20: Warpgate - SSH Bastion Host

Warpgate is a modern SSH/RDP bastion host providing centralized access control, session recording, and web-based management. It acts as a gateway for all SSH connections, reducing the attack surface by eliminating direct server access. Instead of connecting directly to your server, you connect through Warpgate, which adds an extra layer of security and makes it easier to manage who can access what.

For protocol specifications, advanced features and configuration, API documentation, and technical details, see the official Warpgate documentation.

Why Warpgate?

  • Secure SSH gateway - All SSH connections go through Warpgate
  • Web-based management - Easy-to-use web interface for managing access
  • User access control - Control who can access which servers
  • Session recording - Keep track of SSH sessions for security
  • No direct server access - Server SSH port can be closed, only Warpgate port open
  • Centralized access - Manage all SSH access from one place
  • Better security - Reduces attack surface by closing direct SSH access

Prerequisites

  • Docker installed and running (Chapter 3)
  • Docker Compose (Chapter 3)
  • Optional: Traefik installed (from Chapter 4) for HTTPS access with Let's Encrypt
  • Optional: Domain configured (from Chapter 4.5), e.g., warpgate.example.com
  • Firewall access - Ability to open port 2222 (SSH bastion) and optionally close port 22

Note: Warpgate works great with Traefik and a domain name. Having a friendly URL like warpgate.yourdomain.com makes it easy to access the web management interface.

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Warpgate → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install

# With domain (Traefik mode)
export WARPGATE_DOMAIN="warpgate.example.com"
export WG_USE_TRAEFIK="true"
sudo -E bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install

# Standalone mode
export WG_USE_TRAEFIK="false"
export WG_PORT="8888"
sudo -E bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install

# With domain argument
sudo bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install warpgate.example.com

Step 2: Install Warpgate

  1. Go to 📱 APPLICATIONS
  2. Select Warpgate
  3. Choose Install Warpgate

Using the Infinity Tools GUI

  • Use ↑/↓ to move, Enter to select, Esc to go back
  • Look for the turquoise cursor indicating the current selection
  • Each screen shows a short description at the top explaining what's needed

Step 2.1: Choose

You'll see two options. Here's what each means:

  • Traefik (recommended)
    • What it is: Uses your domain name with a trusted HTTPS certificate from Let's Encrypt
    • What you need: A subdomain (e.g., warpgate.yourdomain.com) pointing to your server (see Chapter 4.5)
    • What you get: Professional URL like https://warpgate.yourdomain.com with trusted SSL
    • Pick this if: You have a domain and want secure, easy access (recommended)
  • Standalone
    • What it is: Uses HTTPS with a self-signed certificate and direct port access
    • What you need: Just a free port (default: 8888)
    • What you get: URL like https://SERVER_IP:8888 with a self-signed certificate warning you must accept once
    • Pick this if: You don't have a domain or prefer direct access
  • Simple rule of thumb: Use Traefik if you have a domain (recommended). Use Standalone if you don't have a domain.

Step 2.2: Domain Configuration (Traefik Mode)

If you chose Traefik, you'll be asked for your domain:

  • What it is: The subdomain where Warpgate will be accessible
  • Example: warpgate.yourdomain.com
  • Important: DNS must already point to your server (see Chapter 4.5)

Step 2.3: Port Configuration (Standalone Mode)

If you chose Standalone, you'll be asked for a port:

  • Default: 8888
  • What it is: The port for the web interface
  • Note: SSH port (2222) is always exposed directly

What Happens During Installation

  • Warpgate container is created
  • Data directory is set up
  • Web interface becomes accessible
  • SSH gateway starts on port 2222
  • Interactive setup prompts for admin credentials

Step 3: Set Up Admin Account

After installation, Warpgate will run an interactive setup. You'll be prompted to create an admin account:

Admin Setup Prompts

  • Admin username: Choose a username for the admin account (e.g., admin)
  • Admin password: Choose a strong password (you'll use this to log into the web interface)
  • Confirm password: Enter the password again to confirm

⚠️ IMPORTANT: Save these credentials immediately! You'll need them to access the web interface.

Architecture

Container

  • warpgate - Warpgate container (ghcr.io/warp-tech/warpgate:latest)

Ports

  • 2222 - SSH bastion port (exposed directly, TCP)
  • 8888 - Web interface port (via Traefik or standalone, HTTPS)

Data Persistence

  • Data: /opt/speedbits/warpgate/data/ (configuration, database)
  • Config: /opt/speedbits/warpgate/data/warpgate.yaml (main configuration)
  • Database: /opt/speedbits/warpgate/data/db/ (SQLite database)
  • SSL: /opt/speedbits/warpgate/ssl/ (standalone mode certificates)

Deployment Modes

Traefik Mode (Default)

Uses Traefik for SSL termination and domain routing:

  • Automatic Let's Encrypt certificate provisioning
  • Domain-based access: https://warpgate.example.com
  • SSH bastion: ssh -p 2222 user@warpgate.example.com
  • Requires: Traefik running, DNS A record configured

Standalone Mode

Direct access with HTTPS (self-signed):

  • HTTPS: https://SERVER_IP:8888 (self-signed cert)
  • SSH bastion: ssh -p 2222 user@SERVER_IP
  • Default web UI port: 8888 (configurable)
  • No domain required

Installation Process

Configuration Steps

  1. SSL Mode Selection: Choose Traefik or Standalone
  2. Domain Configuration: If Traefik, specify domain (e.g., warpgate.example.com)
  3. Port Configuration: If Standalone, specify web UI port (default: 8888)
  4. Container Creation: Warpgate container created and started
  5. Interactive Setup: Admin account creation via warpgate setup command

What Gets Created

  • Directory: /opt/speedbits/warpgate
  • Container: warpgate
  • Docker Compose: /opt/speedbits/warpgate/docker-compose.yml
  • Configuration: /opt/speedbits/warpgate/data/warpgate.yaml
  • Database: SQLite database in /opt/speedbits/warpgate/data/db/

Access Methods

Traefik Mode

# Web interface
https://warpgate.example.com

# SSH bastion
ssh -p 2222 user@warpgate.example.com

Direct web access is available after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode

# Web interface
https://SERVER_IP:8888

# SSH bastion
ssh -p 2222 user@SERVER_IP

Accept self-signed certificate warning (Advanced → Proceed).

Initial Setup

Admin Account Creation

After container creation, Warpgate runs interactive setup:

docker run --rm -it \
  -v /opt/speedbits/warpgate/data:/data \
  ghcr.io/warp-tech/warpgate:latest \
  setup

Prompts:

  • Admin username: Username for admin account
  • Admin password: Password for admin account
  • Confirm password: Password confirmation

Configuration File

After setup, configuration is stored in:

/opt/speedbits/warpgate/data/warpgate.yaml

File permissions: 600 (owner: uid 1000)

    Authentication

    Web Interface Authentication

      • Username/password authentication
      • Admin account created during setup
      • Additional users created via web interface

    Step 4: Access Warpgate

    If Using Traefik

      • Wait 30-60 seconds for SSL certificate generation
      • Open https://warpgate.yourdomain.com in your browser
      • You'll see the Warpgate login page

    If Using Standalone

    1. Open https://SERVER_IP:8888 in your browser
    2. You'll see a security warning (normal for self-signed certificates)
    3. Click "Advanced" → "Proceed to site" to continue
    4. You'll see the Warpgate login page

    Step 5: Login to Web Interface

    1. Enter the admin username you created during setup
    2. Enter the admin password you created during setup
    3. Click "Login"
    4. You'll see the Warpgate dashboard!

    Step 6: Understanding Warpgate

    Warpgate acts as a gateway (or "bastion") between you and your server:

    How It Works

    • Before Warpgate: You connect directly to your server via SSH (port 22)
    • With Warpgate: You connect to Warpgate (port 2222), which then connects you to your server
    • Benefits: All SSH access goes through Warpgate, making it easier to manage and secure

    What You Can Do

    • Manage users - Add users who can access servers through Warpgate
    • Control access - Decide which users can access which servers
    • View sessions - See who's connected and what they're doing
    • Record sessions - Keep logs of SSH sessions for security
    • Manage targets - Add servers that users can connect to

    Step 7: Add Your First Target (Server)

    Before users can connect, you need to add a "target" (the server they'll connect to):

    Adding a Target

    1. In the web interface, go to "Targets" or "Servers"
    2. Click "Add Target" or the "+" button
    3. Enter target details:
      • Name: A friendly name (e.g., "My Server")
      • Host: The server's IP address or hostname (usually localhost or 127.0.0.1 for the same server)
      • Port: SSH port (usually 22)
      • Username: The SSH username (e.g., your server username)
    4. Click "Save" or "Create"

    For Same-Server Access

    If Warpgate is running on the same server you want to access:

    • Host: localhost or 127.0.0.1
    • Port: 22 (or your server's SSH port)
    • Username: Your server username

    SSH Bastion Authentication

    • Warpgate username/password authentication
    • After authentication, user selects target
    • Warpgate connects to target using configured SSH credentials

    Target Configuration

    Adding Targets

    Targets are servers that users can connect to through Warpgate:

      • Name: Friendly name for the target
      • Host: IP address or hostname (use localhost or 127.0.0.1 for same server)
      • Port: SSH port (usually 22)
      • Username: SSH username for the target
      • Key-based auth: Optional SSH key configuration

    Same-Server Target

    For accessing the server where Warpgate runs:

    • Host: localhost or 127.0.0.1
    • Port: 22 (or custom SSH port)
    • Username: Server username

    User Management

    Web Interface

    • Create users via web interface
    • Assign access to specific targets
    • Manage user permissions
    • View user sessions

    User Access Control

    • Users can only access targets they're granted access to
    • Access can be granted/revoked per user per target
    • Session recording available per user/target

    SSH Connection Flow

    Connection Process

    1. Client connects to Warpgate on port 2222
    2. Warpgate authenticates user (username/password)
    3. After authentication, Warpgate presents available targets
    4. User selects target
    5. Warpgate connects to target using configured credentials
    6. Session is established and optionally recorded

    SSH Command

    # Traefik mode
    ssh -p 2222 warpgate-user@warpgate.example.com

    # Standalone mode
    ssh -p 2222 warpgate-user@SERVER_IP

    Security Configuration

    Access Security

    • Traefik mode uses Let's Encrypt SSL (production-ready)
    • Standalone HTTPS uses self-signed certificates (acceptable for internal use)
    • SSH bastion port (2222) exposed directly
    • Direct SSH port (22) can be closed after Warpgate setup

    Firewall Best Practices

    # Open Warpgate SSH bastion port
    sudo ufw allow 2222/tcp

    # Close direct SSH (after testing Warpgate)
    sudo ufw delete allow 22/tcp

    # Open web interface port (if standalone)
    sudo ufw allow 8888/tcp

    Step 8: Add Users

    Now add users who can connect through Warpgate:

    Adding a User

    1. In the web interface, go to "Users"
    2. Click "Add User" or the "+" button
    3. Enter user details:
      • Username: A username for Warpgate (e.g., "john")
      • Password: A password for this user
      • Email: Optional email address
    4. Click "Save" or "Create"

    Granting Access

    After creating a user, grant them access to targets:

    1. Go to the user's profile
    2. Find "Access" or "Targets" section
    3. Select which targets this user can access
    4. Save the changes

    Step 9: Connect via SSH Through Warpgate

    Now you can connect to your server through Warpgate:

    SSH Connection

    ssh -p 2222 warpgate-user@warpgate.yourdomain.com

    Or if using standalone mode:

    ssh -p 2222 warpgate-user@SERVER_IP

    What Happens

    1. You connect to Warpgate on port 2222
    2. Warpgate asks for your Warpgate username and password
    3. After authentication, Warpgate shows you available targets
    4. You select which target (server) you want to connect to
    5. Warpgate connects you to that server

    First-Time Connection

    On your first connection, you'll see:

    • Warpgate login prompt
    • Enter your Warpgate username and password
    • List of available targets
    • Select a target to connect
    • You're now connected to your server!

    Step 10: Security Best Practices

    Close Direct SSH Access

    Once Warpgate is working, you can close direct SSH access to your server:

    # Close port 22 (direct SSH)
    sudo ufw delete allow 22/tcp

    # Keep port 2222 open (Warpgate SSH)
    sudo ufw allow 2222/tcp

    ⚠️ WARNING: Only do this after testing Warpgate! Make sure you can connect through Warpgate before closing port 22.
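
The conditions this page sets for closing port 22 (2222/tcp allowed in ufw, warpgate.yaml at mode 600 owned by uid 1000, bastion answering on 2222) can be checked in one pass before the rule is removed. The script below is an added example, not part of Infinity Tools or Warpgate; the function names are hypothetical, it assumes GNU stat and nc are installed, and SAMPLE_UFW_STATUS is constructed output.

```shell
#!/bin/sh
# Preflight before `sudo ufw delete allow 22/tcp` (added example; names are hypothetical).

# Constructed sample of `ufw status` output for a host where port 22 is already closed.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
8888/tcp                   ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)'

# True if the status text has an ALLOW rule for exactly PORT/tcp.
# A plain `grep 22` would also match the 2222 line, so compare the whole first field.
ufw_allows() {  # $1 = `ufw status` text, $2 = port
    printf '%s\n' "$1" |
        awk -v want="$2/tcp" '$1 == want && $2 == "ALLOW" { ok = 1 } END { exit !ok }'
}

# True if FILE is a regular file with mode 600 owned by UID (GNU stat syntax).
config_locked_down() {  # $1 = path, $2 = expected owner uid
    [ -f "$1" ] && [ "$(stat -c '%a %u' "$1")" = "600 $2" ]
}

# True if something accepts TCP connections on HOST:PORT. This proves the listener
# only; an interactive login through Warpgate still has to be tested by hand.
bastion_listening() {  # $1 = host, $2 = port
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Run all checks, report each failure, return 0 only if every check passed.
preflight() {  # $1 = host, $2 = config path, $3 = `ufw status` text
    rc=0
    ufw_allows "$3" 2222 || { echo "FAIL: no ALLOW rule for 2222/tcp"; rc=1; }
    config_locked_down "$2" 1000 || { echo "FAIL: $2 is not mode 600, uid 1000"; rc=1; }
    bastion_listening "$1" 2222 || { echo "FAIL: nothing listening on $1:2222"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: port 22 rule can be removed"; fi
    return "$rc"
}

# Usage: sudo sh preflight.sh --run SERVER_IP
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-127.0.0.1}" /opt/speedbits/warpgate/data/warpgate.yaml "$(ufw status)"
fi
```

Run it from the server while the existing port 22 session is still open, so a failed check can be fixed without losing access.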

    Firewall Configuration

    • Open port 2222 - Required for Warpgate SSH access
    • Open port 80/443 - If using Traefik (for web interface)
    • Open port 8888 - If using standalone mode (for web interface)
    • ⚠️ Close port 22 - After testing Warpgate (optional but recommended)

    User Management

    • Use strong passwords - For both admin and user accounts
    • Limit access - Only grant access to targets users need
    • Regularly review users - Remove users who no longer need access
    • Monitor sessions - Check who's connecting and when

    Container Security

    • Runs as uid 1000 (non-root)
    • Data directory mounted with proper permissions
    • Configuration file secured (600 permissions)

    Environment Variables

    Standalone Mode

    • WARPGATE_HTTP_LISTEN - HTTP listen address (default: 0.0.0.0:8888)
    • WARPGATE_SSH_LISTEN - SSH listen address (default: 0.0.0.0:2222)

    Troubleshooting

    Web Interface Issues

    • Traefik mode: Wait 30-60 seconds after installation for SSL certificate generation
    • Standalone mode: Accept the self-signed certificate warning
    • Check container status: Run docker ps | grep warpgate to see if it's running
    • View logs: Run docker logs warpgate to see error messages
    • Verify configuration: cat /opt/speedbits/warpgate/data/warpgate.yaml
    • Check file permissions: ls -la /opt/speedbits/warpgate/data/

    SSH Connection Issues

    • Verify firewall: Make sure port 2222 is open: sudo ufw status | grep 2222
    • Test connectivity: nc -v SERVER_IP 2222
    • Check user credentials in web interface: Verify you're using the correct Warpgate username and password
    • Verify target configuration: Make sure the target server is configured correctly
    • Check user access permissions: Verify the user has access to the target

    Forgot Admin Password

    • You'll need to reinstall Warpgate with --deleteall flag
    • This will wipe all data and let you create a new admin account
    • Make sure to back up any important data first!

    Target Connection Failures

    • Verify target host/IP is correct
    • Check target SSH port (usually 22)
    • Verify target username
    • Test direct connection to target to verify it's accessible
    • Check SSH key configuration (if using key-based auth)

    Production Considerations

    • Access Method: Use Traefik mode for production (trusted SSL)
    • Firewall: Close direct SSH port (22) after Warpgate verification
    • User Management: Regularly review and remove unused users
    • Session Recording: Enable for security auditing
    • Monitoring: Monitor SSH sessions and access patterns
    • Backup: Backup configuration and database regularly
    • Updates: Re-run install script periodically for updates

    Integration with Infinity Tools

    Warpgate complements Infinity Tools by providing:

    • Centralized SSH access management
    • Secure gateway for all server access
    • Session recording and auditing
    • User access control
    • Open only Warpgate SSH port (2222) publicly
    • Close direct SSH port (22) after testing
    • Use Traefik for web interface HTTPS
    • Enable session recording for security
    • Regularly audit user access

    Advanced Configuration

    Custom Ports

    # Custom web UI port (standalone)
    export WG_PORT="9999"
    sudo -E bash setup-warpgate.sh --install
    
    # SSH port is always 2222 (exposed directly)

    Where to Find Warpgate After Install

    • On the finish screen, Infinity Tools prints the web interface URL
    • You can also see it in 📊 STATUS & HEALTH → STATUS
    • Check the installation directory: /opt/speedbits/warpgate
    • Configuration file: /opt/speedbits/warpgate/data/warpgate.yaml
    • Database: /opt/speedbits/warpgate/data/db/

    Configuration File

    Edit configuration directly:

    # Backup first
    cp /opt/speedbits/warpgate/data/warpgate.yaml /opt/speedbits/warpgate/data/warpgate.yaml.backup

    # Edit configuration
    nano /opt/speedbits/warpgate/data/warpgate.yaml

    # Restart container
    docker restart warpgate

    Managing Warpgate

    Adding More Users

    Simply repeat Step 8 for each user you want to add. Each user can have access to different targets.

    Adding More Targets

    Add more servers by repeating Step 7. Users can then be granted access to these new targets.

    Viewing Sessions

    The web interface shows active SSH sessions, including who's connected and what they're doing.

    Session Recording

    Warpgate can record SSH sessions for security auditing. Check the settings in the web interface.

    Enabling Recording

    Session recording can be enabled per user or per target in the web interface. Recorded sessions are stored in the database and can be reviewed for security auditing.

    User Management Script

    Infinity Tools provides a helper script for creating system users:

    sudo bash /opt/InfinityTools/Infrastructure/add-warpgate-user.sh

    This script creates a warpgate system user with SSH key access. Edit the script to add your SSH public key before running.

    You're Ready!

    Warpgate is now installed and ready to use! Remember:

    • 🔐 Save your admin credentials securely
    • 🚪 Connect via port 2222 (not port 22)
    • 👥 Add users and grant them access to targets
    • 🛡️ Close port 22 after testing (optional but recommended)
    • 📊 Monitor sessions in the web interface
    • 🔒 Use strong passwords for all accounts

    Next Steps

    Warpgate is now operational. Use it to:

    • Add targets (servers) users can connect to
    • Create users and assign access to targets
    • Connect via SSH through Warpgate
    • Monitor sessions and access
    • Close direct SSH access (port 22) for better security

    For advanced features, API documentation, and development guides, refer to the official Warpgate documentation.