Overview
Discover what makes Warpgate powerful
Warpgate is a self‑hosted bastion platform that transparently forwards SSH, HTTPS, MySQL, and PostgreSQL traffic without requiring any client‑side agents or wrappers. Built entirely in Rust with a single statically linked binary, it emphasizes safety, low runtime overhead, and minimal external dependencies. The service runs on a DMZ or bastion host and exposes configurable ports for each protocol; users authenticate against an internal SQLite/PG database or via OpenID Connect, after which Warpgate establishes a direct tunnel to the target host. All traffic is recorded in real‑time and replayable through an integrated web UI, providing auditability without modifying client configurations.
Architecture & Technical Stack
- Language: Rust 1.80+ (fully safe, no unsafe blocks exposed)
- Runtime: Single binary, no dynamic libraries
- Networking: Asynchronous I/O with tokio; multiplexed TLS via rustls for HTTPS, native SSH handling through the ssh2 crate
- Datastore: Optional SQLite for lightweight deployments; PostgreSQL for production; schema‑managed via sqlx migrations
- Web UI: Actix‑web based API serving a React front‑end (bundled into the binary)
- Auth: Local credential store, TOTP via otpauth, OpenID Connect integration using the openidconnect crate
- Session Recording: Binary‑encoded event stream stored in local file system or S3-compatible object store; replayed by the UI using a WebSocket bridge
The core process listens on user‑defined ports, performs TLS/SSH handshakes, authenticates the incoming request, and then spawns a bi‑directional proxy that forwards packets to the target endpoint. The proxy layer is fully transparent: clients see no difference between a direct connection and one routed through Warpgate.
Core Capabilities & APIs
- Protocol Support: SSH (including agent forwarding), HTTPS, MySQL, PostgreSQL
- Transparent Forwarding: No client configuration changes; credentials are passed via URL query parameters or SSH key annotations
- Audit & Replay: Live session view, replay feature, and export to zip/tar
- Webhooks: Trigger on session start/end, authentication failures, or recording uploads
- REST API: CRUD for users, hosts, and URL mappings; pagination, filtering, and role‑based access
- SDKs: OpenAPI spec available; community Rust & Go clients under development
Deployment & Infrastructure
Warpgate is designed for containerized environments and bare‑metal hosts alike. Docker images are available on the official registry, with an optional docker-compose example that mounts a shared volume for recordings. The binary can be run as a systemd service, or embedded in an init container on Kubernetes with hostNetwork: true for port exposure. Horizontal scaling is achieved by running multiple instances behind a load balancer; each instance shares the same database and recording store to maintain session consistency. The single‑binary nature reduces attack surface and simplifies patch management.
Integration & Extensibility
- Plugin System: Custom authentication plugins can be loaded via dynamic library hooks (dlopen) without recompiling the core
- Webhooks & Callbacks: Expose JSON payloads for integration with SIEM, Slack, or custom audit tools
- SSO & MFA: Native support for OpenID Connect and TOTP; can be extended with custom OIDC providers
- Custom Routing Rules: Declarative YAML/JSON configuration allows fine‑grained host/url mapping, TLS termination policies, and rate limiting
Developer Experience
Warpgate’s configuration is generated through an interactive CLI (warpgate setup) and can be overridden with environment variables. The documentation is API‑first, featuring an OpenAPI spec, Swagger UI in the admin panel, and example request/response snippets. Community support is active via Discord and GitHub Discussions; the project follows semantic versioning, with nightly builds for early adopters. The Rust codebase is well‑structured, heavily commented, and audited by the community, making it approachable for developers familiar with async Rust.
Use Cases
- Enterprise Bastion: Replace jump hosts with a single, auditable gateway for SSH and database access
- DevOps Pipelines: Provide temporary, time‑bound credentials to CI/CD runners without exposing internal IPs
- Compliance Auditing: Real‑time session monitoring and replay for SOC 2, HIPAA, or PCI DSS requirements
- Remote Team Collaboration: Securely expose internal services to contractors while keeping them behind a transparent proxy
Advantages Over Alternatives
- Zero‑Dependency Binary: Simplifies deployment and reduces runtime risk compared to multi‑service stacks
- Native Rust Performance: Low latency proxying and minimal CPU/memory footprint, ideal for high‑volume environments
- Transparent Forwarding: No client configuration changes—great for legacy systems or non‑technical users
- Open Licensing: MIT‑licensed, no vendor lock‑in; fully self‑hostable
- Extensibility: Plugin hooks and webhooks allow integration with existing tooling without modifying the core
In summary, Warpgate offers a lightweight, secure, and highly extensible bastion solution that caters to developers who need a transparent gateway with robust auditing, all