RootlessRelay
March 2, 2026 ยท View on GitHub
A WebSocket based VPN/proxy relay for virtual machines.
Features
- Secure Communication: Supports secure WebSockets (WSS) for encrypted data transfer.
- Dynamic IP Allocation: Built-in DHCP-like server to automatically assign IP addresses to virtual machines.
- VM-to-VM Networking: Allows virtual machines on the same relay to communicate communicate with each other (configurable).
- Admin Interface: A web-based UI to monitor active sessions and manage proxy rules.
- HTTP Proxying: Reverse proxy functionality to expose services from VMs to the host network.
- Rate Limiting: Configurable bandwidth limits for each connected VM.
Configuration
These default values can be overridden by setting corresponding environment variables.
General Settings
| Setting | Purpose | Default |
|---|---|---|
RATE_LIMIT_KBPS | Maximum upload/download bandwidth for each VM in kilobytes per second. | 1024 |
MAX_CONNECTIONS_PER_IP | Maximum number of concurrent WebSocket connections from a single IP. | 4 |
ENABLE_WSS | Use Secure WebSockets (WSS). Requires cert.pem and key.pem. | true |
ENABLE_VM_TO_VM | Allow VMs on the same relay to communicate with each other. | true |
LOG_LEVEL | Controls logging verbosity. 0 (Disabled), 1 (Debug), 2 (Trace). | 1 (Debug) |
Network & Port Settings
| Setting | Purpose | Default |
|---|---|---|
GATEWAY_IP | IP address of the virtual gateway within the VM's network. | 10.0.2.2 |
DHCP_START | The starting IP address for the DHCP pool (last octet). | 15 |
DHCP_END | The ending IP address for the DHCP pool (last octet). | 254 |
DNS_SERVER_IP | DNS server provided to VMs via DHCP. | 8.8.8.8 |
TCP_WINDOW_SIZE | TCP window size for connections to/from the VM. | 10240 |
WS_PORT | Port for the WebSocket server. | 8443 (WSS) / 8086 (WS) |
WS_BIND_ADDRESS | IP address for the WebSocket server to bind to. | 0.0.0.0 |
ADMIN_PORT | Port for the web-based admin interface. | 8001 |
ADMIN_BIND_ADDRESS | IP address for the admin interface to bind to. | 127.0.0.1 |
PROXY_PORT | Port for the HTTP reverse proxy server. | 8080 |
PROXY_BIND_ADDRESS | IP address for the reverse proxy to bind to. | 127.0.0.1 |
How to use
1. Installation
This project requires Node.js. You can install the dependencies using npm:
npm install
2. Generating SSL/TLS key pair (for WSS)
For secure WebSockets (WSS), you need to generate a private key and a certificate. You can generate a self-signed pair using the following npm script:
npm run keygen
This will create key.pem and cert.pem in your project directory. When prompted,
you can leave the fields for distinguished name blank.
Alternatively, you can run the openssl command directly.
This is useful if you want to use different settings:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
3. Running the relay
Once the dependencies are installed and you have your key pair (if using WSS), you can start the relay server:
npm start
| In the browser you will use the relay first visit https://127.0.0.1:8443 and | trust the certificate you created.
The server will start, and you can see log output in your console.
4. Admin UI
The project includes a simple web-based admin UI. By default, it's available at http://localhost:8001.