Developers commonly use apps like ngrok, localtunnel, or cloudflared to expose a local web service at a publicly-accessible URL. This is useful for developing with HTTPS or sharing a site preview with a colleague or client.
By utilizing Fly, WireGuard, and a reverse proxy, you can achieve something similar with the added benefits of a custom domain and subdomains mapped to specific ports. Best of all, it’s free as long as you stay within Fly’s generous limits.
Follow the instructions for your OS. After installation, run fly auth login
to sign up or sign in.
Install WireGuard for your OS. Next, run fly wireguard create
to create a WireGuard config. Save it as Fly.conf
. Run fly wireguard list
to get your region and peer IPv6 address.
Note: The default config sets Fly as your DNS resolver. If you don’t need Fly’s internal DNS features, edit Fly.conf
and comment out the DNS line with a pound sign (#
).
Finally, set up the tunnel in WireGuard:
- On Mac or Windows, open the WireGuard app and click
Import Tunnel(s) from File
. Once imported, clickActivate
to connect. - On Linux, use the command line.
Download and open this repo. Run fly launch
to create the app. Give it a name and select the same region as your WireGuard connection from step 2. Don’t deploy yet.
The reverse proxy is configured using two environment variables:
SUBDOMAINS
: A comma-separated list in the formatsubdomain:local_port
. An underscore (_
) matches the default (catch all) domain.UPSTREAM
: The private IPv6 address of your local machine on the WireGuard network from step 2.
Edit fly.toml
and update the [env]
section with your values:
[env]
SUBDOMAINS = "_:8000"
UPSTREAM = "your-peer-ip"
Run fly deploy
. Once the app is deployed, you should have a tunnel from https://your-app-name.fly.dev
to port 8000
on your local machine.
Visit the Apps dashboard and select your app. Under the Certificates section, follow the instructions to add a custom domain. You can also add a wildcard subdomain, but this incurs a monthly fee. To map subdomains to local ports, update your fly.toml
and re-run fly deploy
. Example:
[env]
SUBDOMAINS = "_:8000,app1:9001,app2:9002"
UPSTREAM = "your-peer-ip"
All traffic is proxied over IPv6, so your local web service should bind to an IPv6 address. To take down the tunnel and prevent traffic from reaching your machine, simply deactivate the WireGuard tunnel.