Documentation

Getting Started

Quick start guide and flag overview.

Get Ghostunnel running with mTLS in 5 minutes using a self-signed CA.

Quick reference for all Ghostunnel command-line flags, grouped by mode.

How Ghostunnel obtains, loads, and rotates certificates.

Supported certificate and key formats, how to prepare them, and how Ghostunnel selects the right loader.

Automatically obtain and renew public TLS certificates via Let's Encrypt or other ACME certificate authorities.

Automatically manage certificates and trusted roots via SPIRE or other SPIFFE-compatible workload identity providers.

Load private keys from hardware security modules via the PKCS#11 interface.

Load certificates and private keys from the macOS Keychain or Windows Certificate Store, including hardware-backed keys.

Protocol configuration and AuthZ to decide who is allowed to connect.

Landlock sandboxing, TLS protocol settings, cipher suites, address restrictions.

Control which clients or servers are allowed to connect based on certificate fields (CN, OU, DNS/URI SAN) or OPA policies.

PROXY protocol, graceful draining, and metrics.

Pass original client connection metadata (IP, TLS version, client certificate) through to plaintext backends using HAProxy's PROXY protocol v2.

How Ghostunnel handles shutdown signals, drains in-flight connections, and force-exits after a timeout.

Expose status, health checks, and metrics in JSON or Prometheus format via the built-in status port.

Running Ghostunnel as a container or as a supervised system service.

Available Docker image variants and tags for running Ghostunnel in containers.

Run Ghostunnel as a systemd service with socket activation, readiness notification, and watchdog support.

Run Ghostunnel as a macOS launchd daemon with socket activation.

Install and manage Ghostunnel as a native Windows service via the Service Control Manager.

Platform-specific man pages with every flag and mode documented.

Complete command-line reference with all flags, modes, and examples.

Complete command-line reference with all flags, modes, and examples.