SkillAgentSearch skills...

Wireport

Self-hosted ingress proxy & VPN tunnel. Securely exposes private local & Docker-based services to the Internet, with free, automatically renewable SSL certificates and docker container hostname resolution.

GenerateConvertImprove

Install / Use

/learn @MultionLabs/Wireport
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

<p align="center"> <img src="assets/wireport-with-slogan.png" alt="wireport logo" width="200" /> </p> <h1 align="center" style="color:#23132d"> wireport </h1> <p align="center"> <strong>Self-hosted ingress proxy & VPN tunnel. Securely exposes private local & Docker-based services to the Internet, with free, automatically renewable SSL certificates.</strong><br /> Powered by WireGuard, CoreDNS and Caddy </p> <p align="center"> <a href="#features">Features</a> • <a href="#preparation">Preparation</a> • <a href="#quick-start">Quick Start</a> • <a href="#how-it-works">How it works</a> • <a href="#security-considerations">Security</a> • <a href="#troubleshooting">Troubleshooting</a> • <a href="#sponsorship">Sponsorship</a> </p>
<div align="center">

Platform Architecture
License: MIT Sponsor me on GitHub

</div>

wireport is a self-hosted ingress proxy and VPN tunnel that securely exposes private local and Docker-based services to the Internet, with free, automatically renewable SSL certificates.

  • Exposing local and Docker-based services running in a local network (e.g., on the local machine, on a corporate network, on a NAS, or on a home server) to the Internet
  • Secure tunneling into remote development/staging/production environments to facilitate debugging and troubleshooting of remote Docker-based services

Features

  • SSL/TLS termination with 100% free and automated certificate provisioning and renewal
  • Reverse proxy with support for HTTP(S) 1/2/3, WebSocket, gRPC (over HTTP/2) and TCP/UDP (Layer-4)
  • Securely connect locally running services to remote infrastructure for debugging complex production issues
  • Secure access to internal docker-based services and admin dashboards
  • Automatic service discovery and hostname resolution (remote service hostname = Docker container name)
  • Multiplatform CLI (Linux, macOS, Windows — ARM64 & AMD64)
  • Secure VPN tunneling (WireGuard)
  • Self-hosted and open-source
  • High performance with a low memory footprint
  • Easy, declarative tunnel configuration via docker labels
  • Quick and easy start in self-hosted mode in just two commands - no tinkering with docker/compose files

| Ingress Proxy | Hostname Resolution | |:--:|:--:| | Ingress proxy with free, automated SSL certificate provisioning and renewal | Hostname resolution (hostname = docker container name) |

Key Concepts

  • GATEWAY – a Linux-based machine with Docker installed, a public IP address, and the following open ports: 80/tcp, 443/tcp, 4060/tcp, 51820/udp and 32420-32421/tcp+udp. This node acts as the ingress gateway and an entry point to your published services.
  • CLIENT – any number of laptops/PCs that will connect to the WireGuard network to manage the ingress network and expose services from their local machines to the Internet.
  • SERVER (optional) – one or more Linux-based machines (with Docker) that run the workloads you want to expose. These nodes join the same private WireGuard network, provided by the GATEWAY.

| Ingress Proxy and VPN tunnel | Docker Service Discovery | |:--:|:--:| | Ingress Proxy and VPN tunnel - conceptual scheme | Docker Service Discovery - conceptual scheme |

Network Architecture

Internet
    ↕ 
Caddy (tcp/udp/http/https/websocket forwarding & automated SSL renewal)
    ↕ 
[GATEWAY] ↔ WireGuard VPN ↔ [SERVER] ↔ [Docker Containers]
    ↕ 
WireGuard VPN
    ↕ 
[CLIENT] ↔ [Local Services]

Video Tutorial

Watch a quick setup tutorial on YouTube:

| <a href="https://youtu.be/9wvxT-QOZ2Q"><img src="https://img.youtube.com/vi/9wvxT-QOZ2Q/maxresdefault.jpg" alt="Quick Setup Tutorial" width="100%"></a> | |:--:|

Preparation

Before getting started with wireport, you need to prepare your CLIENT, GATEWAY and (optionally) SERVER nodes. This section covers all the prerequisites and setup requirements for each node type.

CLIENT Node Preparation (e.g., your laptop/PC)

Prerequisites

  • Installed WireGuard client: required for connecting to the VPN tunnel between GATEWAY, SERVER and CLIENT nodes of wireport (official WireGuard website)
  • Installed wireport CLI: required for managing services, exposed via ingress-proxy, as well as gateway, server and client nodes

wireport CLI Installation

via Homebrew (macOS, Linux)

brew install MultionLabs/wireport/wireport

or

via scoop (Windows)

scoop bucket add wireport https://github.com/MultionLabs/scoop-wireport
scoop install wireport

or

from binaries (Linux, macOS, Windows)

<details> <summary>Links to latest pre-built packages & unsigned binaries (Linux, macOS, Windows)</summary>

| Platform | AMD64 | ARM64 | |:---------|:------|:------| | macOS (.pkg) | wireport-macos-amd64.pkg | wireport-macos-arm64.pkg | | macOS (.zip) | wireport-macos-amd64.zip | wireport-macos-arm64.zip | | Linux (.tar) | wireport-linux-amd64.tar | wireport-linux-arm64.tar | | Linux (.deb) | wireport-linux-amd64.deb | wireport-linux-arm64.deb | | Linux (.rpm) | wireport-linux-amd64.rpm | wireport-linux-arm64.rpm | | Windows | wireport-windows-amd64.zip | wireport-windows-arm64.zip |

Installing from a .deb package on Ubuntu or Debian (amd64):

wget https://github.com/MultionLabs/wireport/releases/latest/download/wireport-linux-amd64.deb && \
sudo dpkg -i ./wireport-linux-amd64.deb

Installing from an .rpm package on Alma or Rocky (amd64):

wget https://github.com/MultionLabs/wireport/releases/latest/download/wireport-linux-amd64.rpm && \
sudo rpm -ivh ./wireport-linux-amd64.rpm

Installing from a .tar package (e.g., on Arch; amd64):

wget https://github.com/MultionLabs/wireport/releases/latest/download/wireport-linux-amd64.tar && \
sudo tar -xvf wireport-linux-amd64.tar -C /

⚠️ Running Unsigned Binaries on macOS and Windows

Since the binaries are not signed with commercial certificates, your operating system may prevent them from launching by default.
You will need to manually allow them.

🪟 On Windows

When you try to launch the program, you may see a warning similar to:

Windows protected your PC
Windows Defender SmartScreen prevented an unrecognized app from starting.

To proceed:

  1. Click More info.
  2. Click Run anyway.

This will start the application despite the warning.

🍎 On macOS

When you attempt to open the app or installer, you may see:

"wireport cannot be opened because the developer cannot be verified."

To allow it:

  1. Open Finder and locate the application or .pkg file.
  2. Right-click (or Control-click) the file and select Open.
  3. You will see a similar warning, but this time it includes an Open button.
  4. Click Open to confirm you trust the file.

Alternatively, you can allow the app through System Preferences:

  1. Open Apple Menu > System Settings > Privacy & Security > General.
  2. You will see a message that the app was blocked.
  3. Click Allow Anyway.
  4. Then, try opening the app again.

Note:

  • These steps are necessary only once per file.
  • If you have any concerns about file integrity, consider verifying checksums or building binaries from the source code yourself.
  • In enterprise environments, administrators can whitelist the binaries using Group Policy (Windows) or Gatekeeper settings (macOS).
</details>

GATEWAY Node Preparation

Prerequisites

  • A small Linux node with a Public IPv4 address (any 5$/month Ubuntu/Debian/Rocky/Alma-based VPS would typically suffice; e.g., this one (ref. link))
  • Docker Installation: the gateway must have Docker installed and running (e.g., tutorial for Ubuntu)
  • SSH Access: the SSH account used for gateway bootstrapping must have privileges for executing Docker commands

MultionLabs

View profile

View on GitHub
GitHub Stars40
CategoryDevelopment
Updated15h ago
Forks0
MultionLabs/wireport

Languages

Go

Security Score

95/100

Audited on Apr 5, 2026

No findings