Expose private services securely through reverse VPN tunnel powered by WireGuard and NGINX.
Open-source | Self-hosted

Documentation • Core Server • CLI • Helm Charts

Wiredoor is a self-hosted, open-source ingress-as-a-service platform that allows you to expose applications and services running in private or local networks to the internet—securely, reliably, and without complex infrastructure.

It uses reverse VPN connections powered by WireGuard and exposes services through a built-in NGINX reverse proxy. Perfect for developers, operators, or teams that want full control of their ingress without relying on public cloud solutions.

• Secure VPN tunnel with WireGuard (low latency and high performance)
• Reverse proxy with NGINX
• OAuth2-based Authentication support per domain and service (Google, GitHub, etc.) with OAuth2-proxy
• Automatic SSL certificates via Let's Encrypt (or self-signed fallback)
• Websocket Support Wiredoor supports WebSocket connections out of the box.
• Web UI to manage nodes, services, and domains
• Multi-environment support: works with Kubernetes, Docker, legacy servers, IoT, etc.
• CLI client (wiredoor-cli) for service management and automation
• Gateway nodes for full subnetwork exposure (site-to-site style)
• 100% self-hosted and open source

Wiredoor Server is the entry point for all external traffic.
This means that the server's public IP address or domain must be accessible from the internet,
or at least from the network where you want to access the exposed services.

Wiredoor is designed to run on a publicly reachable host so it can securely receive inbound traffic and forward it to your internal services over a private VPN tunnel.

This guide will help you get Wiredoor running and expose your first private service to the internet in just a few steps.

• Linux VPS (recommended)
• Docker Engine or Docker Desktop
• Open ports: 80, 443, and a UDP port for the VPN (default 51820)
• Optional: Port range for exposing TCP services (e.g. 32760-32767)

git clone https://github.com/wiredoor/docker-setup.git
cd docker-setup

cp .env.example .env
nano .env

Set your admin email, password, VPN public hostname or IP, and optionally, the TCP port range. If you modify the TCP port range, make sure to update the ports: section in docker-compose.yml.

docker compose up -d

In your browser, Navigate to https://your_wiredoor_domain_or_ip. Use the admin credentials from your .env file to access the dashboard.

For more information on using the web UI, visit the Usage Guide

You can use the auto-installer:

curl -s https://www.wiredoor.net/install-wiredoor-cli.sh | sh

Or download a package from GitHub Releases.

Run the following on the device you want to connect:

wiredoor login --url=https://your_deployed_wiredoor_domain_or_ip

This will:

• Promp for admin credentials (email and password)
• Ask for a name for the node (default: current hostname)
• Register the node in the server
• Connect it automatically via WireGuard

If you have a service running locally (e.g. on port 3000), you can expose it:

wiredoor http myapp --domain app.your.domain.com --port 3000

⚠️ The domain app.your.domain.com must point to the public Wiredoor server's IP address.

• ✅ Docker Gateway: Lightweight sidecar container to expose services in Compose environments.
• ✅ Kubernetes Gateway Chart: Helm chart to expose any service inside your Kubernetes cluster.

• Supports public domains with Let's Encrypt SSL.
• Also works with local/internal domains using self-signed certificates.
• Automatically handles renewal and configuration.

• Expose internal apps without opening firewall ports
• Access Kubernetes dashboards securely from the outside
• Remotely monitor or control IoT / industrial devices
• Replace complex VPN setups with a simpler alternative

More documentation, production setup examples, and deployment tools are on the way!