Skip to content

Reverse Proxy Tunnel in Practice

The previous post introduced reverse proxy and intranet penetration concepts. This post demonstrates practical use of the reverse proxy tunnel through concrete examples.

A reverse proxy tunnel combines reverse proxy with intranet penetration. These two concepts aren't inherently linked — reverse proxy can function without intranet penetration, and intranet penetration isn't solely for reverse proxy. However, many scenarios require combining them. For example, home or corporate networks may lack a public IP, making direct public access impossible — intranet penetration via a public IP server provides indirect access to intranet services.

Assume a public server with domain my.domain. We want router.my.domain to access the home router (192.168.1.1:80) and work.my.domain to access the company project management platform (172.10.1.1:80).

Server Side

Using Docker Compose with Traefik as the front-end proxy for domain-based routing to the tunnel service.

The tunnel service listens on port 8080 using WebSocket transport, accessible via tunnel.my.domain. Traefik routes router.my.domain and work.my.domain traffic to the public entry point on port 8000.

Two tunnels are defined: - router.my.domain → tunnel 6c538042-cc24-4910-8887-0f50916ad97f → home network - work.my.domain → tunnel 68e15803-a287-4ebd-b2ac-1aee1aa733ca → company network

docker-compose.yaml

version: '3'
services:
  traefik:
    image: traefik:v2.9.6
    restart: always
    command:
    - "--providers.docker"
    - "--entrypoints.web.address=:80"
    - "--entrypoints.websecure.address=:443"
    - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
    - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro"

  gost-tunnel:
    image: gogost/gost:3.0.0-rc10
    command: "-L tunnel+ws://:8080?entrypoint=:8000&tunnel=router.my.domain:6c538042-cc24-4910-8887-0f50916ad97f,work.my.domain:68e15803-a287-4ebd-b2ac-1aee1aa733ca"
    restart: always
    labels:
    - "traefik.http.routers.gost-tunnel.tls=true"
    - "traefik.http.routers.gost-tunnel.rule=Host(`tunnel.my.domain`)"
    - "traefik.http.routers.gost-tunnel.service=gost-tunnel"
    - "traefik.http.services.gost-tunnel.loadbalancer.server.port=8080"
    - "traefik.http.routers.gost-ingress.tls=true"
    - "traefik.http.routers.gost-ingress.rule=Host(`router.my.domain`, `work.my.domain`)"
    - "traefik.http.routers.gost-ingress.service=gost-ingress"
    - "traefik.http.services.gost-ingress.loadbalancer.server.port=8000"

Client Side

On a machine in the home network, establish a tunnel to the server:

gost -L rtcp://:0/192.168.1.1:80 -F tunnel+wss://tunnel.my.domain:443?tunnel.id=6c538042-cc24-4910-8887-0f50916ad97f

On a machine in the company network:

gost -L rtcp://:0/172.10.1.1:80 -F tunnel+wss://tunnel.my.domain:443?tunnel.id=68e15803-a287-4ebd-b2ac-1aee1aa733ca

For services accessed by domain internally (e.g., home router via router.my.home):

services:
- name: service-0
  addr: :0
  handler:
    type: rtcp
    metadata:
      sniffing: true
  listener:
    type: rtcp
    chain: chain-0
  forwarder:
    nodes:
    - name: router
      addr: 192.168.1.1:80
      http:
        host: router.my.home
chains:
- name: chain-0
  hops:
  - name: hop-0
    nodes:
    - name: node-0
      addr: tunnel.my.domain:443
      connector:
        type: tunnel
        metadata:
          tunnel.id: 6c538042-cc24-4910-8887-0f50916ad97f
      dialer:
        type: wss

After setup, router.my.domain accesses the home router and work.my.domain accesses the company project management platform.

Comments