VPN & Tunnels

WireGuard VPN mesh and secure tunnels to connect your local environment.

VPN Mesh

Connect your development machine, office network, or CI/CD systems to RaidFrame's private network using WireGuard.

rf vpn connect

✓ WireGuard tunnel established
  Local IP: 10.8.0.2
  Network:  10.8.0.0/16
  Latency:  12ms to us-east-1

  You can now access:
    pg-main.internal:5432
    redis-cache.internal:6379
    api.internal:8080
    web.internal:3000

Once connected, access any internal service by its private hostname — databases, APIs, workers — as if you were running inside the RaidFrame network.

VPN Configuration

# Generate a WireGuard config file (for third-party clients)
rf vpn config > raidframe.conf

# Import into WireGuard
wg-quick up ./raidframe.conf

# Disconnect
rf vpn disconnect

# View status
rf vpn status

Team VPN

Share VPN access with your team. Each member gets a unique key:

rf vpn invite [email protected] --role read-only
rf vpn invite [email protected] --role full-access

✓ VPN invitation sent to [email protected]
  They can connect with: rf vpn connect --token <token>

Always-On VPN (Office)

For offices that need permanent connectivity:

rf vpn site-to-site --peer-ip 203.0.113.1 --peer-subnet 192.168.1.0/24

This creates a persistent WireGuard tunnel between your office network and RaidFrame. All machines on your office network can access RaidFrame internal services.

Secure Tunnels

Expose your local development server through a public RaidFrame URL:

rf tunnel --port 3000

✓ Tunnel active
  Public URL: https://tunnel-abc123.raidframe.app
  Forwarding: https://tunnel-abc123.raidframe.app → localhost:3000

  Press Ctrl+C to stop

Tunnel Use Cases

  • Webhook testing — give Stripe, GitHub, or Slack a public URL that routes to your local server
  • Client demos — show your work-in-progress to a client without deploying
  • Mobile testing — access your local server from a physical device
  • OAuth callbacks — test OAuth flows that require a public redirect URL

Persistent Tunnel URL

Get a stable URL that doesn't change between sessions:

rf tunnel --port 3000 --subdomain my-dev

✓ https://my-dev.tunnel.raidframe.app → localhost:3000

Tunnel Authentication

Protect your tunnel with basic auth:

rf tunnel --port 3000 --auth user:password

Or restrict to authenticated RaidFrame team members:

rf tunnel --port 3000 --team-only

Inspect Traffic

View all requests passing through the tunnel:

rf tunnel --port 3000 --inspect

14:23:01 POST /webhooks/stripe 200 12ms
14:23:05 GET  /api/health      200  2ms
14:23:12 POST /api/orders      201 45ms
PreviousRegionsNextObservability