How to Self-Host a Tunnel Relay Server (Docker + Go)

Why Self-Host?

Tryb's managed relay works out of the box. But you might want to self-host if:

• You need data to stay within your network
• You want to customize the firewall rules at the Go level
• You're running in an air-gapped environment
• You just prefer owning your infrastructure

Prerequisites

• A VPS with a public IP (DigitalOcean, Hetzner, AWS EC2, etc.)
• Docker installed
• A Supabase project for auth and data storage

Step 1: Get the Relay Code

# Clone or download the relay/ directory from the Tryb repo
scp -r relay/ root@your-server:/opt/tryb-relay/

Step 2: Configure Environment

Create a .env file:

SUPABASE_URL=https://your-project.supabase.co
SUPABASE_SERVICE_KEY=eyJ...
RELAY_PORT=8000
CORS_ORIGIN=https://your-dashboard.vercel.app

Security note: Set chmod 600 .env so only the owner can read it.

Step 3: Build and Run

docker build -t tryb-relay .
docker run -d \
  --name tryb-relay \
  --restart unless-stopped \
  -p 127.0.0.1:8000:8000 \
  --env-file .env \
  tryb-relay

Note: We bind to 127.0.0.1:8000 (not 0.0.0.0) so the port isn't exposed to the internet. Use a reverse proxy for public access.

Step 4: Add HTTPS with Caddy

apt install caddy

echo 'relay.yourdomain.com {
    reverse_proxy localhost:8000
}' > /etc/caddy/Caddyfile

systemctl restart caddy

Caddy auto-provisions TLS certificates from Let's Encrypt.

Step 5: Point Your Dashboard

Set the environment variable in your Vercel project:

NEXT_PUBLIC_RELAY_URL=https://relay.yourdomain.com

Architecture

Internet -> Caddy (443) -> Go relay (8000) -> WebSocket -> Your agent
                              |
                              v
                          Supabase (auth, queue, logs)

The Go relay handles WebSocket connections, payload firewall scanning, webhook queuing, and human relay.

Related

• Webhook security beyond signatures
• The human relay pattern
• Tryb vs Cloudflare tunnels