Frequently Asked Questions
General
What is Gatwy?
Gatwy is a self-hosted remote access gateway that lets you connect to remote machines via RDP, SSH, VNC, Telnet, SMB, SFTP, and FTP — directly from your browser. No Java, no plugins, no middleware.
What makes Gatwy different from Apache Guacamole?
Gatwy's RDP client runs as WebAssembly in the browser (no server-side rendering), ships as a single container (no Java/Tomcat/guacd), and includes features Guacamole lacks: SSH recording, command audit log, granular RBAC, encrypted backups, file management (SMB/FTP), and built-in alerting.
Is Gatwy open source?
Yes — MIT licensed. See the GitHub repository.
What browsers are supported?
Any modern browser with WebAssembly support:
- Chrome / Edge 90+
- Firefox 90+
- Safari 15+
Deployment
What port does Gatwy use?
7443 (HTTPS) by default. Change it with the PORT environment variable.
What are the minimum system requirements?
- 1 CPU core, 256 MB RAM, 1 GB disk
- Docker Engine 20.10+
- See Docker Deployment for details
Can I run Gatwy without Docker?
Gatwy can be run without Docker (Node.js 20+ required): npm install && npm run build && npm start. Docker is the recommended and officially supported method.
How do I update Gatwy?
docker compose pull && docker compose up -d
Data is preserved in the mounted ./data directory.
Where is the Docker image?
GitHub Container Registry: ghcr.io/kotoxie/gatwy:latest
Security
Do I need to set GATWY_ENCRYPTION_KEY?
Yes, for production. Without it, Gatwy auto-generates a key file inside the data volume — anyone with access to the volume can decrypt credentials and recordings. Set GATWY_ENCRYPTION_KEY to keep the key separate from the data.
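An added example, not part of the Gatwy project: a preflight check to run before `docker compose up -d` that confirms the key is set and is stored apart from the data directory. It assumes the key is supplied through an env file (the `.env` path is hypothetical), a Linux host with GNU `stat`, and the `./data` bind mount described on this page.

```shell
#!/bin/sh
# Added example (not Gatwy project code): preflight check for key separation.
# Assumptions: key supplied via an env file with KEY=value lines (path is
# hypothetical), GNU stat on a Linux host, ./data is the bind-mounted data dir.

# Resolve a directory to its physical absolute path (follows symlinks).
abs_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# check_key_separation ENV_FILE DATA_DIR
# Returns: 0 ok
#          1 GATWY_ENCRYPTION_KEY missing or empty (Gatwy would auto-generate
#            a key file inside the data volume)
#          2 env file lives inside the data directory
#          3 env file is accessible to group or others
check_key_separation() {
    env_file=$1
    data_dir=$2

    [ -f "$env_file" ] || return 1
    grep -Eq '^GATWY_ENCRYPTION_KEY=.+' "$env_file" || return 1

    env_parent=$(abs_dir "$(dirname "$env_file")") || return 1
    # Data dir may not exist yet on first start; then nothing can be inside it.
    data_abs=$(abs_dir "$data_dir") || data_abs=""
    if [ -n "$data_abs" ]; then
        case "$env_parent/" in
            "$data_abs"/*) return 2 ;;
        esac
    fi

    # Octal mode must end in 00: no group or other permission bits.
    mode=$(stat -c '%a' "$env_file") || return 3
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 3 ;;
    esac
}

# Usage: check_key_separation ./.env ./data && docker compose up -d
```
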
Are session recordings encrypted?
Yes. All recordings (asciinema for SSH/Telnet, WebM for RDP) are encrypted using the GATWY_ENCRYPTION_KEY. Files in the data volume are inaccessible without authenticating through the Gatwy UI.
Does Gatwy support SSO?
Yes — OpenID Connect (OIDC) is supported, including Azure AD, Okta, Google, Keycloak, and any OIDC-compatible provider. Users are auto-provisioned on first login.
Does Gatwy support MFA?
Yes — per-user TOTP (authenticator app) with trusted device cookies.
Does Gatwy support LDAP / Active Directory?
Yes — authenticate users against any LDAP directory, with LDAP group-to-admin-role mapping.
Connectivity
Why can't I connect to an RDP host?
- Verify the target is reachable from inside the Gatwy container:
docker exec gatwy ping <target-host>
- Check RDP is enabled on the target (port 3389 by default)
- Verify credentials — NLA (Network Level Authentication) requires valid domain credentials
- Check Gatwy logs:
docker logs gatwy
Do I need to open extra ports on the target machines?
No. All protocol traffic is tunneled through the HTTPS connection to Gatwy on port 7443. Your target machines only need to be reachable from the Gatwy container, not from the internet.
Does Gatwy support SSH key-based authentication?
Yes — SFTP and SSH connections support both password and private-key authentication.
Data & Backup
Where is my data stored?
In the Docker bind mount at ./data (mapped to /app/data in the container). This includes the database, TLS certificate, and session recordings.
How do I back up Gatwy?
Use the built-in backup: Settings → Backup & Restore → Create Backup. This produces a single encrypted .geb file containing the database, all recordings, and the encryption key. See Backup & Restore.
Can I export my connections?
Yes — Settings → Import/Export lets you export and import the full connection tree as JSON.