How to set up and run Remotly Private Relay Server through Docker

mirillis

Administrator
Staff member
To set up your private Remotly Relay Server through Docker in an isolated process space, please follow the tutorial below:

1. Download the Relay image. We provide a multi-arch image for both amd64 and arm64:
docker pull mirillis/remotly-relay

2. Create the RelayGoConfig.json file on your Docker host, adjusting the configuration to your needs:

{
"tlsEnabled": false,
"key": "/srv/remotly-config/key.pem",
"cert": "/srv/remotly-config/crt.pem",
"forceTLS": false,
"domain": "domain assigned to your relay server IP address in DNS",
"port": 443,
"max_bandwidth": 40000000,
"allowed_bandwidth": 30000000,
"password": "PasswordPasswordPasswordPassword"
}

Configuration parameters:

tlsEnabled – Set to true if you want to enable additional TLS encryption.

key – If tlsEnabled is enabled, provide the path to the certificate’s private key, generated by Let’s Encrypt or another certificate issuer. The path must point to the location inside the container image. If the certificate is renewed on your host machine or another Docker container, you need to map that path when running the Docker image using the parameter:
-v host_path_to_certificate:path_to_key_provided_in_RelayGoConfig
In this sample configuration, the private key is placed in the same folder as RelayGoConfig.json.

cert – If tlsEnabled is enabled, provide the path to the certificate. See the instructions above for details.

forceTLS – When tlsEnabled is set to false, this parameter must also be set to false. If forceTLS is set to true, the client will always connect to the server through a TLS connection, and non-TLS connections will be rejected. Remotly always uses end-to-end encryption, but you can enforce additional TLS encryption (note: this consumes extra CPU power and adds slight latency).

domain – If tlsEnabled is enabled, specify the domain for which the certificate has been registered.

port – The port that the relay opens for communication. You can change it, but remember: for the relay to work, you must map this port to a port on your host machine. The value here defines the port inside the container, which will be needed later when running the Docker image.

password – To prevent others from using your Remotly relay as a custom relay, set a password of at least 32 characters. If the password is not long enough, the relay will not start. If you don’t want to use a password, leave this field blank.

3. When the image is downloaded, run it with the following command:

docker run -dp host_external_ip_address:host_relay_port:container_relay_port -v host_path_to_config_folder:/srv/remotly-config --restart=always mirillis/remotly-relay:latest

This command needs a little explanation:

host_external_ip_address – The IP address of the machine on which Docker is running.

host_relay_port – The port on which you want the relay to run.

container_relay_port – The port specified in your RelayGoConfig.json file.

host_path_to_config_folder – The path to the folder on the host machine that contains RelayGoConfig.json. The relay process inside the container always looks for this file at /srv/remotly-config/RelayGoConfig.json. Therefore, you must map the host folder to /srv/remotly-config.

Example (Windows): If Docker is running on Windows and you want to map the folder G:\dockerConfig, you would use the parameter:

-v G:/dockerConfig:/srv/remotly-config

If your RelayGoConfig.json looks like this:
{
"tlsEnabled": true,
"key": "/srv/remotly-config/key.pem",
"cert": "/srv/remotly-config/crt.pem",
"forceTLS": false,
"domain": "domain.remotly.com",
"port": 443,
"max_bandwidth": 40000000,
"allowed_bandwidth": 30000000,
"password": "PasswordPasswordPasswordPasswordPasswordPassword123"
}

And your setup is as follows:

External IP address: 8.8.8.8

Relay should run on port 80

Certificate private key (key.pem), certificate file (crt.pem), and RelayGoConfig.json are placed in G:/dockerConfig

Then the command to run the image will be:

docker run -dp 8.8.8.8:80:443 -v G:/dockerConfig:/srv/remotly-config --restart=always mirillis/remotly-relay:latest

Alternative configuration (separate certificate folder)

If you provided TLS certificates in your RelayGoConfig.json file and they are stored in a different folder than RelayGoConfig.json, you must also map the certificate folder from the host machine to the path specified in the key and cert fields.

{
"tlsEnabled": true,
"key": "/srv/cert/key.pem",
"cert": "/srv/cert/crt.pem",
"forceTLS": false,
"domain": "domain.remotly.com",
"port": 443,
"max_bandwidth": 40000000,
"allowed_bandwidth": 30000000,
"password": "PasswordPasswordPasswordPasswordPasswordPassword123"
}

If the certificate files key.pem and crt.pem are located in G:\certificates on the host machine, the command will be:

docker run -dp 8.8.8.8:80:443 -v G:/dockerConfig:/srv/remotly-config -v G:/certificates:/srv/cert --restart=always mirillis/remotly-relay:latest
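
An added example, not part of the original post or Mirillis' own tooling: a Python pre-flight check that compares RelayGoConfig.json with the docker run command before the container is started, using only the rules stated in this tutorial (password length, forceTLS, port, and -v mappings). The function names are assumptions of this example, and the check for the tutorial's sample password is an extra precaution.

```python
import json
import shlex
from pathlib import PurePosixPath

CONFIG_DIR = PurePosixPath("/srv/remotly-config")  # where the relay looks for its config
PLACEHOLDER = "PasswordPassword"  # start of the sample passwords shown in this tutorial

def parse_docker_run(command):
    """Return (container_port, container-side mount points) from a docker run line."""
    port, mounts = None, []
    tokens = shlex.split(command)
    for flag, value in zip(tokens, tokens[1:]):
        if flag in ("-p", "-dp"):   # ip:host_port:container_port
            port = int(value.rsplit(":", 1)[-1])
        elif flag == "-v":          # rsplit keeps a drive letter (G:/...) on the host side
            mounts.append(PurePosixPath(value.rsplit(":", 1)[-1]))
    return port, mounts

def check_relay(config_text, command):
    """List mismatches between RelayGoConfig.json and the docker run command."""
    cfg = json.loads(config_text)
    port, mounts = parse_docker_run(command)
    problems, password = [], cfg.get("password") or ""
    if not password:
        problems.append("password is blank: others can use this relay as a custom relay")
    elif len(password) < 32:
        problems.append("password is shorter than 32 characters: relay will not start")
    elif password.startswith(PLACEHOLDER):
        problems.append("password is the tutorial's sample value")
    if cfg.get("forceTLS") and not cfg.get("tlsEnabled"):
        problems.append("forceTLS must be false when tlsEnabled is false")
    if cfg.get("port") != port:
        problems.append(f"config port {cfg.get('port')} is not the container port in -p ({port})")
    if CONFIG_DIR not in mounts:
        problems.append(f"no -v mapping to {CONFIG_DIR}")
    if cfg.get("tlsEnabled"):
        if not cfg.get("domain"):
            problems.append("tlsEnabled is true but domain is empty")
        for field in ("key", "cert"):
            path = PurePosixPath(cfg.get(field) or "")
            if not any(mount in path.parents for mount in mounts):
                problems.append(f"{field} path {path} is not under any -v mount")
    return problems

if __name__ == "__main__":  # constructed input: /srv/cert config run without its -v mapping
    cfg = '{"tlsEnabled": true, "key": "/srv/cert/key.pem", "cert": "/srv/cert/crt.pem", "domain": "domain.remotly.com", "port": 443, "password": ""}'
    cmd = "docker run -dp 8.8.8.8:80:443 -v G:/dockerConfig:/srv/remotly-config mirillis/remotly-relay"
    print("\n".join(check_relay(cfg, cmd)))
```

An empty list from check_relay means the config file and the command agree on the points above; it does not check that the certificate files exist or are valid.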

If you are using a 90-day Let’s Encrypt certificate, you should restart the image container every time the certificate is renewed. You can do this with the following command if the certificate is renewed on your host machine:

certbot renew --quiet --post-hook "docker restart container_name"

For example, if the container running the Remotly relay image is named friendly_hellman, the command would be:

certbot renew --quiet --post-hook "docker restart friendly_hellman"

Regardless of the method you use to update the certificate, you should always restart the Docker container running remotly-relay to reload the server certificate. Use the command:

docker restart container_name

Verifying the configuration

If everything is configured properly, you should see the message “OK” after opening the following URL in your browser:

With a domain and certificate:

https://relay_domain:host_relay_port/connectionTest

Example (from the sample configuration):

https://your_relay_domain:80/connectionTest

Without a server certificate:

http://relay_ip_address:host_relay_port/connectionTest

Example (from the sample configuration):


4. Registering the relay

Log in to your account at remotly.com, go to CUSTOM RELAYS, and click Add relay server. Provide:
IP address of your relay server
Port from RelayGoConfig.json
Password (if set)

Once configured, when connecting to another computer with Remotly and Force Connect Anywhere is enabled, you should see only the country code of your relay server.
 