
lunibo/exit


Exit Node

Turn a small VPS into an exit node that exposes services running on your home servers (Raspberry Pi, NUC, etc.) to the internet via a WireGuard VPN tunnel and Caddy reverse proxy with automatic HTTPS.

Supports multiple services on one device, multiple devices, and multiple exit nodes for redundancy — all with automatic HTTPS.

┌─────────────────────────────────────────────────────────────────────────┐
│  Internet                                                               │
│    │                                                                    │
│    ▼  HTTPS                                                             │
│ ┌─────────────────────────────────┐                                     │
│ │  VPS — Exit Node                │                                     │
│ │  ┌────────┐    ┌─────────────┐  │                                     │
│ │  │ Caddy  │───▶│  WireGuard  │  │                                     │
│ │  │ :443   │    │   Server    │  │                                     │
│ │  └────────┘    └──────┬──────┘  │                                     │
│ └───────────────────────┼─────────┘                                     │
│              VPN tunnel │ (UDP :51820)                                   │
│         ┌───────────────┼───────────────┐                               │
│         │               │               │                               │
│         ▼               ▼               ▼                               │
│ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐                   │
│ │ Raspberry Pi 1│ │ Raspberry Pi 2│ │   NUC / VM    │                   │
│ │  10.13.13.2   │ │  10.13.13.3   │ │  10.13.13.4   │                   │
│ │ ┌───────────┐ │ │ ┌───────────┐ │ │ ┌───────────┐ │                   │
│ │ │ App :8080 │ │ │ │ Blog :4000│ │ │ │ Tool :5000│ │                   │
│ │ │ API :3000 │ │ │ │ Dash :9090│ │ │ └───────────┘ │                   │
│ │ └───────────┘ │ │ └───────────┘ │ │               │                   │
│ └───────────────┘ └───────────────┘ └───────────────┘                   │
└─────────────────────────────────────────────────────────────────────────┘

Quick Start — Exit Node (VPS)

Prerequisites

  • A VPS with a public IP address
  • Docker and Docker Compose installed
  • A domain name with DNS pointed to the VPS IP
  • Ports 80, 443 (TCP) and 51820 (UDP) open in your firewall

1. Clone and configure

git clone https://github.com/lunibo/exit.git
cd exit
cp .env.example .env

Edit .env with your values:

WG_HOST=vpn.example.com       # public IP or hostname of your VPS
WG_PASSWORD=a-strong-password  # password for the WireGuard web UI
CADDY_ACME_EMAIL=you@example.com

2. Start the exit node

docker compose up -d

This starts:

  • WireGuard — VPN server on UDP port 51820, web UI on port 51821
  • Caddy — reverse proxy on ports 80/443 with automatic HTTPS

3. Create a VPN client

Access the WireGuard web UI at port 51821. For security, use an SSH tunnel instead of exposing it directly:

ssh -L 51821:localhost:51821 user@your-vps-ip
# Then open http://localhost:51821 in your browser

Log in with your WG_PASSWORD and create a new client. Download the configuration file.

4. Add domain routes

Edit caddy/Caddyfile and add a block for each service you want to expose. You can route multiple domains to different services on the same client, or across multiple clients:

# Two services on Raspberry Pi 1 (VPN IP 10.13.13.2)
app.example.com {
    reverse_proxy 10.13.13.2:8080
}

api.example.com {
    reverse_proxy 10.13.13.2:3000
}

# A service on Raspberry Pi 2 (VPN IP 10.13.13.3)
dashboard.example.com {
    reverse_proxy 10.13.13.3:9090
}

Each VPN client gets its own IP (shown in the wg-easy UI). Services on the same client just use different ports.
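A pre-reload check for the routes above, as an added example that is not part of this repository: it flags any `reverse_proxy` upstream that does not point at a VPN client address, so a typo cannot make the public exit node proxy to some other host. The `10.13.13.0/24` subnet, the `audit_caddyfile` name and the sample routes (with two deliberate mistakes) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: clients get addresses from 10.13.13.0/24, matching the
# 10.13.13.x addresses in this README. Adjust to your wg-easy settings.
VPN_SUBNET = ipaddress.ip_network("10.13.13.0/24")

# Constructed sample: README-style routes with two deliberate mistakes.
SAMPLE_CADDYFILE = """\
app.example.com {
    reverse_proxy 10.13.13.2:8080
}
api.example.com {
    reverse_proxy 10.13.31.2:3000   # typo: .31 instead of .13
}
dashboard.example.com {
    reverse_proxy /metrics* 10.13.13.3:9090 backend.internal:9090
}
"""

def audit_caddyfile(text, subnet=VPN_SUBNET):
    """Return (site, upstream, reason) for each upstream outside the tunnel.

    Handles the inline `reverse_proxy [matcher] host:port ...` form only.
    """
    findings, site, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        tokens = line.split()
        if depth == 0 and tokens[-1] == "{":
            site = " ".join(tokens[:-1])     # top-level site address line
        elif tokens[0] == "reverse_proxy":
            for upstream in tokens[1:]:
                if upstream == "{" or upstream[0] in "/@*":
                    continue  # block opener or request matcher, not an upstream
                host = re.sub(r"^\w+://", "", upstream).rsplit(":", 1)[0]
                try:
                    inside = ipaddress.ip_address(host) in subnet
                    reason = f"outside {subnet}"
                except ValueError:
                    inside, reason = False, "not an IP literal"
                if not inside:
                    findings.append((site, upstream, reason))
        depth += line.count("{") - line.count("}")
    return findings

if __name__ == "__main__":
    for site, upstream, reason in audit_caddyfile(SAMPLE_CADDYFILE):
        print(f"{site}: {upstream} ({reason})")
```

To audit the real file, pass the contents of caddy/Caddyfile to `audit_caddyfile`; an empty list means every inline upstream is an address inside the assumed VPN subnet.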

Reload Caddy without downtime:

docker compose exec caddy caddy reload --config /etc/caddy/Caddyfile

Connecting Clients (Raspberry Pi, etc.)

See the full guide in docs/client-setup.md.

Each client device (Raspberry Pi, NUC, VM, …) gets its own WireGuard VPN connection and can run multiple services. Repeat this for every device you want to connect.

Quick version (per device):

# On your Raspberry Pi
cd client/
mkdir -p wg-config
# Copy the .conf file you downloaded from wg-easy into wg-config/wg0.conf
cp ~/Downloads/my-client.conf wg-config/wg0.conf
docker compose up -d

Add your services to client/docker-compose.yml using network_mode: "service:wireguard-client". Containers attached this way share the WireGuard container's network namespace, so each service must listen on a different port. All of them share the VPN connection and are reachable from the exit node.

Project Structure

├── docker-compose.yml      # Exit node — WireGuard + Caddy
├── caddy/
│   └── Caddyfile           # Caddy routing rules (edit to add domains)
├── client/
│   ├── docker-compose.yml            # Single-exit client WireGuard + your apps
│   └── docker-compose.multi-exit.yml # Multi-exit client (multiple VPN tunnels)
├── docs/
│   ├── client-setup.md         # Detailed client setup guide
│   ├── adding-services.md      # How to extend (WAF, analytics, etc.)
│   └── multiple-exit-nodes.md  # Running multiple exit nodes
├── .env.example            # Exit node config template
└── .gitignore

Extending

This setup is designed to be easy to extend. See docs/adding-services.md for guides on adding:

  • Web Application Firewall (WAF) — add a Coraza WAF layer in Caddy
  • Analytics / monitoring — add Prometheus + Grafana
  • Rate limiting — built-in Caddy rate limiting
  • Access control — Caddy basic auth or IP allowlists
  • Multiple exit nodes — redundancy and geographic distribution

License

MIT

About

easy exit node for vpn connected services
