wiredoor-cli Container as a Gateway for Other Docker Services

[buildplan]

I am not sure if the right way to do it, but here is how I am using wiredoor-cli docker container. Hope this little guide will help someone.

---

Step 1: Create a Gateway on the Wiredoor Server

The first step is to configure a new gateway on your main Wiredoor server. This gateway will represent the network of services you intend to proxy.

1. Add Gateway: In your Wiredoor server's administrative interface, add a new gateway.
2. Enable Gateway Network: Select the option for the gateway to "act as a gateway network."
3. Assign Subnet: Define a subnet for this network. We will use 172.31.1.0/24 for this example, but you can use any private CIDR range that doesn't conflict with your existing networks.
4. Copy the Token: After the gateway is created, copy the generated access token. This token is required to authenticate the wiredoor-cli client.

---

Step 2: Create a Custom Docker Network on Your Host

On the machine where you will run your services, you need to create a dedicated Docker network. This network must use the same subnet that you defined on the Wiredoor server.

• Execute the Docker Command: Open your terminal and run the following command:

  docker network create --driver=bridge --subnet=172.31.1.0/24 wiredoor-net

  This creates a local bridge network named wiredoor-net that your containers will connect to.

---

Step 3: Deploy the wiredoor-cli Gateway Container

Now, deploy the wiredoor-cli container. It will connect to the Wiredoor server and act as the entry point for traffic into your custom Docker network.

• Create a docker-compose.yml file:

  networks:
    wiredoor-net:
      external: true
  
  services:
    wiredoor-gw:
      image: ghcr.io/wiredoor/wiredoor-cli:latest
      container_name: wiredoor-gw
      restart: unless-stopped
      cap_add:
        - NET_ADMIN
      sysctls:
        - net.ipv4.ip_forward=1
      environment:
        WIREDOOR_URL: ${WD_URL}
        TOKEN: ${WD_TOKEN}
      networks:
        - wiredoor-net

• Configuration Explained:

  • networks: wiredoor-net: external: true: This instructs Docker Compose to use the wiredoor-net network that you created manually in the previous step.
  • cap_add: - NET_ADMIN & sysctls: - net.ipv4.ip_forward=1: These permissions are essential. They allow the container to manage network interfaces and forward IP traffic, enabling it to function as a gateway.
  • environment: You must provide your Wiredoor Server URL (WD_URL) and the gateway Token (WD_TOKEN) you copied in Step 1. For security, it is best practice to place these in a .env file in the same directory.

• Launch the Container:

  docker-compose up -d

---

Step 4: Deploy Your Services into the Same Network

You can now run other services, like Uptime Kuma, and attach them to the same wiredoor-net.

• Add the service to your docker-compose.yml:

  networks:
    wiredoor-net:
      external: true
  
  services:
    # ... your wiredoor-gw service from above ...
  
    uptime-kuma:
      image: louislam/uptime-kuma:beta-slim
      container_name: uptime-kuma
      volumes:
        - ./data:/app/data
      restart: unless-stopped
      networks:
        - wiredoor-net

• Important Note: There is no need to add a ports section for the uptime-kuma service. Since it shares a Docker network with wiredoor-gw, the gateway can reach it directly using its container name. This is a more secure approach than exposing ports on the host.

• Launch the Service:

  docker-compose up -d

---

Step 5: Add the Service Route on the Wiredoor Server

The final step is to tell your Wiredoor server how to route traffic to the new service.

1. Select Your Gateway: On the Wiredoor server interface, navigate to the gateway you configured in Step 1.
2. Add a New Service: Create a new service entry.
3. Set the Service Address: For the address, use the Docker container's name and its internal port. Based on our example, the address would be: uptime-kuma:3001.

Your Uptime Kuma instance is now accessible through the Wiredoor server without being directly exposed to the internet from your host machine. You can repeat Steps 4 and 5 for any other containerized service you wish to proxy.

[dmesad]

Thank you so much for sharing this detailed guide!

You've implemented an excellent and secure variation of the Docker-based gateway pattern we describe in the official docs (Docker Gateway - Wiredoor Docs), and your clear explanation will definitely be helpful to other users in the community.

We also appreciate your help with the recent CrowdSec integration, and of course, thank you for your sponsorship 💙. Your support helps us continue improving Wiredoor.

If you're interested in contributing, whether it's by providing feedback, improving the documentation or submitting code, you're welcome to do so. We look forward to seeing more of your setups, so feel free to share them anytime.

Thanks again for everything! 🙌