What is Wiredoor: Ingress-as-a-Service Using WireGuard

Updated: May 2, 2025

By: Joseph Horace

Table of Contents

  1. Introduction
  2. Key Features of Wiredoor
  3. Use Cases
  4. Installation and Setup
  5. Usage
  6. Comparisons: Wiredoor vs Ngrok vs Cloudflare Tunnel vs Traditional Reverse Proxy
  7. Conclusion

Introduction

In today’s world, securing internal apps exposed to the internet is more critical than ever before. However, traditional approaches come with their own complexities. Wiredoor is a solution to this problem.

Wiredoor is a self-hosted, open-source Ingress-as-a-Service platform that securely connects private networks to the outside world, without the need for intricate configurations.

Wiredoor uses WireGuard, a fast and secure VPN protocol, to establish encrypted VPN connections, ensuring privacy. It also includes a built-in NGINX reverse proxy for traffic management, making it easier to expose HTTP, TCP, and UDP services.

Wiredoor is the perfect tool for developers and teams who want total control over their ingress setup while avoiding reliance on cloud services.

In this article, we will explore Wiredoor, how it works, its features, and why it’s an excellent choice for managing service exposure.

Key Features of Wiredoor

Here are the key features that make Wiredoor stand out:

  • Secure and Lightweight VPN via WireGuard: Wiredoor utilizes WireGuard, a fast and secure VPN protocol, to establish encrypted tunnels between internal systems and the public internet. This ensures that all communication is protected with minimal overhead, making it an ideal choice for security-conscious users.
  • Built-in NGINX Reverse Proxy: With an integrated NGINX reverse proxy, Wiredoor routes incoming traffic to the appropriate internal service based on domain and port configurations. This eliminates the need for external reverse proxies and simplifies service exposure.
  • Automatic SSL Certificate Provisioning: Wiredoor supports automatic SSL certificate provisioning via Let’s Encrypt. This means that all exposed services can be secured with trusted certificates without manual intervention, ensuring that your services are always encrypted and trusted by clients.
  • Expose HTTP, TCP, or UDP Services: Whether you're exposing web applications, databases, or other network services, Wiredoor supports the exposure of HTTP, TCP, and UDP services. This versatility makes it suitable for a wide range of applications and use cases.
  • Works with Docker, Kubernetes, Legacy Servers, IoT, and More: Wiredoor can seamlessly integrate with modern technologies like Docker and Kubernetes, as well as legacy systems and IoT devices. This flexibility makes it an excellent solution for both new and existing infrastructure.
  • Supports Single-Node and Gateway (Site-to-Site) Modes: Wiredoor supports both single-node configurations for individual services and gateway (site-to-site) configurations for more complex network topologies. This gives users the ability to scale their setup according to their specific needs.
  • CLI Tools for Automation and Scripting: For advanced users and automation enthusiasts, Wiredoor provides command-line tools that allow for easy registration of nodes, service exposure, and ongoing management. These tools are perfect for scripting and integrating Wiredoor into DevOps workflows.
  • No Need to Expose Internal Firewalls or Use Cloud Services: Unlike traditional cloud-based ingress solutions, Wiredoor does not require you to expose internal firewalls or rely on third-party cloud services. This results in a more secure and cost-effective solution for managing ingress.
  • 100% Open Source and Self-Hosted: As an open-source platform, Wiredoor provides full transparency, and it can be entirely self-hosted on your own infrastructure. This gives you complete control over your network and eliminates any dependency on external vendors or services.

Use Cases

  • Secure Remote Access: Access internal applications and dashboards securely from remote locations without exposing the entire network.
  • IoT Device Management: Remotely monitor and control IoT or industrial devices without modifying firewall configurations.
  • Simplified VPN Replacement: Replace complex VPN setups with Wiredoor's streamlined approach for connecting remote systems.
  • Development Environments: Expose local development environments to the internet for testing or collaboration purposes.

Installation and Setup

Setting up Wiredoor is straightforward. Follow the steps below.

Prerequisites

Before you begin, ensure you have the following:

  • A Linux-based server (e.g., Ubuntu, Debian, or CentOS)
  • Docker and Docker Compose installed on the server
  • A domain name pointed to your server (for SSL certificate provisioning via Let’s Encrypt)
  • A basic understanding of using the terminal

Wiredoor Installation Steps

Step 1: Clone the Wiredoor Repository

First, clone the Wiredoor repository from GitHub:

git clone https://github.com/wiredoor/docker-setup.git
cd docker-setup

This will download the necessary files for the Wiredoor application.

Step 2: Configure Environment Variables

Wiredoor uses a .env file for configuration. Create the file by copying the provided template:

cp .env.sample .env

Edit the .env file to customize your settings. The most important settings to adjust are:

  1. admin email
  2. password
  3. VPN public hostname
  4. TCP port range (optional). If you edit the ports, you must also update docker-compose.yml to match.
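
The settings above can be checked before the containers are started in the next step. The script below is an added example, not part of the Wiredoor project: it flags a weak admin password, an unusable VPN hostname, a TCP port range that docker-compose.yml does not publish, and a .env file readable by other users. The key names ADMIN_PASSWORD, VPN_HOST and TCP_SERVICES_PORT_RANGE are assumptions; substitute the names used in your .env.sample.

```shell
#!/usr/bin/env bash
# Pre-flight check for a Wiredoor docker-setup checkout (added example).
# ASSUMPTION: ADMIN_PASSWORD, VPN_HOST and TCP_SERVICES_PORT_RANGE are
# hypothetical key names; use the ones in your own .env.sample.

# Print the value of key $1 from env file $2 (last assignment wins, quotes stripped).
env_get() {
  sed -n "s/^$1=//p" "$2" | tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one finding per line; return 0 only when nothing was found.
wiredoor_preflight() {
  local env_file="$1" compose_file="$2" findings=0 pw host range mode
  pw=$(env_get ADMIN_PASSWORD "$env_file")
  host=$(env_get VPN_HOST "$env_file")
  range=$(env_get TCP_SERVICES_PORT_RANGE "$env_file")

  # The admin login controls which internal services become reachable.
  if [ "${#pw}" -lt 12 ]; then
    echo "admin password is empty or shorter than 12 characters"
    findings=$((findings + 1))
  fi
  # Remote nodes dial this name, so loopback or an empty value cannot work.
  case "$host" in
    "" | localhost | 127.* | 0.0.0.0)
      echo "VPN public hostname is unset or not routable: '$host'"
      findings=$((findings + 1)) ;;
  esac
  # An edited range must be published in docker-compose.yml (literal or interpolated).
  if [ -n "$range" ] && ! grep -Fq -e "${range}:${range}" \
      -e '${TCP_SERVICES_PORT_RANGE}:' "$compose_file"; then
    echo "TCP range $range is not published in $compose_file"
    findings=$((findings + 1))
  fi
  # .env stores the admin password, so group and others get no access.
  mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
  case "$mode" in
    *00) ;;
    *) echo "$env_file has mode $mode; tighten it with: chmod 600 $env_file"
       findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

# Usage: ./preflight.sh .env docker-compose.yml
if [ "$#" -eq 2 ]; then wiredoor_preflight "$1" "$2"; fi
```

A non-zero exit status means at least one finding was printed, so the script can gate `docker-compose up -d` in a deployment pipeline.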

Step 3: Start Up Docker Compose

Run the following command to start the service:

docker-compose up -d

Step 4: Verify the Installation

Once the containers are up and running, you can check if Wiredoor is working by visiting your domain in a web browser. If everything is set up correctly, you should see the Wiredoor dashboard or a service landing page.

You can also check the status of the containers with:

docker-compose ps

Step 5: Expose a Service

Now that Wiredoor is installed, you can begin exposing your services. For example, to expose a simple web service, follow these steps:

  1. Run the web service on your desired port.
  2. Run the following command in your terminal, changing the port, domain name, and app name as needed:

wiredoor http myapp --domain app.your.domain.com --port 3000

Step 6: Configure SSL Certificates (Optional)

Wiredoor supports Let’s Encrypt for automatic SSL certificate provisioning. Ensure your domain is properly configured to point to your server. Once your service is exposed, Wiredoor will automatically request and configure an SSL certificate for secure HTTPS access.

Usage

Once Wiredoor is running, you can begin exposing services. This section guides you through configuring domains, understanding node types, and exposing services using both the Web UI and CLI.

Domains

Wiredoor maps incoming internet traffic to your internal services using domain names.

  • For public-facing apps, you’ll typically register real domains (like myapp.example.com) and point them to your Wiredoor server’s IP. Wiredoor will fetch and manage SSL certificates for you.
  • If you’re just testing or staying local, internal domains like test.internal or dev.local also work. Just note that they won’t get trusted SSL certs and might show browser warnings unless you install the cert manually.

How Nodes Work in Wiredoor

Every system that hosts a service behind Wiredoor is called a node. You can think of nodes as connection points from your internal network into Wiredoor’s ingress layer.

  • Local Node: Used when your service is on the same machine that’s running Wiredoor itself. It connects without VPN and is ideal for dashboards or internal dev tools.
  • Client Node: A machine elsewhere that connects back to Wiredoor through a WireGuard VPN tunnel. Perfect for exposing apps on laptops, containers, VMs, etc.
  • Gateway Node: Instead of exposing just one app, this node bridges an entire internal network or subnet. It's useful when you have legacy devices or a fleet of machines behind a NAT that need exposure without modifying each one.

How to Expose a Service in Wiredoor

There are two main ways to register services with Wiredoor: through the dashboard or using the CLI.

With the Dashboard

You can log into the web interface and add services with just a few fields: name, domain, port, protocol. Wiredoor handles the heavy lifting—routing, certificates, and reverse proxy setup happen automatically.

Using the CLI

For automation or scripting, the CLI is the better option. For example, to expose a local HTTP app on port 3000:

wiredoor http my-app --domain myapp.example.com --port 3000

You may be required to log in via:

wiredoor login --url https://your-wiredoor-ip-or-domain

Managing and Monitoring

Once services are live, you can use Wiredoor’s interface or CLI to check their status, tail logs, or make changes. If anything breaks, built-in logging and connection health info will help you troubleshoot fast.

Comparisons: Wiredoor vs Ngrok vs Cloudflare Tunnel vs Traditional Reverse Proxy

When it comes to exposing internal services, several tools are commonly used—but each comes with trade-offs. Here's how Wiredoor compares:

| Feature | Wiredoor | Ngrok | Cloudflare Tunnel | Traditional Reverse Proxy |
|---|---|---|---|---|
| Self-hosted | ✅ Full control | ❌ Cloud-hosted | ❌ Cloud-hosted | ✅ Usually |
| Open-source | ✅ 100% open source | ❌ (Proprietary) | ❌ (Proprietary) | ✅ Often (e.g., NGINX, HAProxy) |
| Uses WireGuard VPN | ✅ Secure by default | ❌ Uses TLS tunnels | ✅ Zero Trust tunnels | ❌ Typically firewall-bound |
| Built-in reverse proxy | ✅ NGINX included | ✅ (Limited) | ✅ Integrated | ✅ Yes |
| Custom domains + SSL | ✅ Let's Encrypt or internal certs | ✅ With paid plan | ✅ Auto-managed | ✅ With setup |
| Kubernetes/IoT support | ✅ Gateway mode | ⚠️ Limited | ⚠️ Limited | ⚠️ Complex |
| Requires public IP/DNS | ✅ Public or local domains supported | ✅ Required | ✅ Required | ✅ Required |
| CLI & scripting | ✅ Fully scriptable | ⚠️ Limited | ✅ Depends | |
| Cloud dependency | ❌ No dependency | ✅ Yes | ✅ Yes | ❌ None (but needs config) |

Conclusion

Wiredoor makes securely exposing internal services simple and efficient without the need for complex infrastructure. With its lightweight design and self-hosted approach, it’s a great solution for anyone looking to maintain control while safely connecting private networks to the internet.
