So I built a CLI tool that reverses the connection direction of the hosting server, primarily to create an outbound connection, requiring no listening ports on my homelab gateway. These connection (the server and all clients) needed a rendezvous point where their outbound connections would be tied. I also wanted to avoid issues like complex TLS termination, authentication and possible DDoS attacks on the relay, so it was decided to use WebSockets rather than UDP connections. This provided the possibility to host the relay on the web behind reverse proxies, offloading all other complexities to the battle hardened nginx, while keeping my codebase tiny. Hence BastionRoute was born.
BastionRoute tries to solve one thing and one thing only. To provide a means for a UDP server to initiated outbound connections towards a Websocket relay. In doing so, BastionRoute remains payload agnostic, as long as UDP traffic is flowing, it does not care if its Wireguard traffic or any other software. BastionRoute does not require Wireguard keys to operate, in fact for a Wireguard perspective, only the connection configuration changes, nothing else. Wireguard encryption remains end-to-end. In doing so the relay becomes a blind transport broker.
I loved working on this project and I wanted to share it with the community. Any feedback is much appreciated.