dcrouter is a TypeScript control plane for running a serious multi-protocol edge or datacenter gateway from one process. It orchestrates HTTP/HTTPS and TCP routing through SmartProxy, email through smartmta, authoritative DNS and DNS-over-HTTPS, RADIUS, remote ingress tunnels, VPN access control, a typed Ops API, and a web dashboard.

It is built for operators who want one place to define routes, expose services, manage certificates, register domains and DNS providers, control VPN-only access, and inspect what is going on in production.

Issue Reporting and Security

For reporting bugs, issues, or security vulnerabilities, please visit community.foss.global/. This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a code.foss.global/ account to submit Pull Requests directly.

Why dcrouter

🌐 Run HTTP/HTTPS, TCP/SNI, email, DNS, RADIUS, VPN, and remote ingress from one orchestrated service.
🔐 Keep certificates, routes, tokens, domains, and reusable route references in one management plane.
🧠 Use system-managed routes for config-, email-, and DNS-derived traffic, plus API-managed routes for dynamic additions.
📊 Get an Ops UI and TypedRequest API for monitoring, automation, and day-2 operations.
⚡ Lean on Rust-backed data planes where it matters: proxying, DNS, email delivery, remote ingress, and VPN.

What It Covers

Area	What dcrouter does
HTTP / HTTPS / TCP	SmartProxy-based routing, TLS termination or passthrough, path/domain matching, optional HTTP/3 augmentation
Email	smartmta-based SMTP ingress and delivery, route-based email handling, DKIM-aware domain support
DNS	Authoritative DNS, DNS-over-HTTPS bootstrap routes, provider-backed and dcrouter-hosted domains and records
Certificates	ACME-aware certificate management with dashboard and API support
Access control	Source profiles, network targets, VPN-gated routes, API tokens, admin auth
Network edge	Remote ingress hub for edge nodes tunneling traffic into the router
Operations	Web dashboard, TypedRequest API, logs, metrics, health, route and token management

Installation

pnpm add @serve.zone/dcrouter

Quick Start

This is the smallest realistic setup: one HTTP route, embedded database enabled, and the Ops dashboard on port 3000.

import { DcRouter } from '@serve.zone/dcrouter';

const router = new DcRouter({
  smartProxyConfig: {
    routes: [
      {
        name: 'app',
        match: {
          domains: ['app.example.com'],
          ports: [80],
        },
        action: {
          type: 'forward',
          targets: [{ host: '127.0.0.1', port: 3001 }],
        },
      },
    ],
  },
  dbConfig: {
    enabled: true,
  },
  opsServerPort: 3000,
});

await router.start();

Once the router is running, you can:

open the Ops dashboard on http://localhost:3000
inspect the route in the System Routes view
add API-managed routes through the dashboard or API client
enable DNS, email, VPN, remote ingress, or RADIUS by adding the corresponding config blocks

Mental Model

dcrouter is not a toy reverse proxy with a few side features. It is an orchestrator that wires multiple specialized services into one management plane.

Layer	Responsibility
`DcRouter`	Startup order, shutdown, service wiring, configuration assembly, route hydration
SmartProxy	HTTP/HTTPS, TCP/SNI, TLS, HTTP/3-capable route execution
smartmta	SMTP ingress, queueing, DKIM-aware email processing and delivery
SmartDNS	Authoritative DNS and DoH request handling
smartradius	Network authentication, VLAN assignment, accounting
remoteingress	Edge tunnel registrations and runtime forwarding into the hub
smartvpn	VPN server and client access mediation for protected routes
OpsServer + dashboard	Typed API and browser UI for operations
smartdata-backed DB	Persistent routes, tokens, domains, records, profiles, cert metadata, caches

Route Model

Routes fall into two ownership classes:

Route kind	Origin	Ownership	What users can do
System routes	`config`, `email`, `dns`	Derived from config or runtime-managed subsystems	View and toggle only
API routes	`api`	Created through route-management API	Create, edit, delete, toggle

Important details:

system routes are persisted with a stable systemKey
config-, email-, and DNS-derived routes show up in the System Routes view
DoH routes are persisted as system-route templates and get their live socket handlers attached at apply time
system routes are managed by the system, not edited directly by operators

Core Features

Traffic Routing

Domain-, port-, and path-based SmartProxy routes
HTTP/HTTPS reverse proxying and generic TCP/SNI forwarding
Optional HTTP/3 augmentation for qualifying HTTPS routes
Reusable source profiles and network targets for route composition
Remote ingress aware routing for edge-delivered traffic

Email

smartmta-based inbound email handling
Route-based mail actions such as forward, process, deliver, reject
DKIM-aware domain handling and DNS record generation support
Email-domain management through the Ops API and UI
Queue, resend, failure, and delivery inspection through the dashboard and API

DNS

Authoritative scopes via dnsScopes
Bootstrap nameserver domains via dnsNsDomains
DNS-over-HTTPS endpoints for /dns-query and /resolve
Managed domains, managed records, and provider-backed DNS integrations
Internal email DNS record generation for internal-dns email domains

Certificates and ACME

Certificate overview and operations through OpsServer
Import, export, delete, and reprovision flows
DB-backed ACME configuration management
Integration with managed DNS for certificate provisioning flows
Routes can declare certificate: 'auto', but actual automated issuance depends on ACME being configured in the management plane

VPN, RADIUS, and Remote Ingress

VPN-gated routes with target-profile-based access matching
WireGuard-oriented VPN management with dcrouter-side client lifecycle support
RADIUS MAB, VLAN assignment, and accounting
Remote ingress hub for edge nodes tunneling traffic into central routes

Operations Plane

Web dashboard with overview, network, routes, access, security, domains, certificates, logs, and email views
TypedRequest API for automation and external control
API tokens with scoped access
Metrics, health, logs, and per-feature operational views

Configuration Overview

The main entry point is IDcRouterOptions.

Option	Purpose
`smartProxyConfig`	Main HTTP/HTTPS and TCP/SNI routing configuration
`emailConfig`	smartmta server config and email routes
`emailPortConfig`	External-to-internal email port mapping and email storage path tuning
`dnsNsDomains`	Nameserver hostnames used for NS bootstrap and DoH routes
`dnsScopes`	Authoritative DNS zones managed by dcrouter
`dnsRecords`	Static constructor-defined records
`publicIp` / `proxyIps`	DNS A-record exposure strategy
`dbConfig`	Embedded or external Mongo-backed persistence and seeding
`radiusConfig`	RADIUS authentication, VLAN, and accounting setup
`remoteIngressConfig`	Edge tunnel hub setup
`vpnConfig`	VPN server and client access configuration
`http3`	Global HTTP/3 behavior for qualifying routes
`opsServerPort`	Dashboard and TypedRequest API port

Example: Enabling DNS, Email, and VPN

import { DcRouter } from '@serve.zone/dcrouter';

const router = new DcRouter({
  smartProxyConfig: {
    routes: [
      {
        name: 'web-app',
        match: {
          domains: ['app.example.com'],
          ports: [443],
        },
        action: {
          type: 'forward',
          targets: [{ host: '127.0.0.1', port: 8080 }],
          tls: { mode: 'terminate', certificate: 'auto' },
        },
      },
    ],
  },
  emailConfig: {
    hostname: 'mail.example.com',
    ports: [25, 587, 465],
    domains: [
      {
        domain: 'example.com',
        dnsMode: 'internal-dns',
      },
    ],
    routes: [
      {
        name: 'inbound-mail',
        match: { recipients: '*@example.com' },
        action: {
          type: 'forward',
          forward: { host: 'mail-backend.example.com', port: 25 },
        },
      },
    ],
  },
  dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
  dnsScopes: ['example.com'],
  publicIp: '203.0.113.10',
  vpnConfig: {
    enabled: true,
    serverEndpoint: 'vpn.example.com',
    clients: [
      {
        clientId: 'ops-laptop',
        description: 'Operations laptop',
      },
    ],
  },
  dbConfig: {
    enabled: true,
  },
});

await router.start();

Operations API and Dashboard

With the database enabled, dcrouter exposes a management plane for:

routes and route toggles
API tokens
source profiles and network targets
DNS providers, domains, and records
ACME configuration and certificate lifecycle
email domains and email operations
VPN clients, remote ingress edges, and RADIUS data

The browser dashboard is built from the ts_web package and is served by OpsServer. The same backend is accessible programmatically via TypedRequest or the dedicated API client package.

Programmatic API Client

Use the API client when you want automation or integration code instead of clicking through the dashboard.

pnpm add @serve.zone/dcrouter-apiclient

import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';

const client = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
});

await client.login('admin', 'password');

const { routes } = await client.routes.list();
const systemRoutes = routes.filter((route) => route.origin !== 'api');

if (systemRoutes[0]) {
  await systemRoutes[0].toggle(false);
}

await client.routes.build()
  .setName('api-gateway')
  .setMatch({ ports: 443, domains: ['api.example.com'] })
  .setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8081 }] })
  .save();

See ./ts_apiclient/readme.md for the dedicated API-client package docs.

Published Modules

This repository publishes multiple modules from the same codebase.

Module	Purpose	Docs
`@serve.zone/dcrouter`	Main orchestrator and server package	`./readme.md`
`@serve.zone/dcrouter-interfaces`	Shared TypedRequest request and data interfaces	`./ts_interfaces/readme.md`
`@serve.zone/dcrouter-migrations`	Startup migration runner for dcrouter data	`./ts_migrations/readme.md`
`@serve.zone/dcrouter-web`	Web dashboard entry and UI components	`./ts_web/readme.md`
`@serve.zone/dcrouter-apiclient`	Typed OO API client	`./ts_apiclient/readme.md`

Development and Testing

pnpm run build
pnpm test

Target a single test file while working on one area:

tstest test/test.dns-runtime-routes.node.ts --verbose

Notes for Operators

Database-backed management features depend on dbConfig.enabled !== false.
If you disable the DB, constructor-configured services still run, but persistent management features are limited.
Nameserver domains are still required for DNS bootstrap and DoH route generation.
HTTP/3 is enabled by default for qualifying HTTPS routes unless disabled globally or per route.

License and Legal Information

This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the license file.

Please note: The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

Trademarks

This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.

Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.

readme.md

@serve.zone/dcrouter