serve.zone/remoteingress
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 8 Wiki Activity
189 Commits 1 Branch 92 Tags
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
jkunz e7d1f88c83
Docker (tags) / release (push) Failing after 1s
Details
Release / build-and-release (push) Successful in 5m49s
Details
v4.24.1
2026-06-10 00:24:44 +00:00
.gitea/workflows
fix(release): install Rust arm64 cross-build dependencies in release workflow
2026-05-29 14:44:54 +00:00
.vscode
fix(hub-core): improve stream shutdown handling and connection cleanup in hub and edge
2026-03-26 07:10:15 +00:00
binary
feat(packaging): add Linux binary builds and release automation
2026-05-29 10:21:45 +00:00
rust
feat(hub): add configurable stream telemetry modes
2026-06-03 14:03:46 +00:00
test
fix(registry-upload-test): close client socket after registry upload response ends
2026-06-02 12:12:30 +00:00
ts
v4.24.1
2026-06-10 00:24:44 +00:00
.dockerignore
fix: modernize docker publishing
2026-04-29 12:58:06 +00:00
.gitignore
BREAKING CHANGE(remoteingress): migrate core to Rust, add RemoteIngressHub/RemoteIngressEdge JS bridge, and bump package to v2.0.0
2026-02-16 11:22:23 +00:00
.smartconfig.json
feat(build): produce statically linked Rust binaries
2026-06-10 00:10:22 +00:00
changelog.md
v4.24.1
2026-06-10 00:24:44 +00:00
cli.child.ts
fix(core): update
2024-04-14 03:38:00 +02:00
cli.js
fix(core): update
2024-04-14 03:38:00 +02:00
cli.ts.js
fix(core): update
2024-04-14 03:38:00 +02:00
deno.json
v4.24.1
2026-06-10 00:24:44 +00:00
Dockerfile
fix(docker): include pnpm workspace manifest before dependency install
2026-06-10 00:24:42 +00:00
install.sh
feat(distribution): add binary installer
2026-05-29 13:58:05 +00:00
license
docs: refresh readme and legal info
2026-05-07 20:22:12 +00:00
license.md
fix(hub-core): improve stream shutdown handling and connection cleanup in hub and edge
2026-03-26 07:10:15 +00:00
package.json
v4.24.1
2026-06-10 00:24:44 +00:00
pnpm-lock.yaml
feat(build): produce statically linked Rust binaries
2026-06-10 00:10:22 +00:00
pnpm-workspace.yaml
fix(quic): reserve QUIC control stream outside data stream limits
2026-05-27 18:27:12 +00:00
readme.hints.md
feat(build): produce statically linked Rust binaries
2026-06-10 00:10:22 +00:00
readme.md
feat(hub): add configurable stream telemetry modes
2026-06-03 14:03:46 +00:00
tsconfig.json
fix(hub-core): improve stream shutdown handling and connection cleanup in hub and edge
2026-03-26 07:10:15 +00:00

readme.md

@serve.zone/remoteingress

@serve.zone/remoteingress is a Rust-powered, TypeScript-controlled edge tunnel for moving TCP and UDP traffic from public edge nodes into a private dcrouter or SmartProxy host while preserving the original client IP through PROXY protocol.

Issue Reporting and Security

For reporting bugs, issues, or security vulnerabilities, please visit community.foss.global/. This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a code.foss.global/ account to submit Pull Requests directly.

What It Does

Remote ingress solves the common edge problem: your workload or gateway lives behind NAT, a firewall, or a private network, but public traffic should enter through one or more hardened edge VPS nodes.

Internet clients
      |
      v
public edge node: RemoteIngressEdge
      |
      | TLS or QUIC tunnel
      v
private site: RemoteIngressHub -> dcrouter / SmartProxy

The edge binds public TCP and UDP ports assigned by the hub. Each accepted connection or datagram is tunneled to the hub, which forwards it to a local target host with PROXY headers so downstream routing can still see the real client address.

Highlights

  • Rust networking core managed from TypeScript through @push.rocks/smartrust
  • 🔁 Hub/edge model with dynamic updateAllowedEdges() reconciliation
  • 🌐 TCP forwarding over frame-multiplexed TLS or native QUIC streams
  • 📡 UDP forwarding over TCP frames or QUIC datagrams
  • 🧾 PROXY protocol preservation for client IP visibility at SmartProxy
  • 🛡️ Hub-pushed nftables firewall snapshots for blocklists, rate limits, and custom rules
  • 🔐 Shared-secret edge authentication and compact connection tokens
  • 🚦 Transport modes: tcpTls, quic, and quicWithFallback
  • 📊 EventEmitter status events for edge lifecycle, streams, port assignments, and crash recovery

Install

Use the package as a TypeScript library:

pnpm add @serve.zone/remoteingress

Install the CLI on a Linux edge or hub host with the released self-extracting binary:

curl -sSL https://code.foss.global/serve.zone/remoteingress/raw/branch/main/install.sh | sudo bash

The installer downloads remoteingress-linux-x64 or remoteingress-linux-arm64 from the latest Gitea release, installs it under /opt/remoteingress, and links /usr/local/bin/remoteingress. Use --version vX.Y.Z to pin a release, --install-dir /path to change the target directory, or --source to clone the tag and build the NodeNext package locally.

curl -sSL https://code.foss.global/serve.zone/remoteingress/raw/branch/main/install.sh | sudo bash -s -- --source

Hub Side

Run the hub next to the private service you want to expose. In dcrouter deployments the target is usually SmartProxy on 127.0.0.1.

import { RemoteIngressHub } from '@serve.zone/remoteingress';

const hub = new RemoteIngressHub();

hub.on('edgeConnected', ({ edgeId }) => console.log('edge connected', edgeId));
hub.on('edgeDisconnected', ({ edgeId }) => console.log('edge disconnected', edgeId));
hub.on('streamSummary', ({ edgeId, activeStreams }) => console.log('streams', edgeId, activeStreams));

await hub.start({
  tunnelPort: 8443,
  targetHost: '127.0.0.1',
  streamEventMode: 'summary',
});

await hub.updateAllowedEdges([
  {
    id: 'edge-fra-01',
    secret: 'replace-with-a-long-random-secret',
    listenPorts: [80, 443],
    listenPortsUdp: [443],
    stunIntervalSecs: 300,
    firewallConfig: {
      blockedIps: ['198.51.100.25'],
      rateLimits: [
        { id: 'https-per-ip', port: 443, protocol: 'tcp', rate: '200/second', burst: 100, perSourceIP: true },
      ],
    },
  },
]);

const status = await hub.getStatus();
console.log(status.connectedEdges);

await hub.stop();

Edge Side

The edge runs on the public node. It normally needs root privileges to bind privileged ports and apply nftables rules. If nftables cannot be initialized, the tunnel can still run, but kernel-level edge firewalling is skipped.

import { RemoteIngressEdge } from '@serve.zone/remoteingress';

const edge = new RemoteIngressEdge();

edge.on('tunnelConnected', () => console.log('tunnel connected'));
edge.on('portsAssigned', ({ listenPorts }) => console.log('TCP ports', listenPorts));
edge.on('firewallConfigUpdated', () => console.log('firewall snapshot applied'));

await edge.start({
  hubHost: 'ingress-hub.example.com',
  hubPort: 8443,
  edgeId: 'edge-fra-01',
  secret: 'replace-with-a-long-random-secret',
  transportMode: 'quicWithFallback',
});

console.log(await edge.getStatus());

await edge.stop();

Connection Tokens

Tokens are base64url-encoded compact JSON. They are useful when the hub operator provisions an edge and wants to hand over one opaque string.

import {
  RemoteIngressEdge,
  encodeConnectionToken,
  decodeConnectionToken,
} from '@serve.zone/remoteingress';

const token = encodeConnectionToken({
  hubHost: 'ingress-hub.example.com',
  hubPort: 8443,
  edgeId: 'edge-fra-01',
  secret: 'replace-with-a-long-random-secret',
});

console.log(decodeConnectionToken(token));

const edge = new RemoteIngressEdge();
await edge.start({ token });

CLI Mode

The package entry point exports runCli(), and the remoteingress CLI can run hub or edge mode.

remoteingress hub --tunnel-port 8443 --target-host 127.0.0.1 --stream-event-mode summary
remoteingress edge --token eyJoIjoiaW5ncmVzcy1odWIuZXhhbXBsZS5jb20i...

Environment-based startup is also supported:

Variable Purpose
REMOTEINGRESS_MODE hub or edge
REMOTEINGRESS_TOKEN Edge connection token
REMOTEINGRESS_HUB_HOST / REMOTEINGRESS_HUB_PORT Explicit edge connection target
REMOTEINGRESS_EDGE_ID / REMOTEINGRESS_SECRET Explicit edge credentials
REMOTEINGRESS_TARGET_HOST Hub-side forwarding target, default 127.0.0.1
REMOTEINGRESS_ALLOWED_EDGES_JSON Hub-side allowed edge list
REMOTEINGRESS_PERFORMANCE_JSON Optional performance configuration
REMOTEINGRESS_STREAM_EVENT_MODE Hub stream event mode: perStream, summary, or off

Docker Image

Release builds publish a multi-arch OCI image at code.foss.global/serve.zone/remoteingress:latest for linux/amd64 and linux/arm64.

Hub example:

docker run --rm --name remoteingress-hub \
  --network host \
  -e REMOTEINGRESS_MODE=hub \
  -e REMOTEINGRESS_TARGET_HOST=127.0.0.1 \
  -e REMOTEINGRESS_ALLOWED_EDGES_JSON='[{"id":"edge-fra-01","secret":"replace-me","listenPorts":[80,443]}]' \
  code.foss.global/serve.zone/remoteingress:latest

Edge example:

docker run --rm --name remoteingress-edge \
  --network host \
  --cap-add NET_ADMIN \
  -e REMOTEINGRESS_MODE=edge \
  -e REMOTEINGRESS_TOKEN='<connection-token>' \
  code.foss.global/serve.zone/remoteingress:latest

Use host networking when the container must bind public ports directly or reach a localhost target on the host. NET_ADMIN is needed only when the edge should apply nftables firewall snapshots.

Transport Modes

Mode Behavior
tcpTls Single TLS connection with frame-based stream multiplexing. Good for conservative networks.
quic QUIC streams for TCP and QUIC datagrams for UDP. Best latency and no TCP head-of-line blocking.
quicWithFallback Default edge mode. Tries QUIC and falls back to TCP/TLS when UDP is blocked.

Stream Event Modes

The hub can emit stream telemetry in three modes through IHubConfig.streamEventMode or REMOTEINGRESS_STREAM_EVENT_MODE.

Mode Behavior
perStream Compatibility/debug mode. Emits streamOpened and streamClosed for each stream. This is the library default.
summary Production dashboard mode. Suppresses per-stream events and emits streamSummary once per second per connected edge.
off Suppresses stream telemetry events. Consumers should poll getStatus() when they need counts.

streamSummary carries { edgeId, activeStreams, streamsOpenedTotal, streamsClosedTotal }. The hub status returned by getStatus() remains the authoritative source for current stream and traffic counters.

Firewall Config

firewallConfig travels in the same hub-to-edge configuration update as port assignments. Each update is a full desired-state snapshot.

await hub.updateAllowedEdges([
  {
    id: 'edge-fra-01',
    secret: 'secret',
    listenPorts: [80, 443],
    firewallConfig: {
      blockedIps: ['203.0.113.0/24'],
      rateLimits: [
        { id: 'http', port: 80, protocol: 'tcp', rate: '100/second', perSourceIP: true },
      ],
      rules: [
        { id: 'allow-monitoring', direction: 'input', action: 'accept', sourceIP: '10.0.0.0/8', destPort: 9090, protocol: 'tcp' },
      ],
    },
  },
]);

API Surface

Export Purpose
RemoteIngressHub Starts/stops the private hub, authorizes edges, pushes runtime config, and reports connected edges.
RemoteIngressEdge Starts/stops the public edge, connects to the hub, binds assigned ports, and applies firewall rules.
encodeConnectionToken() Encodes hub host, port, edge ID, and secret into a token.
decodeConnectionToken() Decodes and validates a token.
IHubConfig, IEdgeConfig, TAllowedEdge, TStreamEventMode Primary TypeScript shapes for integrating the module.

Development

pnpm run build
pnpm test

Useful source entry points:

  • ts/index.ts exports the public API and CLI runner.
  • ts/classes.remoteingresshub.ts wraps hub management commands and hub events.
  • ts/classes.remoteingressedge.ts wraps edge management commands, nftables application, and edge events.
  • ts/classes.token.ts implements compact connection tokens.
  • rust/ contains the performance-critical tunnel implementation compiled by tsrust.

License and Legal Information

This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the license file.

Please note: The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

Trademarks

This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.

Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.

Company Information

Task Venture Capital GmbH Registered at District Court Bremen HRB 35230 HB, Germany

For any legal inquiries or further information, please contact us via email at hello@task.vc.

By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

Reference in New Issue View Git Blame Copy Permalink
S
Description
remoteingress allows a cluster to be on some computer behind a NAT, and have a RemotePublicConnector runing on a small VPS running somewhere in the cloud.
bininterfacesocirusttypescript
Readme 4.8 MiB
Releases 8
RemoteIngress v4.24.1 Latest
2026-06-10 00:24:44 +00:00
Languages
Rust 71.1%
TypeScript 26.5%
Shell 2%
Dockerfile 0.3%