fractalnetworksco / selfhosted-gateway
1.1K stars, 15 watchers, 63 forks, 93 KB

Self-hosted Docker native tunneling to localhost. Expose local docker containers to the public Internet with a docker compose interface.

Home Page: https://fractalnetworks.co

License: GNU Affero General Public License v3.0

Shell 85.10% Makefile 7.46% Dockerfile 7.45%
nginx wireguard caddy docker docker-compose sni


selfhosted-gateway's Issues

Using an SSH port other than 22

Using a port other than 22 on a public server is an important step in hardening the server. There is no option to use a different port in your scripts.

Links must be recreated after gateway reboot

Two fairly annoying issues with the current implementation:

  1. Random port assignments from docker do not persist after reboot.
  2. Gateway link container overwrites WireGuard keys in entrypoint

Possible solutions:

  1. Generate random port number in create-link.sh and set it explicitly on the gateway's link container so it will persist on reboot
  2. Add a check in gateway link's entrypoint for existing WireGuard private key, if it exists do not overwrite it
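
As an added example, not code from the selfhosted-gateway project, here is the shape the two fixes proposed above could take in a POSIX shell entrypoint: the WireGuard private key is generated only when no key file exists, and the link's port is chosen once and persisted, so neither changes across a reboot. The state directory, file names and the optional key-generator argument are assumptions for illustration; a real entrypoint would pass no second argument and let `wg genkey` run.

```shell
#!/bin/sh
# Added example (not selfhosted-gateway code): idempotent per-link state so a
# gateway link container survives a reboot without being recreated.
# Assumes STATE_DIR is a bind-mounted, persistent directory.

# ensure_wg_privkey STATE_DIR [KEYGEN_CMD]
# Prints the link's WireGuard private key, generating it only if absent.
# KEYGEN_CMD defaults to `wg genkey`; it is a parameter only so the
# function can be exercised without wireguard-tools installed.
ensure_wg_privkey() {
  keyfile="$1/privatekey"
  keygen=${2:-wg genkey}
  if [ ! -s "$keyfile" ]; then
    # Subshell so the restrictive umask does not leak to the caller.
    ( umask 077 && $keygen > "$keyfile" ) || return 1
  fi
  cat "$keyfile"
}

# ensure_link_port STATE_DIR [MIN] [MAX]
# Prints the UDP port for this link, choosing it at random from the
# ephemeral range on first run and reusing the stored value afterwards.
# awk's rand() is fine for picking a port; it is not a key generator.
ensure_link_port() {
  portfile="$1/port"
  min=${2:-49152}
  max=${3:-65535}
  if [ ! -s "$portfile" ]; then
    awk -v min="$min" -v max="$max" \
      'BEGIN { srand(); print min + int(rand() * (max - min + 1)) }' > "$portfile"
  fi
  cat "$portfile"
}

# Usage in an entrypoint (commented out so the file can be sourced):
#   STATE_DIR=${STATE_DIR:-/var/lib/gateway-link}
#   mkdir -p "$STATE_DIR"
#   PRIVKEY=$(ensure_wg_privkey "$STATE_DIR")
#   PORT=$(ensure_link_port "$STATE_DIR")
```

Because both functions check for a non-empty file before writing, running the entrypoint again after a reboot returns the same key and port; the port stored here is what create-link.sh would also publish on the gateway's link container so the docker port mapping no longer changes.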

What does nginx:80 mean?

Hi,

I'm setting this up for my vaultwarden. My vaultwarden previously worked on localhost:7843. So in this case, should I expose nginx:7843, or should I keep nginx:80 as in the instructions?

Thanks

Access server SSH

Hello and thank you for the great repository.

I am in the process of configuring a gateway for accessing my local server behind a cgnat.
From what I understand, I need to create a new docker-compose file for each of my existing containers (effectively replacing it). Is that correct?

One use case would be to access this server with SSH, but I can't figure out how to set this up as it is not a docker/container thing.
Is this a possible scenario?

Thank you for your help.

Make Link error from Client to Gateway (invalid docker container)

hey team, first off thanks for putting this proj together. It reads and looks promising!

I've configured my VPS as instructed, no errors received there. However, I have reached the 'make link' part of building the client server and I have entered the 'expose' portion exactly as it states (EXPOSE=nextcloud:443) in the instructions, but my container is apparently invalid. I'm trying to expose my nextcloud container, which is on 443.

I've also opted to give the VPS a wildcard record, if that makes any difference.

docker-compose below for nextcloud

    ---
    services:
      nextcloud:
        container_name: nextcloud
        image: lscr.io/linuxserver/nextcloud:latest
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Etc/UTC
        volumes:
          - /home/whoami/nextcloud:/config
          - /Volume/mnt:/data
        ports:
          - 443:443
        restart: unless-stopped
      collabora:
        image: collabora/code:latest
        container_name: collabora
        cap_add:
          - MKNOD

Let me know if you need any more snippets or further clarification on my setup.

Local server rebooted, now there's a port conflict (docker)

Hello again. I've had the selfhosted-gateway running for a week or so. My local server is an Ansible node, so it has scheduled reboots (when required). The local server rebooted and now docker suddenly notices there's a conflict between the link container and the app container.

I know how to resolve this, I have to re-create the link. But is there a plan to fix this behaviour? Or maybe there's something we the end-users can do?

Thanks in advance

No mention of pub/pri key in README

Step #3 references the WireGuard public/private key, but nowhere in the README is it mentioned how/when to get these values.

GATEWAY_CLIENT_WG_PRIVKEY: 4M7Ap0euzTxq7gTA/WIYIt3nU+i2FvHUc9eYTFQ2CGI=
GATEWAY_LINK_WG_PUBKEY: Wipd6Pv7ttmII4/Oj82I5tmGZwuw6ucsE3G+hwsMR08=

Obtain IPs of External Connections

I know that the nature of this is to create a tunnel to localhost; however, I am using this to expose a few apps of mine to the internet, and one downside I have noticed is I can no longer see connecting IPs, which is useful for applications that allow you to limit traffic usage for external connections.

Is there a way for the link to be able to parse through their IPs or is the nature of it being a local connection the restraint?

SSH Permission Denied During Client To Gateway Link

Explanation:

Hi fractal team, while setting up your selfhosted-gateway I ran into a Permission Denied (publickey) error while creating the client to gateway link.

I can access Client 》 Host & Host 》 Client via the openssh CLI without issues & I have followed your guide to the letter as far as I am aware. More details below.

Details

Local Operating system: Ubuntu Server 22.04 LTS
VPS Operating system: Ubuntu Server 22.04 LTS
VPS Host: Digital Ocean
Selfhosted-Gateway Version: Latest
Error : Permission denied (publickey)
Install State : Clean Install
SSH Key Algorithm: ed25519 w/ 200 derivation function rounds.
/root/.ssh directory permission : 777
/root/.ssh/ed25519 & ed25519.pub permission : 600
/gateway/selfhosted-gateway permission: 777 recursively (troubleshooting)
Error: Make *** [255] Permission Denied (PublicKey)
Installation User : root

Kindest Regards 💯

Steps to run without docker on the client

Hi!

I'm looking to run this on a client that doesn't have docker installed and I'm looking for the steps to achieve this. I looked into link-entrypoint.sh but I was unable to make it work properly, so I'd appreciate a more detailed guide on how to do it.

Thank you!

error:0A000126:SSL routines::unexpected eof while reading

Hello,
I recently updated the selfhosted gateway server and received the following error when trying to connect. I have tried several different subdomains (workout, music, auth, etc.) but receive the same error from all of them. I ran wget and then received:

wget https://music.domain.xyz
Response:
--2024-02-18 19:26:10-- https://music.domain.xyz/
Resolving music.domain.xyz (music.domain.xyz)... 49.14.67.othernumber
Connecting to music.domain.xyz (music.domain.xyz)|49.14.67.othernumber|:443... connected.
OpenSSL: error:0A000126:SSL routines::unexpected eof while reading
Unable to establish SSL connection.

Ability for single link to support multiple domains

Previously *.app.domain.com was routed to a single link. A contributor submitted an enhancement to disambiguate sub-subdomains, making the default behavior route different sub.subdomain.domain names to different links (requiring multiple links when attempting to route traffic to links in the same docker compose project).

We should make this disambiguation optional so multiple sub-subdomains can be hosted via the same link. We would also need to add support on the client side so that caddy could be configured to properly route traffic for multiple sub-subdomains to the appropriate docker compose service (container).

Links giving a blank screen

I have set up everything and double-checked it. But after creating my first 3 links, they all resolved to a blank screen. So https://tautulli.mydomain.tld/ gives me a blank page.

After testing with tracert tautulli.mydomain.tld I discovered that packets eventually reach a datacenter of my VPS provider, Oracle. But there are no hops after that whatsoever.

Here's a screenshot of my rules in case it's useful

Support non-root ssh login

Unless I'm mistaken, this seems to require leaving root access open on the VPS, which is not ideal. Recommend updating to allow link creation via a non-root sudo account.

Reusing certificates

I found that for the gateway-client the certificates are stored in /root/.local/share/caddy but if I persist the directory it seems from the logs that the certificates are still being pulled from LetsEncrypt. I move my PC around frequently enough that I sometimes hit the 50 certificates per registered domain per week rate limit. Is there a way for me to get it to reuse the certificates on restart?
Loving this software!!

Write gateway links to a single docker compose file on gateway to simplify management

Currently, create_link.sh launches a standalone container on the gateway for each link. Instead, let's write links to the same docker compose file so the gateway operator can easily modify links without having to recreate them, for example when changing the domain(s) a link serves.

This change will also make it possible to back up all of the gateway's links for easy recreation when upgrading or migrating to a new host.

Publishing Nginx Proxy Manager (instead of a single service)

Hello,

I was wondering whether there is a possibility to publish Nginx Proxy Manager (hosted locally) and let Nginx do the proxying for the multiple services (hosted inside).
I was able to publish Nginx and establish a tunnel with the VPS, however I am only able to access the Nginx proxy itself (not the other services hosted inside)

Thanks

Support subdomains, not just sub-subdomains

I would love for selfhosted-gateway to support subdomains, not just sub-subdomains. For example, service.domain.tld as opposed to service.sub.domain.tld. In doing so, I could expose self-hosted services via *.domain.tld as opposed to *.sub.domain.tld.

There are a number of reasons this would be good, though admittedly a lot of it is cosmetic (shorter URLs for your exposed services). However, there's one use case in particular that I would position as the most important: Cloudflare doesn't let you proxy sub-subdomains without being on a subscription plan. If I want to use Cloudflare DNS to point service.sub.domain.tld to my gateway, I need to disable their 'proxy' feature, thereby exposing my gateway IP to the world.

As a Cloudflare DNS user, I'd like selfhosted-gateway to support FQDNs in the format of *.domain.tld instead of *.sub.domain.tld so that I can continue to use Cloudflare's 'proxy' feature and not expose my gateway IP without needing to pay $10/month for an advanced certificate.

DDNS for VPS. UDP gaming

Excellent project !
Looks like I wouldn't need fee-based OpenVPN projects like portmap anymore.

  1. Can we use DDNS for the server VPS instead of a regular domain with fixed IP?
    There are many domain registrars like Google and Cloudflare that support DDNS.

  2. There is mention of raw UDP not tested.
    But can we stream UDP Steam games (e.g., CSGO) in general?

  3. Nice to see Docker is not needed client side for servers behind NAT.
    Any help with how to set up behind NAT devices without Docker?
    Windows 10 will bloat further with Docker Engine as opposed to a Linux OS.

Similar services

How does this compare to LocalTunnel.me and Expose.dev?

Could be interesting to mention in readme.

make docker is failing at RUN apk add iptables socat wireguard-tools

make docker
docker build -t fractalnetworks/selfhosted-gateway:latest ./src/gateway/
[+] Building 1.5s (8/8) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 215B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/nginx:latest 1.0s
=> [1/3] FROM docker.io/library/nginx@sha256:add4792d930c25dd2abf2ef9ea79de578097a1c175a16ab25814332fe33622de 0.0s
=> [internal] load build context 0.1s
=> => transferring context: 79B 0.0s
=> CACHED [2/3] ADD http.conf.template /etc/nginx/templates/http.conf.template 0.0s
=> CACHED [3/3] ADD nginx.conf.template /etc/nginx/templates/nginx.conf.template 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:728c552059a3817f42c470460402cd9aec206944a0c3168d9581cde18e402ce1 0.0s
=> => naming to docker.io/fractalnetworks/selfhosted-gateway:latest 0.0s
docker build -t fractalnetworks/gateway-link:latest ./src/gateway-link/
[+] Building 11.9s (7/7) FINISHED docker:default
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 244B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 0.8s
=> [internal] load build context 0.1s
=> => transferring context: 35B 0.0s
=> [1/3] FROM docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 0.0s
=> CACHED [2/3] ADD entrypoint.sh /usr/bin/entrypoint.sh 0.0s
=> ERROR [3/3] RUN apk add iptables socat wireguard-tools 10.8s

[3/3] RUN apk add iptables socat wireguard-tools:
0.674 fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
5.680 fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
5.680 WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.18/main: temporary error (try again later)
10.69 WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.18/community: temporary error (try again later)
10.69 ERROR: unable to select packages:
10.69 iptables (no such package):
10.69 required by: world[iptables]
10.69 socat (no such package):
10.69 required by: world[socat]
10.69 wireguard-tools (no such package):
10.69 required by: world[wireguard-tools]


Dockerfile:7

5 | ADD entrypoint.sh /usr/bin/entrypoint.sh
6 |
7 | >>> RUN apk add iptables socat wireguard-tools
8 |
9 | ENV NOTEWORTHY_ENV $RELEASE_TAG

ERROR: failed to solve: process "/bin/sh -c apk add iptables socat wireguard-tools" did not complete successfully: exit code: 3
make: *** [Makefile:5: docker] Error 1

Optionally output WireGuard config files

Current behavior of make link ... is to output a docker-compose service snippet with WireGuard parameters as environment variables.

A welcome convenience would be the ability to output a WireGuard configuration that can be consumed directly by the existing Linux, Windows and macOS WireGuard clients.
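
As an added example, not the project's code, the conversion could be a small POSIX shell filter: it reads the `NAME: value` lines of the compose snippet `make link` prints, checks that the two keys are well-formed WireGuard keys, and writes a wg-quick configuration. Only GATEWAY_CLIENT_WG_PRIVKEY and GATEWAY_LINK_WG_PUBKEY appear on this page; the endpoint, address and allowed-IPs variable names, and their defaults, are assumptions for illustration. The usage below uses deliberately fake placeholder keys; a real private key that has been pasted into a public issue, as happened earlier on this page, should be treated as compromised and rotated.

```shell
#!/bin/sh
# Added example (not selfhosted-gateway code): render the WireGuard parameters
# that `make link` prints as compose environment variables into a wg-quick
# configuration usable by the stock WireGuard clients.
# Variable names other than GATEWAY_CLIENT_WG_PRIVKEY and
# GATEWAY_LINK_WG_PUBKEY are assumed for illustration.

# is_wg_key STRING
# A WireGuard key is 32 bytes: 44 base64 characters whose 43rd character
# carries two zero padding bits, followed by one '='.
is_wg_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# render_wg_conf < compose-snippet
# Accepts "NAME: value", "NAME=value" and "  - NAME=value" lines; ignores the
# rest. Writes the wg-quick file to stdout, fails on a missing/malformed key.
render_wg_conf() {
  privkey='' pubkey='' endpoint='' address='' allowed=''
  while IFS= read -r line; do
    # drop indentation and a leading "- " list marker
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*-*[[:space:]]*//')
    case $line in *[:=]*) ;; *) continue ;; esac
    name=${line%%[:=]*}
    value=${line#*[:=]}
    value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $name in
      GATEWAY_CLIENT_WG_PRIVKEY)   privkey=$value ;;
      GATEWAY_LINK_WG_PUBKEY)      pubkey=$value ;;
      GATEWAY_LINK_WG_ENDPOINT)    endpoint=$value ;;  # assumed name
      GATEWAY_CLIENT_WG_ADDRESS)   address=$value ;;   # assumed name
      GATEWAY_LINK_WG_ALLOWED_IPS) allowed=$value ;;   # assumed name
    esac
  done
  is_wg_key "$privkey" || { echo 'missing or malformed GATEWAY_CLIENT_WG_PRIVKEY' >&2; return 1; }
  is_wg_key "$pubkey"  || { echo 'missing or malformed GATEWAY_LINK_WG_PUBKEY' >&2; return 1; }
  [ -n "$endpoint" ]   || { echo 'missing GATEWAY_LINK_WG_ENDPOINT' >&2; return 1; }
  printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$privkey" "${address:-10.0.0.2/32}"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$pubkey" "$endpoint" "${allowed:-10.0.0.1/32}"
}

# Usage: render_wg_conf < link-snippet.txt > link.conf && chmod 600 link.conf
```

The key check is the point of the filter: a pasted key that has lost a character, or picked up a trailing space, would otherwise only fail later inside the WireGuard client with a less specific error. The output file holds the private key, so it should be created with restrictive permissions as in the usage line.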

fractalnetworks/gateway-cli no longer exists

Unable to find image 'fractalnetworks/gateway-cli:latest' locally
docker: Error response from daemon: pull access denied for fractalnetworks/gateway-cli, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.

Someone else posted about it on YouTube as well, 6 months ago.
Never mind, figured it out: 'make docker'.
