Skip to Content
🚀 Wiredoor 1.0.0 now available - Ready to expose your private services? Get Started →
DocumentationIntroduction

Wiredoor Documentation

Welcome to the official documentation for Wiredoor — a self-hosted, open-source Ingress-as-a-Service platform that lets you expose local services from any private network — Docker containers, on-prem servers, even IoT devices — to the public internet, without opening firewall ports or setting up reverse proxies manually. Everything runs over a secure, encrypted reverse VPN tunnel powered by WireGuard .

Wiredoor acts as your own ingress controller, giving you full control and visibility over how external traffic reaches your services—whether they’re running in Docker, Kubernetes, on-prem servers, industrial devices, or IoT setups.

What is Wiredoor?

Wiredoor is a self-hosted ingress-as-a-service platform that enables you to securely expose internal services, devices, or infrastructure located in private networks, LANs, or isolated environments without needing to open firewall ports, configure public cloud load balancers, or deploy reverse proxies manually.

At its core, Wiredoor creates a reverse VPN tunnel using WireGuard , allowing your internal services to establish outbound, encrypted connections to the Wiredoor Server, which acts as a public ingress point. Once connected, traffic from the internet can be securely routed into your network via domain-based rules, without requiring any inbound access to your local environment.

Core components

ComponentRole
WireGuard VPNEstablishes encrypted tunnel between nodes and server
NGINX ProxyRoutes incoming internet traffic to internal services
Admin PanelUI + API to manage domains, nodes, and certificates
Wiredoor CLITool to register, connect, and expose services from your devices

How is it different from traditional ingress or tunnels?

Most existing ingress solutions require:

  • A cloud provider (e.g. AWS ELB, Cloudflare Tunnel, Azure VPN)
  • Port forwarding on routers or firewalls
  • Manual reverse proxy configuration
  • Exposure of your private environment to the internet

Wiredoor flips this model:

Your services stay hidden in private networks. Only outbound WireGuard connections are needed. All ingress is managed from the outside, through a secure, authenticated VPN tunnel that you fully control.

How it works?

  1. Wiredoor runs on a public-facing server (with Docker or bare metal).
  2. Nodes (clients or gateways) connect to Wiredoor over WireGuard.
  3. Services running in private networks are securely exposed to the internet via domain/port routing.
  4. SSL certificates are handled automatically (Let’s Encrypt or self-signed).

Key Features

  • Secure and lightweight VPN via WireGuard
  • Built-in NGINX reverse proxy
  • Automatic SSL certificate provisioning (Let’s Encrypt support)
  • Expose HTTP, TCP, or UDP services
  • Works with Docker, Kubernetes, legacy servers, IoT, and more
  • Supports both single-node and gateway (site-to-site) modes
  • CLI tools for automation and scripting
  • No need to expose internal firewalls or use cloud services
  • 100% Open Source and Self-Hosted

Use Cases

  • Expose websites and other services publicly
  • Expose dashboards and dev environments remotely
  • Access private services without opening firewall ports
  • Connect remote Kubernetes clusters for development
  • Provide secure ingress to industrial systems and IoT devices
  • Act as a site-to-site VPN for full subnetwork routing

Get Started

→ Ready to deploy? Continue to the Installation Guide

Community & Support

Wiredoor is built with ❤️ by INFLADOOR LLC.

If you have questions, suggestions, or want to contribute, feel free to open an issue  or contact us via support@wiredoor.net.

Last updated on
Quickstart