Self-hosted VPS & container manager.
Containers · Firewall · VPN — from one dashboard, across any number of servers.
The cPanel/Plesk/Coolify alternative built for people who care about security.
One binary per VPS. All traffic encrypted over WireGuard. No SaaS. No cloud lock-in. No Docker daemon.
📦 Containers — Podman rootless, per-organization isolation, survive VPS reboots without Lynx running
🔥 Firewall — Full nftables control from the dashboard, three-layer hierarchy, atomic apply, auto-restore on any tampering
🔒 Networking — All dashboard → agent traffic over WireGuard + mTLS. Cross-VPS scaling via direct agent tunnels — no relay through dashboard
🔑 Encryption — PostgreSQL AES-256 at rest (pg_tde) + per-user envelope encryption (KEK/DEK)
📁 Single binary — No runtime dependencies on the server. No Node.js, no Bun, no Docker Engine. Install one binary, uninstall one binary
🔄 Auto-update — Hourly GitHub Releases check, Ed25519 signature verification before any swap, automatic rollback if the new binary fails to start
Dashboard VPS
├── Frontend ── Next.js (compiled binary, no runtime)
├── Backend ── Rust
│ ├── WireGuard ──► Agent (local, same VPS)
│ ├── WireGuard ──► Agent (remote VPS #1)
│ └── WireGuard ──► Agent (remote VPS #2)
│
└── Each agent: Podman + nftables + WireGuard
Each agent connects to the dashboard over a 1:1 WireGuard tunnel with its own PSK. Agents never talk to each other through the dashboard — cross-VPS scaling uses direct agent-to-agent tunnels.
Firewall hierarchy (nftables)
table inet lynx-agent {
chain lynx-base ← Lynx invariants. Never editable. Auto-restored instantly on any change.
chain lynx-global ← Rules pushed to ALL agents simultaneously
chain lynx-local ← Per-VPS rules for this agent only
}
lynx-base— default deny, WireGuard allowlist, inter-org isolation, anti-spoofinglynx-global— IP blocklists, protocol restrictions — propagated to all agents in parallel; agents offline receive pending rules on reconnectlynx-local— per-VPS port rules, IP allowlists
Horizontal scaling — cross-VPS
Internet → 80/443
↓
lynx-nginx (Agent-1, entry point)
├── replica:1 (Agent-1, local Podman network)
└── WireGuard ──► Agent-2
├── replica:2
└── replica:3
Agent-2 never exposes public ports for the project. All traffic enters through Agent-1 via WireGuard.
curl -fsSL https://raw.githubusercontent.com/Jaro-c/Lynx/main/install.sh | sudo bashThe installer handles everything:
- Detects and removes incompatible software (Docker, firewalld, ufw, iptables)
- Installs Podman, WireGuard, nftables
- Generates all secrets — never written to disk in plaintext
- Starts PostgreSQL → Redis → Backend → Frontend
- Prints a one-time setup URL:
https://YOUR-IP:19443/register?setup_token=<token>
- Dashboard → Connect new VPS → copy the displayed keypair + PSK
- On the new VPS, run the same installer and paste the dashboard data when prompted
- Done — the tunnel is up and the agent appears online in the dashboard
| OS | Ubuntu 22.04+, Debian 12+, Fedora 39+, CentOS/RHEL 9+, Rocky/AlmaLinux 9+ |
| SSH port | Auto-detected — any port works |
| Fixed ports | 19443/TCP (dashboard) · 51820/UDP (WireGuard) — opened automatically. Must be free and allowed by your VPS provider's external firewall if applicable. |
| Root access | Required for install |
| Lynx | Coolify | Dokploy | cPanel / Plesk | |
|---|---|---|---|---|
| Container runtime | Podman (rootless) | Docker | Docker | varies |
| Firewall management | ✅ Full nftables | ❌ | ❌ | Partial |
| VPN between servers | ✅ WireGuard | ❌ | ❌ | ❌ |
| Encryption at rest | ✅ AES-256 (pg_tde) | ❌ | ❌ | ❌ |
| Per-user encryption | ✅ KEK/DEK | ❌ | ❌ | ❌ |
| Signed binary updates | ✅ Ed25519 | ❌ | ❌ | ❌ |
| Runtime dependencies | None | Docker Engine | Docker Engine | Heavy |
| Pricing | Free / self-hosted | Free tier + paid | Free / self-hosted | Paid license |
| SaaS / cloud | Never | Optional | Optional | Optional |
Transport & cryptography
- WireGuard + mTLS — double-layer encryption on all dashboard ↔ agent traffic
- TLS 1.3 minimum — no TLS 1.0/1.1/1.2 accepted anywhere
- Ed25519 — JWT signing, agent command signing, and binary update verification
- Per-agent PSK — each tunnel has its own unique preshared key, rotated automatically
Signed commands & immutable audit log
Every command the dashboard sends to an agent is Ed25519-signed. The agent verifies signature, nonce (replay prevention), and timestamp (< 30s window) before executing anything.
All executed and rejected commands are stored in a hash-chained append-only audit log on the agent, synced to dashboard PostgreSQL in real time. Tampering with any entry is mathematically detectable.
Made with ❤️ by Jaroc