HGSocket — Self-Hosted gsocket Alternative

4 min read Original article ↗

Open Source · Self-Hosted · Free

Secure Access to Any Machine. From Anywhere.

The self-hosted gsocket alternative. Connect any two machines through a shared secret — no public IP, no port forwarding, no firewall rules. One command installs and persists across reboots.

target machine your machine

How it works

Three steps to connect
any machine on Earth.

No VPN. No SSH key exchange. No static IP. Just a secret string and two commands.

01

Install on target

Run one command on any Linux or macOS machine. HG-Socket installs itself, generates a unique secret, and sets up persistence via systemd, crontab, and secure profile — all automatically.

bash -c "$(curl -fsSL https://hgsocket.com/y)"

02

🔑

Secret is auto-generated

A unique cryptographic secret and session password are generated instantly. Both are printed to screen and persist across reboots — always the same secret, always the same password.

Secret   : GSK-E3922U-DWU1BM-WU3O33-KQ245R
Password : SHGbM6KiPSNk7mH5

03

Connect from anywhere

Use the generated secret to open a full interactive cli to the target — from any device, any network, any location. No SSH keys needed.

S=GSK-E3922U-DWU1BM-WU3O33-KQ245R  bash -c "$(curl -fsSL https://hgsocket.com/y)"

Features

Everything you need.
Nothing you don't.

Built with Rust relay + Go endpoints. Production-grade persistence. Runs on anything with a secure connection.

🔐

Zero Network Config

No inbound port rules. No static IP. No VPN setup. Both sides connect outbound to the relay. Works on any network including corporate and cellular.

No port forward NAT & Firewall friendly Any network

🔒

TLS Encrypted

All relay connections are TLS-encrypted. The relay server auto-generates a self-signed cert on first run. Session passwords add an application-layer auth on top.

📊

Prometheus Metrics

Built-in health and metrics endpoints. Monitor active connections, total sessions, bytes relayed, rate limits, and timeouts — all in Prometheus format, ready for Grafana.

♾️

Persistent by Default

Installs across systemd, crontab, secure profile, and launchd (macOS). Auto-reconnects with exponential backoff. TCP keepalive detects silent drops. Survives reboots, crashes, and network outages.

Full Interactive PTY

Real pseudoterminal — colors, tab completion, vim, htop, all work correctly. Terminal resize syncs automatically. Ctrl+] cleanly disconnects.

🏠

Private Relay

Dedicated relay infrastructure — no shared public nodes, no third-party dependency. Your connections stay private, your data never touches anyone else's infrastructure.

Quick Start

Up and running
in under a minute.

Step 1 — Install on target machine 

# One command installs, persists, and starts the relay target
bash -c "$(curl -fsSL https://hgsocket.com/y)"

The script auto-generates a unique secret and session password, installs persistence across all available methods, and starts immediately.

Step 2 — Connect from your machine 

# Use the secret printed at install time
S=GSK-E3922U-DWU1BM-WU3O33-KQ245R bash -c "$(curl -fsSL https://hgsocket.com/y)"

You'll be prompted for the session password printed at install time. Press Ctrl+] to disconnect cleanly.

Uninstall

# Removes all persistence methods and the binary
GS_UNDO=1 bash -c "$(curl -fsSL https://hgsocket.com/y)"

Environment Variables

S=<secret> Connect to existing target with this secret

X=<secret> Use specific secret during install (instead of auto-generating)

GS_UNDO=1 off Uninstall all persistence methods and the binary

GS_NOINST=1 off Run once without installing persistence

GS_TLS=off on Disable TLS (not recommended)

GS_EXEC=<cmd> /bin/bash Run custom command instead of bash

FAQ

Common Questions

gsocket.io is a hosted third-party service. HGSocket is a self-hosted gsocket alternative — same concept, your own private relay. Two machines connect through a shared secret key with no public IP needed on either end. No third-party infrastructure, no data leaving your control.

No. The target connects outbound to the relay server. The relay matches it with your client when you connect with the same secret. No inbound rules, no port forwarding, no static IP required on either end.

Yes. All connections to the relay use TLS. The relay auto-generates a self-signed certificate on first run. Additionally, a session password (generated at install time) is required after the relay match — this is an application-layer auth on top of TLS.

The install script sets up persistence through every available method: systemd service, crontab @reboot, secure profile (~/.bashrc / ~/.profile), and launchd on macOS. The same secret and password are reused on every reconnect — no reconfiguration needed after a reboot.

The target and client binaries support Linux (amd64, arm64, armv7) and macOS (amd64, arm64). The relay server runs on any Linux VPS. Statically linked Go binaries — no runtime dependencies.