Overview
This project builds a complete self-hosted remote desktop infrastructure on top of RustDesk Community Edition.
The signal relay server (hbbs), data relay server (hbbr), and Web management console are consolidated into a single Docker Compose deployment.
Cloudflare Tunnel provides secure inbound connectivity without exposing any ports, while Cloudflare Access restricts management console access to authorized users only.
The result is an unlimited-device, low-maintenance connection infrastructure suitable for individuals, labs, or small teams.
Tech Stack
- Core services: RustDesk Server (Community Edition), hbbs, hbbr
- Management UI: RustDesk Web Console
- Network tunneling: Cloudflare Tunnel (Zero Trust)
- Containerization: Docker Compose
- Access control: Cloudflare Access Policy
Key Features
- hbbs, hbbr, and Web console unified in a single Compose file
- Cloudflare Tunnel with zero open ports and no exposed host IP
- Cloudflare Access policy gates the management console to authorized users
- No device count limits, suitable for multi-endpoint environments
- Low maintenance overhead with automatic service restart on failure
Deployment Architecture
Service Layout
self-host-rustdesk-server/
├── docker-compose.yml   # hbbs + hbbr + Web console
├── .env.example         # Key and config template
└── cloudflared/
    └── config.yml       # Cloudflare Tunnel routing
Network Flow
Client (RustDesk App)
  → Cloudflare Tunnel
  → hbbs (signal negotiation)
  → hbbr (data relay)
Admin browser
  → Cloudflare Access
  → Web management console
Security note: .env contains RustDesk keys and the Cloudflare Tunnel token. Never commit it to version control.
Verify your Cloudflare Access policy is active before deployment to avoid exposing the management console publicly.
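A pre-deployment check for the two points in the security note, as an added example that is not taken from the project's repository. The function names and the script's two arguments are assumptions; the console check relies on Cloudflare Access answering an unauthenticated request with a 302 redirect to the team's cloudflareaccess.com login page.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the security note (not project code).

# How is .env exposed to git in the repository at directory $1?
# Prints one of: tracked | in-history | unignored | ok
env_file_exposure() {
    repo=$1
    if git -C "$repo" ls-files --error-unmatch .env >/dev/null 2>&1; then
        echo tracked       # in the index: the next commit or push carries the secrets
    elif [ -n "$(git -C "$repo" log --all --oneline -- .env 2>/dev/null)" ]; then
        echo in-history    # untracked now, but old commits still hold it: rotate keys
    elif ! git -C "$repo" check-ignore -q .env 2>/dev/null; then
        echo unignored     # no ignore rule: a broad `git add` would stage it
    else
        echo ok
    fi
}

# Classify the response headers of an unauthenticated request to the console,
# passed as text in $1 (the output of `curl -sI`).
# Prints one of: gated | exposed | unknown
access_gate_state() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
    host=${location#https://}   # compare the redirect host only, not the whole URL
    host=${host%%/*}
    case "$status" in
        302) case "$host" in
                 *.cloudflareaccess.com) echo gated ;;
                 *) echo unknown ;;
             esac ;;
        2*) echo exposed ;;     # answered without a login redirect
        *) echo unknown ;;
    esac
}

# Usage: sh predeploy-check.sh <repo-dir> <console-url>
if [ "$#" -eq 2 ]; then
    echo ".env:    $(env_file_exposure "$1")"
    echo "console: $(access_gate_state "$(curl -sI --max-time 10 "$2")")"
fi
```

Anything other than `ok` and `gated` should block the deployment; `unknown` means the response needs a manual look.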
GitHub
Source code: github.com/felimet/self-host-rustdesk-server