gw.run establishes a secure proxy between the public internet and your internal app.
Your application does not need to be exposed to the internet directly and can therefore reside on any machine behind a firewall or NAT.
A lightweight daemon runs alongside your internal application and establishes a secure connection to the gw.run server in the region you specified when creating the tunnel.
When a user makes an HTTP request, gw.run verifies whether the user's browser holds a securely signed session cookie that authenticates the user.
- If the cookie is expired or does not exist, the request is redirected to an authentication endpoint that prompts the user to authenticate using the providers you specified, such as Google, Gmail, Office365.
- gw.run does not collect or store user passwords; authentication happens using the industry-standard OAuth mechanism, and we only receive a secure JWT token, signed by your auth provider, such as Google, that is issued for gw.run specifically to confirm the user's identity and does not provide any access to the user's account.
Once the user is authenticated, gw.run checks whether the user's email is listed in the access control list that you specified in the admin panel for this tunnel.
If the user is authorized to access this tunnel, the request is proxied to your internal application; if not, an error is returned and an audit log record is posted.
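
The request flow described above, sketched as an added example (not gw.run's own code). The HMAC cookie format, the `/auth` path, the 403 error and all names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: signing key held by the proxy
ACL = {"alice@example.com"}        # constructed access control list for one tunnel
AUDIT_LOG = []                     # constructed in-memory audit sink

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_cookie(email: str, ttl: int, now: float) -> str:
    """Issue a signed {email, exp} cookie after a successful OAuth login."""
    payload = _b64(json.dumps({"email": email, "exp": now + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_cookie(cookie, now: float):
    """Return the email if signature and expiry check out, else None."""
    if not cookie or cookie.count(".") != 1:
        return None
    payload, sig = cookie.split(".")
    # Constant-time comparison on bytes; verify before parsing the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("email")

def handle_request(cookie, path: str, now: float) -> str:
    """Decide what happens to one HTTP request arriving at the proxy."""
    email = verify_cookie(cookie, now)
    if email is None:
        return "redirect:/auth"    # missing, forged or expired cookie
    if email not in ACL:
        AUDIT_LOG.append({"ts": now, "email": email, "path": path,
                          "result": "denied"})
        return "error:403"
    return "proxy:" + path         # only now does the request reach the app
```

Authentication and authorization are separate checks here: a validly signed cookie for an email outside the ACL is still refused, and that refusal is what produces the audit record.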
How is gw.run different from a VPN?
VPNs are a legacy of the centralized office environment, where the circle of trust was the inner perimeter of the office.
gw.run follows the modern Zero Trust security model and supports modern deployment environments such as Docker.
Ease of setup
- Your end users do not need to install any client-side software, whereas with a VPN they have to install a VPN client on every device they want to use to access your app.
- Setting up a tunnel does not require root or administrator privileges or any additional setup, and is super easy with the web-based admin panel.
Higher security compared to a VPN
- gw.run does not expose your application directly; instead, it proxies requests to it via a secure HTTPS tunnel with OAuth authentication, and checks whether a particular user is both authenticated and authorized before the request reaches your app.
- A VPN provides access to a wide spectrum of ports and hosts, as a VPN setup is typically reused. gw.run only provides access to your specific application.
- It is easy to provide 3rd party access to your application, and just that, while with VPN it would involve waiting for a
gw.run works for Docker and Kubernetes apps
Please check out Tutorials.