## Should I Self-Host a Nestri Relay?

If you want to use and enjoy the simplicity of the Nestri ecosystem, then you should not set up the Nestri Relay locally. Our free BYOG (Bring Your Own GPU) plan includes free shared relay access, which we highly recommend for those who want to start playing quickly on their own hardware without additional setup.

However, if you prefer to install and manage the Nestri Relay yourself, there are some important considerations to keep in mind.

### Important Considerations for Self-Hosting Nestri Relay

1. WebRTC and Firewall Issues
  * WebRTC, by default, attempts to access your public IP even if both the relay and Nestri Node are on the same local network.
  * This behavior can cause firewalls to block traffic, as the connection may attempt to access itself, resulting in connection failures.
  * Unordered Third
2. Recommended Deployment Strategy
  * Instead of hosting the relay on your local network, we strongly recommend deploying the Nestri Relay on a VPS (Virtual Private Server) in the cloud.
  * Using a cloud-based VPS minimizes potential firewall conflicts and ensures a more stable connection between your Nestri Node and the relay.

If you're set on self-hosting despite the potential challenges, proceed with caution and ensure you have a proper understanding of firewall configurations and networking setups to mitigate connectivity issues.

## Self-hosted Nestri Relay

For those who prefer full control over the Nestri stack, it is possible to self-host the Nestri Relay. However, setting this up can be a bit complex, as it requires SSL Certificates for secure communication between your Nestri Node and your gaming devices. There are three main options:

- **Let's Encrypt Certificate**: This is the most common certificates for self-hosting and requires a domain name. You can generate a certificate using tools like **certbot** or **acme.sh**. Let's Encrypt provides free SSL certificates that are trusted by most browsers and are relatively straightforward to set up.

- **Purchased SSL Certificate**: The **easiest option** for most users is to buy an SSL certificate from a trusted Certificate Authority (CA). This option eliminates much of the hassle involved with certificate generation and renewals, as these certificates are already trusted by browsers and don’t require as much manual setup.

While self-hosting offers more flexibility, most users will find the **Nestri-hosted Relay** to be the easiest and most reliable option for getting started with cloud gaming on Nestri. This hosted relay is available to everyone using the BYOG package and requires no configuration.


## Prerequisites

1. **Server Requirements:**
   - Ensure **port 443** is open for both **TCP and UDP** (`:443/udp & :443/tcp`).
   - The server should have at least **6-8GB RAM** and **2 vCPUs**.
   - Supports both ARM or AMD64 architecture.

2. **Software Requirements:**
   - Docker and `docker-compose` must be installed on the server. You can use [this installation script](https://github.com/docker/docker-install) to set up Docker.
   - Git must be installed to clone the necessary repository.

3. **Certificates:**
   - You will need both private and public SSL certificates. It is recommended to use certificates from a **trusted Certificate Authority** (CA), either by using **Let's Encrypt** or purchasing a commercial SSL certificate, for secure communication. Avoid using self-signed certificates, as they can lead to compatibility issues and security warnings in browsers.

## Self-hosted Nestri Relay with an Reverse Proxy

### Caddy
As caddy user you can use the following docker-compose.yml file:

```yaml [docker-compose.caddy.yml]
services:
  caddy:
    image: caddy:latest
    container_name: caddy
    ports:
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile # your caddyfile
      - ./cert:/etc/caddy/certs
    depends_on:
      - relay
    networks:
      - relay_network
    restart: unless-stopped

  relay:
    #image: ghcr.io/nestrilabs/nestri/relay:nightly # Offical relay image
    image: ghcr.io/datcaptainhorse/nestri-relay:latest # Most current relay image
    container_name: relay
    environment:
     #- AUTO_ADD_LOCAL_IP=false # use with WEBRTC_NAT_IPS
     #- WEBRTC_NAT_IPS=1.2.3.4 # Add the LAN IP of your container here if connections fail
      - VERBOSE=true
      - DEBUG=true
    ports:
      - "8088:8088/udp"
    networks:
      - relay_network
    restart:
      unless-stopped
networks:
  relay_network:
    driver: bridge
```

The Caddyfile should look like this:
```caddyfile [Caddyfile]
relay.example.com {
        @ws {
                header Connection Upgrade
                header Upgrade websocket
        }
        tls you@example.com
        reverse_proxy @ws relay:8088
        reverse_proxy relay:8088
}
```

Please modify it to your needs and replace the placeholder values with your own.
You should also setup the Caddyfile to match your domain.

### Traefik
As traefik user you can use the following docker-compose.yml file:

```yaml [docker-compose.relay.traefik.yml]
services:
  traefik:
    image: "traefik:v2.3"
    restart: always
    container_name: "traefik"
    networks:
      - traefik
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.network=traefik"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web-secure.address=:443"
      - "--certificatesresolvers.default.acme.tlschallenge=true"
      - "--certificatesresolvers.default.acme.email=foo@example.com" # Your email for tls challenge
      - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./letsencrypt:/letsencrypt" # Your letsencrypt folder for certificate persistence
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart:
      unless-stopped
  relay:
    #image: ghcr.io/nestrilabs/nestri/relay:nightly # Offical relay image
    image: ghcr.io/datcaptainhorse/nestri-relay:latest # Most current relay image
    container_name: relay
    environment:
      - AUTO_ADD_LOCAL_IP=false # Use with WEBRTC_NAT_IPS
      #- WEBRTC_NAT_IPS=1.2.3.4 # Add the LAN IP of your container here if connections fail
      - VERBOSE=true
      - DEBUG=true
    ports:
      - "8088:8088/udp"
    networks:
      - traefik
    restart:
      unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.relay.rule=Host(`relay.example.com`) # Your domain for tls challenge
      - traefik.http.routers.relay.tls=true
      - traefik.http.routers.relay.tls.certresolver=default
      - traefik.http.routers.relay.entrypoints=web-secure
      - traefik.http.services.relay.loadbalancer.server.port=8088
networks:
  traefik:
    external: true
```

Please modify it to your needs and replace the placeholder values with your own.

### Where to find the relay compose files?

You will also find the relay compose files in our [github repository](https://github.com/nestrilabs/nestri/tree/main/containers).