Waitgate is a fully self-hosted, secure reverse proxy tunnel, designed to expose any local service (HTTP, HTTPS, raw TCP, SSH, RDP, etc.) without ever directly exposing a public IP or port. All application data is encrypted client-side (ChaCha20-Poly1305) before being sent through the WebSocket tunnel (WS or WSS, HTTP or HTTPS). Modern admin dashboard, only one port to open, security and simplicity first.
- End-to-end ChaCha20-Poly1305 encryption (all traffic: dashboard, HTTP & raw TCP)
- 2FA (TOTP) for dashboard login
- Brute-force protection
- NAT/firewall bypass (outgoing only)
- Expose any TCP service (HTTP, SSH, RDP…)
- HTTP/HTTPS reverse proxy
- Single public port (dashboard & tunnel share the same port)
- Auto-generated, encrypted client.js
- Real-time connected users
- Self-hosted & open source
- Clone the repo:
    git clone https://github.com/votre_user/waitgate.git
    cd waitgate
- Install dependencies:
    npm install
- Start the server:
    node server.js
- Access the dashboard:
  - http://localhost:8000/dashboard
  - Default login: admin / (randomly generated at first launch)
- Download the tunnel client:
  - From dashboard ("Download client.js" button)
  - Or http://localhost:8000/download
- Configure client.js:
  - Edit LOCAL_HOST & LOCAL_PORT in client.js on the target machine.
- Run:
    node client.js

- TUNNEL_CHACHA_KEY: ChaCha20-Poly1305 encryption key (256 bits, auto-generated)
- TUNNEL_TOKEN: Tunnel connection token (wgt_ prefix, auto-generated)
- DASH_USER / DASH_PASS: Admin credentials
- LOGIN_SECRET: Password encryption key for dashboard login
Edit the .env file to customize.
- ChaCha20-Poly1305 application-level encryption: All buffers are encrypted before being sent through the tunnel (WS, WSS, HTTP, HTTPS). Even on plain HTTP/WS, your data is not readable without the ChaCha20 key.
- No public port required on the client side (outgoing only).
- Strong authentication for both dashboard and tunnel.
- No admin/tunnel secret is ever stored client-side.
Waitgate does not require HTTPS/TLS or any proxy on its own port. Only the service you want to expose needs to handle HTTPS/TLS if required (for example, if you expose a web server with HTTPS, it's your web server that must serve HTTPS, not Waitgate). Waitgate simply tunnels all traffic as-is. Every message is individually ChaCha20-encrypted client-side before entering the tunnel. If you run Waitgate behind a reverse proxy (Nginx, Caddy, etc.), only HTTP services can be exposed; raw TCP will not work through the tunnel.
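The per-message encryption described above, sketched with Node's built-in crypto module. This is an added example, not Waitgate's core/crypto-utils.js. The frame layout, the function names sealFrame/openFrame, and the sequence number bound as associated data (so a replayed or reordered frame fails authentication) are assumptions made for illustration.

```javascript
// Added example, not Waitgate's own code: one AEAD frame per tunnel message.
// Assumed frame layout: nonce(12) || ciphertext || tag(16).
const crypto = require('node:crypto');

const ALG = 'chacha20-poly1305';
const NONCE_LEN = 12;
const TAG_LEN = 16;

// Encode the message sequence number as 8 bytes of associated data (assumption).
function seqBytes(seq) {
  const b = Buffer.alloc(8);
  b.writeBigUInt64BE(BigInt(seq));
  return b;
}

// Encrypt one message with a fresh random nonce; seq is authenticated, not sent.
function sealFrame(key, seq, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(seqBytes(seq));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Authenticate and decrypt one frame. Returns null for a short frame, a wrong
// key, a modified byte, or a sequence number other than the expected one.
function openFrame(key, expectedSeq, frame) {
  if (frame.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = frame.subarray(0, NONCE_LEN);
  const body = frame.subarray(NONCE_LEN, frame.length - TAG_LEN);
  const tag = frame.subarray(frame.length - TAG_LEN);
  const decipher = crypto.createDecipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(seqBytes(expectedSeq));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch {
    return null; // Poly1305 tag check failed
  }
}

// Constructed sample input: a random 256-bit key and one HTTP request.
const demoKey = crypto.randomBytes(32);
const demoFrame = sealFrame(demoKey, 0, Buffer.from('GET / HTTP/1.1\r\n\r\n'));
console.log('frame bytes:', demoFrame.length);
console.log('replayed as seq 1 ->', openFrame(demoKey, 1, demoFrame));
```

In this sketch each direction of the tunnel keeps its own counter for the next expected sequence number, and a frame that fails to open is treated as a reason to drop the connection rather than skipped.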
This tool is provided for educational and legitimate use only. The author is not responsible for any misuse, illegal activity, or damage caused by this software. Users are responsible for complying with applicable laws.
waitgate/
├─ core/
│  ├─ crypto-utils.js   # ChaCha20-Poly1305 encryption/decryption
│  ├─ exposer-ip.js     # IP exposer logic
│  ├─ rateLimiter.js    # Request rate limiting
│  ├─ tcp-tunnel.js     # TCP tunnel logic
│  └─ ws-handler.js     # WebSocket handler
│
├─ routes/
│  ├─ dashboard.js      # HTTP/dashboard routing
│  └─ download.js       # Generates client.js
│
├─ server/
│  ├─ httpServer.js     # HTTP SRV
│  ├─ tcpServer.js      # TCP SRV
│  └─ wsServer.js       # WS SRV
│
├─ views/               # HTML frontend
│  ├─ index.html
│  ├─ login.html
│  └─ panel.html
│
├─ config.js            # Env management
├─ server.js            # Main server entry
├─ package.json         # Node.js dependencies
└─ .env                 # Secret config (auto)
- Expose an internal web service to the outside (no public IP/port exposed).
- Share a dev service temporarily (API, webapp, SSH, etc.).
- Secure remote raw TCP access (shell, RDP, local proxy, etc.).
- Create a temporary, secured TCP bastion to a specific port.
Project by Macxzew
Give a star if this project helped you!

