Appearance
Edge relays
An edge relay is a relay you run yourself, with burrowee-edge. It does the same job as Burrowee's hosted relays — blind forwarding between your gateways and your clients, web-viewer ingress on :443, optional QUIC — but it runs on your own machine and carries only your own account's gateways.
Three properties define it:
- Self-hosted. You run the binary — on a VPS, a home server, a NAS, anything that runs macOS or Linux. You own the machine and the ports.
- Single-tenant and account-bound. The edge serves the gateways of the account that minted it, and nothing else. Its configuration arrives as a manifest signed by the console; it cannot widen its own scope.
- Hard-bound to the console. The console identity is compiled into the binary. There is no flag to point an edge at a different control plane — if a setup blob doesn't come from
console.burrowee.com, the edge won't enroll with it.
When to use one
You don't need an edge relay to use Burrowee — the hosted relays cover the normal path. Run one when:
- You want traffic on your own domain and your own machine. A frontier edge sits on a public host (say
edge.example.com), terminates TLS with certificates the console issues and pushes to it, and serves your custom domains end to end through infrastructure you control. - You want fast hops inside your LAN. A LAN edge runs on your local network and serves clients there directly — a gateway and a CLI on the same network connect through it without ever leaving the building.
The two roles are the LAN and frontier modes; you pick when you mint the relay in the console.
How it fits together
The edge keeps a persistent outbound connection (the carrier) to the console. Everything flows through that: enrollment approval, the signed manifest that tells it what to serve, certificates for your custom domains, and the routes that map a hostname to a gateway. The console's Edge Relays page is where you mint, approve, monitor, and remove edges.
Data through the edge stays end-to-end encrypted between the client and the gateway — the edge forwards bytes it cannot read, exactly like a hosted relay.
The burrowee-edge command
Install it with the one-line installer, then drive it with these subcommands (burrowee edge … and burrowee-edge … are interchangeable — the dispatcher forwards one to the other):
| Command | What it does |
|---|---|
bootstrap <blob> <pin> | Enroll this machine against the console, then stand up the nginx front and offer to install the service. See Setup. |
run | Serve in the foreground. |
doctor | Health checks: identity, console reachability, the nginx front. --fix remediates (--yes runs it unattended). See Operations. |
status | Enrollment state and the served configuration (tenant, domains, gateways). |
service install|status | Install or inspect the managed launchd/systemd service. |
restart | Restart the managed service. |
nginx | Generate and apply the nginx front. See nginx front. |
uninstall | Remove the service and back up (or --purge) config and state. |
update [--dry] [--force] | Install the latest release, then restart the service. --dry reports the version gap + changelog only; --force re-installs when already current. |
version | Print the version. |
In this guide
- Setup — mint, bootstrap, approve.
- LAN & frontier modes — the two serving topologies and how the edge picks one.
- nginx front — the
nginxsubcommand, the stream snippet, the pinned LAN certificate. - Custom domains — attach
app.example.comto a target through your edge. - Operations — doctor, status, service, logs, uninstall.