK_DOMAIN=nginx.mydomain.com
WG_PRIVKEY=4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=

  4. Add the link service to your existing docker-compose.yml file:
  • by copy-pasting the output from the previous command:

    version: '3.9'
    services:
      nginx:
        image: nginx:latest
      link:
        image: fractalnetworks/gateway-client:latest
        environment:
          LINK_DOMAIN: nginx.mydomain.com
          EXPOSE: nginx:80
          GATEWAY_CLIENT_WG_PRIVKEY: 4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=
          GATEWAY_LINK_WG_PUBKEY: Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=
          GATEWAY_ENDPOINT: 123.456.789.101:49185
        cap_add:
          - NET_ADMIN
  • or by inserting the template snippet from src/create-link/link-compose-snippet.yml.
    In this case, you will need to specify the .env file to use when running docker-compose commands:

    foo@local:~/selfhosted-gateway$ docker compose --env-file ./nginx-mydomain-com.env up -d

    See Docker Compose documentation "Substitute environment variables with an .env file" for more information.

  5. Start your docker compose project as you would normally (docker compose up -d).

This will establish the link to the gateway and automatically provision a TLS-certificate.
You may repeat steps 3-5 for as many services as you would like to expose using the same gateway.
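
The generated .env file carries the link's WireGuard private key, so it is worth checking before the project is started. The script below is an added example, not part of selfhosted-gateway: audit_link_env is a hypothetical helper, and it assumes the five key names shown in the .env listing above.

```shell
#!/bin/sh
# Added example: audit a link .env file produced by `make link`.
# audit_link_env is a hypothetical helper, not part of selfhosted-gateway.

# Prints one line per finding; returns the number of findings (0 = clean).
audit_link_env() {
    f=$1
    findings=0
    note() { echo "$f: $1"; findings=$(( findings + 1 )); }
    # Last assignment of KEY in the file.
    value() { sed -n "s/^$1=//p" "$f" | tail -n 1; }

    if [ ! -r "$f" ]; then note "not readable"; return "$findings"; fi

    # The file holds WG_PRIVKEY: only the owner should have any access.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        note "accessible by group/others, run: chmod 600"
    fi

    for key in EXPOSE GATEWAY_ENDPOINT GATEWAY_LINK_WG_PUBKEY LINK_DOMAIN WG_PRIVKEY; do
        if [ -z "$(value "$key")" ]; then note "$key missing or empty"; fi
    done

    # WireGuard keys are 32 bytes: 43 base64 characters plus one '='.
    for key in GATEWAY_LINK_WG_PUBKEY WG_PRIVKEY; do
        v=$(value "$key")
        if [ -n "$v" ] && ! printf '%s\n' "$v" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
            note "$key is not a 44-character base64 key"
        fi
    done

    # Only IPv4 endpoints are supported: expect a.b.c.d:port with sane ranges.
    ep=$(value GATEWAY_ENDPOINT)
    if [ -n "$ep" ]; then
        ok=1
        if printf '%s\n' "$ep" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$'; then
            port=${ep##*:}
            old_ifs=$IFS; IFS=.; set -- ${ep%:*}; IFS=$old_ifs
            for octet in "$@"; do
                if [ "$octet" -gt 255 ]; then ok=0; fi
            done
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then ok=0; fi
        else
            ok=0
        fi
        if [ "$ok" -eq 0 ]; then note "GATEWAY_ENDPOINT is not a valid IPv4:port"; fi
    fi
    return "$findings"
}

# Demo on the README's own sample values. Its endpoint is a placeholder, so
# the IPv4 check fires; a file created by mktemp is owner-only already.
sample=$(mktemp)
cat > "$sample" <<'EOF'
EXPOSE=nginx:80
GATEWAY_ENDPOINT=123.456.789.101:49185
GATEWAY_LINK_WG_PUBKEY=Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=
LINK_DOMAIN=nginx.mydomain.com
WG_PRIVKEY=4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=
EOF
audit_link_env "$sample" || echo "findings: $?"
rm -f "$sample"
```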

Extra

Architecture

├── ...
└── src
    ├── client-link  # WireGuard instance for the client. Also handles SSL termination with Caddy
    │   └── ...
    ├── create-link  # CLI script for establishing a link.
    │   └── ...
    ├── gateway      # NGINX reverse proxy to distribute requests to each gateway-link instance.
    │   └── ...
    └── gateway-link # WireGuard instance for the gateway.
        └── ...

Terminology

  • Link - A dedicated WireGuard tunnel between a local container (client) and the remote container running on the Gateway through which Reverse Proxy traffic is routed. A link is comprised of 2 pieces, the local or client link and the gateway or remote link.

Split DNS without SSL Termination

In the event you already have a reverse proxy which performs SSL termination for your apps/services you can enable FORWARD_ONLY mode. Suppose you are using Traefik for SSL termination:

  1. On your local LAN you will resolve *.sub.mydomain.com to your local Traefik IP.
  2. On your external DNS for your domain you will resolve *.sub.mydomain.com to the IP of your VPS.
  3. In your compose file add an additional two variables, EXPOSE_HTTPS and FORWARD_ONLY:

version: '3.9'
services:
  app:
    image: traefik:latest
  link:
    image: fractalnetworks/gateway-client:latest
    environment:
      LINK_DOMAIN: sub.mydomain.com
      EXPOSE: app:80
      EXPOSE_HTTPS: app:443
      FORWARD_ONLY: "True"
      GATEWAY_CLIENT_WG_PRIVKEY: 4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=
      GATEWAY_LINK_WG_PUBKEY: Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=
      GATEWAY_ENDPOINT: 5.161.127.102:49185
    cap_add:
      - NET_ADMIN

You will see logs from the link container indicating it is in forward only mode:

traefikv2_link.1.qvijxtwiu0wb@docker01    | + socat TCP4-LISTEN:8443,fork,reuseaddr TCP4:app:443,reuseaddr
traefikv2_link.1.qvijxtwiu0wb@docker01    | + socat TCP4-LISTEN:8080,fork,reuseaddr TCP4:app:80,reuseaddr

TLS Backend

If the backend container already has a TLS certificate, the connection between Caddy and the backend container can be switched to TLS/HTTPS with the CADDY_TLS_PROXY parameter. If the certificate is self-signed, the additional CADDY_TLS_INSECURE parameter can be used to deactivate the certificate check; Caddy then accepts any certificate the backend presents.

This will continue to create a certificate for the backend via Let's Encrypt.

version: '3.9'
services:
  app:
    image: traefik:latest
  link:
    image: fractalnetworks/gateway-client:latest
    environment:
      LINK_DOMAIN: sub.mydomain.com
      EXPOSE:  https://app:80
      # Boolean-looking values are quoted so Compose passes them as strings
      CADDY_TLS_PROXY: "true"
      # Optional
      # CADDY_TLS_INSECURE: "true"
      GATEWAY_CLIENT_WG_PRIVKEY: 4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=
      GATEWAY_LINK_WG_PUBKEY: Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=
      GATEWAY_ENDPOINT: 5.161.127.102:49185
    cap_add:
      - NET_ADMIN

Show all links running on a Gateway

$ docker ps

Limitations

  • Currently only IPv4 is supported
  • Raw UDP proxying is supported but is currently untested & undocumented, see bottom of gateway/link-entrypoint.sh.

FAQ

  • How is this better than setting up nginx and WireGuard myself on a VPS?

The goal of this project is to make self-hosting more accessible and reproducible. This selfhosted-gateway leverages a "ZeroTrust" network architecture (see diagram above). Each "Link" provides a dedicated WireGuard tunnel that is isolated from other containers and the underlying. This isolation is provided by Docker Compose's creation of a private Docker network for each compose file (project).

  • Can I still access the service from my local network?

To do so you will need to publish ports on your Docker host as you would traditionally; this is no longer necessary for access through the gateway:

ports:
 - 80:80
 - 443:443

Support

Community support is available via our Matrix Channel https://matrix.to/#/#fractal:ether.ai

selfhosted-gateway's People

Contributors

baestus, dkbnz, dotsch2005, jacobburrell, joonaskaskisola, justin-russell, mr-sir2525, mtucker502, rpersee, thebalaa, xfbs

selfhosted-gateway's Issues

Make Docker is failing at RUN apk add iptables socat wireguard-tools

make docker
docker build -t fractalnetworks/selfhosted-gateway:latest ./src/gateway/
[+] Building 1.5s (8/8) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 215B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/nginx:latest 1.0s
=> [1/3] FROM docker.io/library/nginx@sha256:add4792d930c25dd2abf2ef9ea79de578097a1c175a16ab25814332fe33622de 0.0s
=> [internal] load build context 0.1s
=> => transferring context: 79B 0.0s
=> CACHED [2/3] ADD http.conf.template /etc/nginx/templates/http.conf.template 0.0s
=> CACHED [3/3] ADD nginx.conf.template /etc/nginx/templates/nginx.conf.template 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:728c552059a3817f42c470460402cd9aec206944a0c3168d9581cde18e402ce1 0.0s
=> => naming to docker.io/fractalnetworks/selfhosted-gateway:latest 0.0s
docker build -t fractalnetworks/gateway-link:latest ./src/gateway-link/
[+] Building 11.9s (7/7) FINISHED docker:default
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 244B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 0.8s
=> [internal] load build context 0.1s
=> => transferring context: 35B 0.0s
=> [1/3] FROM docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 0.0s
=> CACHED [2/3] ADD entrypoint.sh /usr/bin/entrypoint.sh 0.0s
=> ERROR [3/3] RUN apk add iptables socat wireguard-tools 10.8s

[3/3] RUN apk add iptables socat wireguard-tools:
0.674 fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
5.680 fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
5.680 WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.18/main: temporary error (try again later)
10.69 WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.18/community: temporary error (try again later)
10.69 ERROR: unable to select packages:
10.69 iptables (no such package):
10.69 required by: world[iptables]
10.69 socat (no such package):
10.69 required by: world[socat]
10.69 wireguard-tools (no such package):
10.69 required by: world[wireguard-tools]


Dockerfile:7

5 | ADD entrypoint.sh /usr/bin/entrypoint.sh
6 |
7 | >>> RUN apk add iptables socat wireguard-tools
8 |
9 | ENV NOTEWORTHY_ENV $RELEASE_TAG

ERROR: failed to solve: process "/bin/sh -c apk add iptables socat wireguard-tools" did not complete successfully: exit code: 3
make: *** [Makefile:5: docker] Error 1

Using other ssh-port than 22

Using a different port than 22 on a public server is one important point in order to harden the server. There is no option to use a different port in your scripts.

Steps to run without docker on the client

Hi!

I'm looking to run this on a client that doesn't have docker installed and I'm looking for the steps to achieve this. I looked into link-entrypoint.sh but I was unable to make it work properly, so I'd appreciate a more detailed guide on how to do it.

Thank you!

SSH Permission Denied During Client To Gateway Link

Explanation:

Hi fractal team, while setting up your selfhosted-gateway I ran into a Permission Denied (publickey) error while creating the client to gateway link.

I can access Client 》 Host & Host 》 Client via openssh CLI without issues & I have followed your guide to the letter as far as I am aware. More Details Below

Details

Local Operating system: Ubuntu Server 22.04 LTS
VPS Operating system: Ubuntu Server 22.04 LTS
VPS Host: Digital Ocean
Selfhosted-Gateway Version: Latest
Error : Permission denied (publickey)
Install State : Clean Install
SSH Key Algorithm: ed25519 w/ 200 derivation function rounds.
/root/.ssh directory permission : 777
/root/.ssh/ed25519 & ed25519.pub permission : 600
/gateway/selfhosted-gateway permission: 777 recursively (troubleshooting)
Error: Make *** [255] Permission Denied (PublicKey)
Installation User : root

Kindest Regards 💯

error:0A000126:SSL routines::unexpected eof while reading

Hello,
I recently updated the selfhosted gateway server and received the following error when trying to connect. I have tried several different subdomains (workout, music, auth, etc.) but receive the same error from all instances. I ran wget and then received:

wget https://music.domain.xyz
Response:
--2024-02-18 19:26:10-- https://music.domain.xyz/
Resolving music.domain.xyz (music.domain.xyz)... 49.14.67.othernumber
Connecting to music.domain.xyz (music.domain.xyz)|49.14.67.othernumber|:443... connected.
OpenSSL: error:0A000126:SSL routines::unexpected eof while reading
Unable to establish SSL connection.

What does nginx:80 mean?

Hi,

I'm setting up this for my vaultwarden. My vaultwarden previously worked on localhost:7843. So in this case, should I expose nginx:7843 or should I keep nginx:80 as instructions?

Thanks

Similar services

How does this compare to LocalTunnel.me and Expose.dev?

Could be interesting to mention in readme.

Links must be recreated after gateway reboot

Two fairly annoying issues with the current implementation:

  1. Random port assignments from docker do not persist after reboot.
  2. Gateway link container overwrites WireGuard keys in entrypoint

Possible solutions:

  1. Generate random port number in create-link.sh and set it explicitly on the gateway's link container so it will persist on reboot
  2. Add a check in gateway link's entrypoint for existing WireGuard private key, if it exists do not overwrite it
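
Added example, not part of the issue or of the project's scripts: one way the two proposed fixes could look in shell. The names ensure_wg_key and link_port, the state-file format and the injectable key generator are assumptions of this sketch; the port is picked from a hash of the link name rather than at random, and only ports recorded in the state file are treated as taken.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not selfhosted-gateway code).

# ensure_wg_key KEYFILE [GENERATOR...]
# Create a WireGuard private key only if KEYFILE is missing or empty, so a
# container restart keeps the key the other side of the link already trusts.
# GENERATOR defaults to `wg genkey`; it is a parameter so the function can be
# exercised without wireguard-tools installed.
ensure_wg_key() {
    keyfile=$1
    shift
    [ "$#" -gt 0 ] || set -- wg genkey
    if [ -s "$keyfile" ]; then
        return 0                        # existing key: leave it untouched
    fi
    tmp="$keyfile.tmp.$$"
    # umask 077 in a subshell: the key is never group/world readable.
    ( umask 077 && "$@" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$keyfile"             # rename, so no half-written key file
}

# link_port NAME STATE_FILE [RANGE_FILE]
# Print a UDP port for link NAME and record it in STATE_FILE ("name port"
# per line). The same NAME always gets the same port back, so the port can
# be set explicitly on the link container and survives a reboot.
# NAME is expected to be a domain name (no whitespace).
link_port() {
    name=$1
    state=$2
    range_file=${3:-/proc/sys/net/ipv4/ip_local_port_range}
    touch "$state"
    port=$(awk -v n="$name" '$1 == n { print $2; exit }' "$state")
    if [ -n "$port" ]; then echo "$port"; return 0; fi

    read -r low high < "$range_file" || [ -n "$high" ] || return 1
    span=$(( high - low + 1 ))
    start=$(printf '%s' "$name" | cksum | cut -d' ' -f1)
    i=0
    while [ "$i" -lt "$span" ]; do
        port=$(( low + (start + i) % span ))
        # Probe forward past ports already recorded for other links.
        if ! awk -v p="$port" '$2 == p { found = 1 } END { exit !found }' "$state"; then
            echo "$name $port" >> "$state"
            echo "$port"
            return 0
        fi
        i=$(( i + 1 ))
    done
    return 1                            # every port in the range is assigned
}

# Demo with constructed inputs: a stand-in generator and a range file.
demo_dir=$(mktemp -d)
printf '32768\t60999\n' > "$demo_dir/range"
demo_gen() { echo "constructed-not-a-real-key"; }
ensure_wg_key "$demo_dir/key" demo_gen
link_port nginx.mydomain.com "$demo_dir/ports" "$demo_dir/range"
rm -rf "$demo_dir"
```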

Reusing certificates

I found that for the gateway-client the certificates are stored in /root/.local/share/caddy but if I persist the directory it seems from the logs that the certificates are still being pulled from LetsEncrypt. I move my PC around frequently enough that I sometimes hit the 50 certificates per registered domain per week rate limit. Is there a way for me to get it to reuse the certificates on restart?
Loving this software!!

Access server SSH

Hello and thank you for the great repository.

I am in the process of configuring a gateway for accessing my local server behind a cgnat.
From what I understand, I need to create a new docker-compose file for each of my existing containers (effectively replacing it), is it correct ?

One use-case would be to access this server with ssh, but I can't figure how to set this up as it is not a docker/container thing.
Is it a possible scenario ?

Thank you for your help.

The Dockerfile of create-link uses the alpine:latest image, which will cause openssh-client to not work properly.

Hi~

Today I used "git pull" to synchronize the latest code. After cleaning all docker containers, images and networks, I rebuilt the docker images according to the README and reconnected to the gateway.

As a result, I found that the "make link" command would get stuck on the ssh connection and eventually prompt a timeout error.
After investigation, it was found that this may be a problem with openssh-client under the alpine:latest image.

The exact reason is not yet clear. I manually ran the alpine:latest image and executed "apk add" to install openssh-client, and found that the ssh command also failed to work properly.

I replaced the following content in the src/create-link/Dockerfile file

FROM alpine:latest

RUN apk add gettext openssh-client wireguard-tools;

to

FROM ubuntu:latest

RUN apt update && apt install gettext openssh-client wireguard-tools -y

After cleaning and re-building the docker images, you can connect to the gateway normally.

In order to avoid strange problems, it is recommended to change the base image from alpine:latest to ubuntu:latest.

Setup with existing Nginx Proxy Manager

Hi, I have an existing NPM container running on my home server. Is it possible to point the traffic from the VPS to the NPM?

For example: VPS (immich.domain.com) > tunnel > NPM (immich.domain.com > 192.168.30.3:2381) > Immich container with local IP 192.168.30.3:2381.

Or any other suggestions?

Links giving a blank screen

I have set up everything and double-checked it. But after creating my first 3 links. They all resolved to a blank screen. So https://tautulli.mydomain.tld/ gives me a blank page.

After testing with tracert tautulli.mydomain.tld I discovered that the packets eventually reach a datacenter of my VPS provider, Oracle. But there are no hops after that whatsoever.

Here's a screenshot of my rules in case it's useful
image

DDNS for VPS. UDP gaming

Excellent project !
Looks like I wouldn't need OpenVPN fee based projects like portmap anymore.

  1. Can we use DDNS for the server VPS instead of a regular domain with fixed IP?
    There are many domain registrars like Google and Cloudflare that support DDNS.

  2. There is mention of raw UDP not tested.
    But can we stream UDP Steam games (e.g., CSGO) in general ?

  3. Nice to see Docker is not needed client side for servers behind NAT.
    Any help with how to set up behind NAT devices without Docker?
    Windows 10 will bloat further with Docker Engine as opposed to a Linux OS.

Forward all root domain level traffic

Running through the instructions it appears that it's possible to essentially tunnel all traffic for a single subdomain to a "backend" reverse proxy to handle the TLS/SSL encryption and forwarding on to an app.

Is it possible to forward the traffic for the entire domain this way? This would prevent the need to stand up a new separate tunnel for each subdomain and the "backend" reverse proxy can sort out the traffic based on the subdomain forwarded.

Cheers

Support subdomains, not just sub-subdomains

I would love for selfhosted-gateway to support subdomains, not just sub-subdomains. For example, service.domain.tld as opposed to service.sub.domain.tld. In doing so, I could expose self-hosted services via *.domain.tld as opposed to *.sub.domain.tld.

There are a number of reasons this would be good, though admittedly a lot of it is cosmetic (shorter URLs for your exposed services). However, there's one use case in particular that I would position as the most important: Cloudflare doesn't let you proxy sub-subdomains without being on a subscription plan. If I want to use Cloudflare DNS to point service.sub.domain.tld to my gateway, I need to disable their 'proxy' feature, thereby exposing my gateway IP to the world.

As a Cloudflare DNS user, I'd like selfhosted-gateway to support FQDNs in the format of *.domain.tld instead of *.sub.domain.tld so that I can continue to use Cloudflare's 'proxy' feature and not expose my gateway IP without needing to pay $10/month for an advanced certificate.

Support non-root ssh login

Unless I'm mistaken this seems to require leaving root access open on the VPS which is not ideal. Recommend updating to allow link creation via a non-root sudo account.

Local server rebooted, now there's a port conflict (docker)

Hello again. I've had the selfhosted-gateway running for a week or so. My local server is an Ansible node, so has scheduled reboots (when required). The local server rebooted and now docker suddenly notices there's a conflict between the link container & app container.

I know how to resolve this, I have to re-create the link. But is there a plan to fix this behaviour? Or maybe there's something we the end-users can do?

Thanks in advance

(113: No route to host) while connecting to upstream

My VPS appeared to have crashed; all my link containers stayed up but lost connection.

I'm able to create links fine which create the containers correctly and have set this up a few times before with no issues.

I am using the Split DNS without SSL Termination method and forwarding all traffic to NPM, which again previously worked with no issues.

I've wiped the VPS, and It's had a fresh installation on the gateway and updated the client to the newest version of self-hosted-gateway and created new links

gateway container logs *redacted *

** update I appear to have resolved the issue by rolling back to using this version https://github.com/Dotsch2005/selfhosted-gateway.git **

Optionally output WireGuard config files

Current behavior of make link ... is to output a docker-compose service snippet with WireGuard parameters as environment variables.

A welcome convenience would be the ability to output a WireGuard configuration that can be consumed directly by the existing Linux, Windows and macOS WireGuard clients.

Make Link error from Client to Gateway (invalid docker container)

hey team, first off thanks for putting this proj together. It reads and looks promising!

I've configured my VPS as instructed, no errors received there. However, I have reached the 'make link' part of building the client server and I have entered the 'expose' portion exactly as it states (EXPOSE=nextcloud:443) in the instructions, but my container's apparently invalid. I'm trying to expose my nextcloud container, which is on 443.

I've also opted to set my VPS to have a wildcard record - if that makes any difference.

docker-compose below for nextcloud:

---
services:
  nextcloud:
    container_name: nextcloud
    image: lscr.io/linuxserver/nextcloud:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - /home/whoami/nextcloud:/config
      - /Volume/mnt:/data
    ports:
      - 443:443
    restart: unless-stopped
  collabora:
    image: collabora/code:latest
    container_name: collabora
    cap_add:
      - MKNOD

Let me know if you need any more snippets or further clarification on my setup.

Write gateway links to a single docker compose file on gateway to simplify management

Currently, create_link.sh launches a standalone container on the gateway for each link. Instead, let's write links to the same docker compose file so the gateway operator can easily modify links without having to recreate them, for example when changing the domain(s) a link serves.

This change will also make it possible to backup all of gateway's link for easy recreation when upgrading or migrating to a new host.

Obtain IPs of External Connections

I know that the nature of this is to create a tunnel to localhost however I am using this to expose a few apps of mine to the internet and one downside I have noticed is I can no longer see connecting IP's which is useful for applications that allow you to limit traffic usage for external connections.

Is there a way for the link to be able to parse through their IPs or is the nature of it being a local connection the restraint?

Publishing Nginx Proxy Manager (instead of a single service)

Hello,

I was wondering whether there is a possibility to publish Nginx Proxy Manager (hosted locally) and let Nginx do the proxying for the multiple services (hosted inside).
I was able to publish Nginx and establish a tunnel with the VPS, however I am only able to access the Nginx proxy itself (not the other services hosted inside)

Thanks

fractalnetworks/gateway-cli no longer exists

Unable to find image 'fractalnetworks/gateway-cli:latest' locally
docker: Error response from daemon: pull access denied for fractalnetworks/gateway-cli, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.

someone else posted about it on youtube, as well, 6 months ago.
nevermind. figured it out. 'make docker'

Links should add X-Forwarded-Proto header in reverse proxy

I've run into a problem when my link is exposing an nginx container to route traffic to various containers. The problem was that the scheme was not being correctly provided to nginx from the link container, so my proxied request in nginx would be through http instead of https.

Ability for single link to support multiple domains

previously *.app.domain.com was routed to a single link, a contributor submitted an enhancement to disambiguate sub.sub domains making the default behavior as routing different sub.subdomain.domain domains to different links (requiring multiple links when attempting to route traffic to links in the same docker compose project)

we should make this disambiguation optional so multiple sub subdomain can be hosted via the same link, we would also need to add support on the client side so that caddy could be configured to properly route traffic for multiple sub subdomains to the appropriate docker compose service (container)

No mention of pub/pri key in README

Step #3 references Wireguard public/private key but nowhere in the README is it mentioned how/when to get these values.

GATEWAY_CLIENT_WG_PRIVKEY: 4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=
GATEWAY_LINK_WG_PUBKEY: Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=
