GateControl - Server
Your VPN server and reverse proxy — in one interface.
GateControl - Server
GateControl combines WireGuard VPN and Caddy reverse proxy in a single, self-hosted web interface. Connect your devices through an encrypted tunnel and securely expose internal services to the internet — with automatic HTTPS, without opening ports on your home network.
Running a homelab with Proxmox, Docker, or a NAS? Want to access your services from anywhere without setting up VPN for every guest? GateControl solves exactly that: one Docker container replaces the manual configuration of WireGuard, Caddy, certificates, and firewall rules.
For self-hosters and small teams who want full control over their infrastructure — without the complexity of an enterprise VPN or a cloud-based tunnel service.
At a glance
How it compares
| GateControl | Cloudflare Tunnel | Tailscale | |
|---|---|---|---|
| Self-hosted | Yes | No ·Cloudflare servers | Coordination server is cloud |
| Data sovereignty | 100% ·your server | Traffic flows through CF | Peer-to-peer, but coordination via cloud |
| Upload limit | None | 100 MB (Zero Trust) | None |
| Reverse Proxy built-in | Yes ·Caddy with auto HTTPS | Yes | No ·VPN only, Funnel is limited |
| TCP/UDP forwarding | Yes ·L4 proxy (SSH, RDP, DBs) | Limited (Spectrum, paid) | Yes (via VPN) |
| Custom domain SSL | Let's Encrypt ·any domain | CF-managed only | MagicDNS subdomains only |
| Auth per route | Yes ·Basic, OTP, TOTP, 2FA | Yes (Access policies) | No |
| Monitoring & Alerts | Yes ·Uptime, Circuit Breaker | Basic analytics | No |
| Vendor lock-in | None ·standard WireGuard | High ·proprietary tunnel | Medium ·WireGuard-based but proprietary coordination |
| Price | Free Community plan | Free tier, paid for teams | Free for max. 3 users, from $6/user for teams |
Everything you need to manage your network
VPN Peers
Create, manage, and connect WireGuard peers via QR code. Automatic key generation and IP allocation.
HTTP Reverse Proxy Routes
Domain-based reverse proxy routes with automatic HTTPS via Let's Encrypt. Zero-configuration TLS.
Layer 4 Routes (TCP/UDP)
Raw TCP/UDP forwarding for SSH, RDP, databases, and game servers — without requiring the client to be inside the VPN.
Route Authentication & 2FA
Custom login page per route with email & password, OTP via email, or TOTP authenticator. Optional two-factor.
Custom Branding per Route
Customize logo, title, colors, and background image per route login page. Each protected service gets its own branded appearance.
IP Access Control / Geo-Blocking
Whitelist/blacklist per route by IP, CIDR, or country. Geo-blocking with ip2location.io integration.
Peer Access Control (ACL)
Restrict route access to specific VPN peers. Only authorized devices can reach the service — all others are blocked.
Per-Route Rate Limiting
Limit requests per IP to prevent brute-force, scraping, and API abuse. Configurable per route.
Gzip/Zstd Compression
Automatic Gzip/Zstd compression for responses. Typically 60-80% savings on HTML, CSS, JavaScript, and JSON.
From zero to fully connected in minutes
Deploy
One Docker command. GateControl starts with WireGuard, Caddy, and the web interface ready to go.
Connect
Create VPN peers, scan the QR code with your phone, or download the config for your server. Connected in seconds.
Expose
Add a domain, pick a peer, set the port — your service is live with automatic HTTPS. No port forwarding needed.
Ready to take control of your network?
One Docker container. Five minutes to set up. Full control over VPN and reverse proxy.