A WireGuard-based tunnel for exposing private services — honestly reviewed for founders who are tired of Cloudflare’s TOS and ngrok’s bills.

TL;DR

What it is: Open-source (Apache-2.0) ingress-as-a-service platform that lets you expose private apps, Kubernetes clusters, databases, and IoT devices over the internet using a reverse VPN tunnel powered by WireGuard and NGINX [README][1].
Who it’s for: Developers, self-hosters, and small teams who need to expose services from behind CGNAT, a firewall, or a private network — without Cloudflare seeing your traffic or ngrok billing you per seat [1][README].
Cost savings: ngrok’s paid plans start at $8/mo with connection limits; Cloudflare Tunnels are free but ban streaming media and certain use cases. Wiredoor self-hosted runs on a $5–10/mo VPS with no per-connection or per-seat pricing [README].
Key strength: Solves CGNAT in a clean, self-contained package — WireGuard tunnel from your private node to a public VPS, NGINX terminates the traffic, auto SSL via Let’s Encrypt, OAuth2 per service. One install covers Docker containers, Kubernetes clusters, legacy servers, and Raspberry Pis simultaneously [README][1].
Key weakness: Young project (1,572 GitHub stars, launched 2024). Thin third-party review coverage. No managed cloud tier — you are entirely responsible for uptime, updates, and the VPS it runs on.

What is Wiredoor

Wiredoor is a self-hosted platform that makes it possible to expose services running on private networks to the internet without opening firewall ports, getting a static IP, or touching your router. The problem it solves is real and annoying: most residential ISPs today use Carrier Grade NAT (CGNAT), which means your home IP address is shared across dozens of customers, inbound ports are blocked, and there is no practical way to expose a service publicly without a middleman.

The architecture is straightforward. You run the Wiredoor server on a public-facing VPS. Your private nodes (the machines running your actual apps) connect to the server over a WireGuard VPN tunnel. Traffic from the internet hits the public VPS, passes through NGINX, travels down the WireGuard tunnel, and reaches your private service. The connection is encrypted end-to-end, the private server never needs open inbound ports, and Wiredoor never sees unencrypted data in transit [README][1].

This is structurally similar to Cloudflare Tunnels — which also use an outbound-only agent to punch through firewalls — except you control the VPS, WireGuard encrypts the tunnel cryptographically rather than relying on a third party, and Cloudflare’s Terms of Service restrictions (notably, the ban on streaming non-HTML content over their free tunnel) don’t apply [1]. The XDA Developers writeup [1] by Joe Rice-Jones is the clearest description of this difference: “Wiredoor is functionally similar to a Cloudflare Tunnel, in how it sets up the connection between your client and service. Except, it does this without breaking encryption anywhere on the chain, so your self-hosted solution stays safer, without anyone being able to snoop on your data. That means you can use it to access your Jellyfin library or any other streamed media that Cloudflare doesn’t want you to use its services for.”

The project is fully open source under Apache-2.0, hosted at https://github.com/wiredoor/wiredoor, and has 1,572 GitHub stars as of this review. It’s a relatively young project — the website promotes v1.6.0 — but the documentation is polished and the setup path is coherent.

Why people choose it

The comparison landscape here is more fragmented than the workflow automation space. There’s no single dominant “Zapier of tunnels.” Instead, people are picking from Cloudflare Tunnels, Tailscale, Pangolin, ZeroTier, NetBird, ngrok, frp, and combinations of Caddy/Traefik/nginx. Wiredoor competes in this space by being a self-contained, GUI-included package that handles the full stack: VPN, reverse proxy, SSL, OAuth2, and a web dashboard.

Versus Cloudflare Tunnels. Cloudflare Tunnels are free, reliable, and require almost no setup. They are also operated by Cloudflare, which means Cloudflare can see your unencrypted application traffic at their edge, their TOS prohibits certain content categories (video streaming being the most cited), and you have no control over routing or data residency. For founders building anything that handles sensitive data or media, this is a meaningful constraint [1]. Wiredoor removes Cloudflare from the chain entirely.

Versus Tailscale. Tailscale is excellent if your use case is connecting your own devices together in a mesh VPN — you want to SSH into your home server from a laptop or phone. Wiredoor is different in intent: it’s designed to expose services publicly to people who don’t have Tailscale installed. They’re solving adjacent but distinct problems [1]. Rice-Jones in the XDA review used Tailscale and Pangolin before switching to Wiredoor, and his framing is useful: “Some of us opt for Tailscale due to its simplicity, while others use a variety of other services built on the open-source WireGuard protocol.” He chose Wiredoor because it handles OAuth2, SSL, and NGINX in a single install without requiring a client on the end-user’s device [1].

Versus Pangolin. Pangolin is a newer self-hosted alternative to Cloudflare Tunnels that also uses WireGuard and has a web UI. Rice-Jones tried both and preferred Wiredoor, citing the polished documentation and shorter setup time [1]. The projects are similar enough that the choice may come down to UI preference and active development trajectory.

Versus ngrok. ngrok is developer-friendly and takes 30 seconds to expose a port, but the free tier limits you to one active tunnel, sessions time out, and URLs are random subdomains. The paid tiers start at $8/mo and scale by seat/team. For anything beyond quick demos, you’re paying a recurring bill for infrastructure that you could own outright [README].

The XDA review is the clearest window into the real-world experience: a self-hoster behind CGNAT, who had tried Pangolin, Caddy, Traefik, Nginx, and Cloudflare Tunnels, found Wiredoor easier to set up, appreciated that it didn’t route data through a third party, and specifically called out OAuth2 and auto-SSL as reasons to prefer it [1].

Features

Based on the README and the website:

Core tunnel:

WireGuard VPN tunnel from private nodes to the public Wiredoor server [README]
NGINX reverse proxy handling HTTP/TCP traffic on the server side [README]
Supports both HTTP/HTTPS services and raw TCP port exposure [README]
WebSocket connections supported out of the box [README]
Automatic SSL certificate issuance and renewal via Let’s Encrypt, with self-signed fallback [README]

Multi-environment node support:

Docker containers and Docker Compose stacks [README]
Kubernetes clusters via a Gateway node (Helm chart available) [README]
Legacy Linux servers, VMs, and on-premises hardware [README]
IoT devices and single-board computers (Raspberry Pi, etc.) [README]
“Gateway nodes” expose a full subnet, not just individual services — closer to site-to-site VPN behavior [README]

Authentication and access control:

OAuth2-based auth per domain or per service, via oauth2-proxy [README]
Supports Google, GitHub, and other OAuth2 providers [README]
Per-service access control — you can leave some services open and require OAuth2 on others [README]

Management:

Web UI for creating, managing, and revoking tunnels without touching the CLI [README]
CLI client (wiredoor-cli) for scripting, automation, and headless environments [README]
One login command registers a node and establishes the WireGuard connection automatically [README]

What it doesn’t include:

No managed cloud tier — you provide the VPS
No built-in monitoring or alerting beyond the web UI dashboard
No multi-tenant support for offering Wiredoor as a service to others (though the Apache-2.0 license permits building that)

Pricing: self-hosted vs. alternatives math

Wiredoor itself is free. There is no SaaS tier, no paid plan, no per-seat fee. The project is Apache-2.0 licensed open source and the only cost is the VPS you run it on [README].

What you pay:

A public-facing VPS: $4–6/mo on Hetzner Cloud or Contabo (2GB RAM is sufficient for most setups)
A domain name: ~$10–15/year if you want a custom domain

Alternatives for comparison:

Service	Free tier	Paid tier starts	Streaming allowed	Self-hosted
Wiredoor	Entire product	N/A	Yes	Yes
Cloudflare Tunnels	Yes, with TOS restrictions	$0 (but data goes through CF)	No (TOS §2.8)	No
ngrok	1 tunnel, timeouts, random URLs	$8/mo (personal)	Limited	No
Pangolin	Entire product	N/A	Yes	Yes
Tailscale	3 users, 100 devices	$6/user/mo	Yes (mesh only)	Partial

For a solo founder or small team exposing 5–10 services publicly, the math is: $5/mo VPS + $1.25/mo domain ≈ $6.25/mo total, versus ngrok at $8–25/mo with usage limits, or Cloudflare at $0 but with TOS constraints and data routing through Cloudflare’s infrastructure.

Over a year: ngrok Personal ≈ $96. Wiredoor self-hosted ≈ $75 including domain. Cloudflare ≈ $0 if the TOS restrictions don’t affect you — which they will if you’re serving Jellyfin, Plex, or any streaming content [1].

The more interesting comparison is for teams. ngrok Teams starts at $19/mo and charges per seat. Wiredoor doesn’t charge per node or per service — you add 20 nodes to one Wiredoor server and the only cost is the VPS spec you may need to bump.

Deployment reality check

The setup path is cleaner than most self-hosted networking tools. You’re not writing WireGuard config files by hand or debugging iptables rules. The README’s quickstart is three steps: clone the docker-setup repo, edit the .env file (admin credentials, public hostname, optional TCP port range), and run docker compose up -d. The Wiredoor server is running [README].

Connecting a node is two commands: install the CLI with the auto-installer script, then run wiredoor login --url=https://your-wiredoor-server. The login command registers the node, creates the WireGuard keypair, and establishes the tunnel automatically. From there, exposing a service is wiredoor http my-service --domain=mydomain.com --port=3000 [README].

What you need:

A Linux VPS with a public IP address (ports 80, 443, and UDP 51820 open)
Docker and docker-compose
A domain name if you want named services (required for Let’s Encrypt SSL)
Optional: a TCP port range open (e.g. 32760–32767) if you want to expose non-HTTP services

What can go wrong:

The VPS must be publicly reachable from the internet — this is the part that trips people up. The README is explicit: “Wiredoor is designed to run on a publicly reachable host so it can securely receive inbound traffic.” If you’re trying to run both the server and the client on the same private network, you’ve misunderstood the architecture. The server lives on the VPS; the clients are your private machines.

CGNAT on the server side would defeat the whole purpose. Use a VPS from any cloud provider — they all give you a dedicated public IP.

The project is young (v1.6.0 as of this review). Rice-Jones gave it a positive review in May 2025 [1], but it has limited community footprint compared to Tailscale or Cloudflare Tunnels. Bug reports and issue responses depend on a small maintainer team. There’s no Trustpilot listing, no extensive G2 review trail. You are taking a bet on a project with 1,572 stars and thin third-party validation.

Kubernetes deployment is supported via Helm charts at https://charts.wiredoor.net. The gateway node model means you can expose an entire Kubernetes cluster’s internal services without installing Wiredoor on every pod [README].

Realistic time estimate for a developer: 20–45 minutes from zero to first service exposed. For a non-technical founder: this isn’t a beginner tool. If you’ve never used SSH or Docker, you’ll need help.

Pros and Cons

Pros

End-to-end encryption. WireGuard means your data is never decrypted on the VPS — traffic is tunneled encrypted from the private node to the destination. Cloudflare Tunnels terminate TLS at Cloudflare’s edge, which is a meaningfully different trust model [1][README].
Apache-2.0 license. No commercial restrictions, no “fair-code” ambiguity. You can embed it in a product, offer it as a service, or fork it freely [README].
Solves CGNAT cleanly. The explicit design target is private networks behind CGNAT, NAT, or firewalls with no open inbound ports. It works without router access or static IPs [1][README].
Multi-environment in one install. One Wiredoor server handles Docker containers, Kubernetes clusters, Raspberry Pis, legacy servers, and IoT devices simultaneously — you don’t need different tools per environment [README].
OAuth2 per service. Granular access control via oauth2-proxy means you can put a Google login in front of any internal service without modifying the service itself [README].
Polished for its age. The documentation is complete, the CLI is clean, and the web UI handles most operations without forcing you to the terminal [1][README].
No per-service or per-seat pricing. You own the infrastructure. Ten nodes or a hundred, the cost is the VPS [README].

Cons

Young project with thin third-party coverage. 1,572 GitHub stars. One substantive third-party review found ([1]). No community forum, no Subreddit, no extensive issue database to learn from. You’ll be debugging edge cases with limited community help.
No managed cloud option. You are responsible for the VPS, updates, backups, and uptime. If the VPS goes down, all your exposed services go down. There’s no fallback SLA.
Not for non-technical users. The setup is straightforward for a developer, but there’s no hosted wizard, no click-through installer, no support line. If Docker Compose is unfamiliar, this isn’t where you start.
Requires a dedicated public VPS. You can’t run this entirely at home. The server component needs a public IP, which means a VPS bill even if it’s a small one.
Streaming and media limitations on Cloudflare don’t apply here, but you may hit VPS bandwidth limits. If you route high-volume video traffic through a $5 Hetzner VPS, you’ll hit monthly bandwidth caps. Plan accordingly.
No audit logs or enterprise governance features. Fine for solo use and small teams, but there’s no RBAC, no centralized logging, no compliance controls. This isn’t a replacement for a proper zero-trust network access solution in enterprise environments.
CLI-dependent for nodes. Managing nodes still requires command-line access to each private machine. The web UI handles configuration, but initial node registration requires running commands on the target device [README].

Who should use this / who shouldn’t

Use Wiredoor if:

You’re a developer or self-hoster behind CGNAT who wants to expose services publicly without paying ngrok or routing traffic through Cloudflare.
You have multiple environments (home server, Kubernetes cluster, Raspberry Pi, cloud VM) and want one tool to manage all the ingress rather than separate solutions per environment.
Privacy matters: you want WireGuard encryption end-to-end, not TLS-terminated-at-Cloudflare.
You want OAuth2 protection on internal tools (Grafana, internal dashboards, dev environments) without modifying the apps.
You’re comfortable with Docker and a Linux VPS, or willing to learn.

Skip it (use Cloudflare Tunnels instead) if:

You don’t self-host any streaming media, you’re fine with Cloudflare seeing your traffic, and you want zero infrastructure to maintain.
You need something working in under 10 minutes with no VPS to provision.

Skip it (use Tailscale instead) if:

Your goal is connecting your own devices together in a mesh VPN — laptop to home server, team members to an internal network. Tailscale is more mature, has a generous free tier, and doesn’t require a public VPS.

Skip it (stay on ngrok) if:

Your need is temporary demos and webhooks during development, not permanent public exposure. ngrok’s free tier is fine for this and takes 30 seconds to set up.

Skip it entirely if:

You’re a non-technical founder who has never touched a VPS. The tool solves a real problem but the setup requires Docker fluency. Get help or use a managed alternative.

Alternatives worth considering

Cloudflare Tunnels — free, zero infrastructure, excellent for most web apps. Limits: Cloudflare sees your traffic, TOS restricts streaming/proxy use, no self-hosting option.
Pangolin — the closest architectural equivalent. Also WireGuard-based, also self-hosted, also has a web UI. Similar feature set; Wiredoor was described as slightly simpler to configure in the one head-to-head comparison available [1].
Tailscale — better for mesh VPN between known devices. Free for small teams. Not designed for exposing services to anonymous public users.
ZeroTier — similar to Tailscale, mesh-oriented. Open-source core. Less polished web UI.
NetBird — newer, WireGuard-based, also self-hostable. More focused on zero-trust network access than public ingress.
frp (fast reverse proxy) — lightweight, open-source, no web UI, configuration-file-based. Good if you want minimal overhead and are comfortable with manual config.
ngrok — best for development workflows and temporary tunnels. Paid tiers for permanent use.

For a developer or small team wanting permanent public ingress from a private network, the realistic shortlist is Wiredoor vs Pangolin vs Cloudflare Tunnels. Cloudflare wins on simplicity and zero cost if TOS isn’t a concern. Wiredoor and Pangolin compete on self-hosted, encrypted, no-third-party options — and the choice between them is likely personal preference until one project clearly pulls ahead on community and features.

Bottom line

Wiredoor is the cleanest solution currently available for the specific problem of exposing private services from behind CGNAT or a firewall without routing data through a third party. If Cloudflare Tunnels cover your use case and you don’t care about data residency or streaming restrictions, Cloudflare is simpler and free. But if you’re running Jellyfin, exposing sensitive internal tools, operating across multiple environments, or simply don’t want a corporation in the middle of your traffic, Wiredoor is the self-hosted answer — a $5 VPS, 30–45 minutes of setup, and you own the infrastructure permanently. The risk is its youth: thin community, no SLA, no managed fallback. For a developer comfortable with Docker, that’s an acceptable trade. For a non-technical founder, you’ll need someone to deploy it for you — which is exactly the kind of one-time setup that upready.dev handles for clients.

Sources

Joe Rice-Jones, XDA Developers — “I use this self-hosted tool to use my home network while I’m traveling” (May 31, 2025). https://www.xda-developers.com/self-hosted-tool-to-use-my-home-network-while-im-traveling/

Primary sources:

GitHub repository and README: https://github.com/wiredoor/wiredoor (1,572 stars, Apache-2.0 license)
Official website: https://www.wiredoor.net
Documentation: https://www.wiredoor.net/docs
Helm charts: https://charts.wiredoor.net
CLI repository: https://github.com/wiredoor/wiredoor-cli

Features

Authentication & Access

OAuth / Social Login
Single Sign-On (SSO)

Integrations & APIs

WebSocket Support

Security & Privacy

Encryption
Reverse Proxy Support
SSL / TLS / HTTPS

Compare Wiredoor

Traefik vs

Wiredoor

Both are networking tools. Traefik has 4 unique features, Wiredoor has 5.

Related Networking & VPN Tools

View all 99 →

Caddy

71K

A fast, extensible web server with automatic HTTPS — zero-config TLS certificates for every site, built-in reverse proxy, and a simple Caddyfile config format.

networking Apache-2.0

Traefik

62K

Cloud-native application proxy and ingress controller that auto-discovers services and handles TLS certificates, load balancing, and routing with zero manual configuration.

networking MIT