For many years I have honed a little homelab which I accessed it via standard Wireguard VPN connection. Some months ago, I had this idea that my homelab should have zero listening ports on the public internet, for the fact that my router was not being kept up to date with all latest patches. I navigated through headscale/tailscale, cloudflare, etc, however I wanted something incredibly lightweight, that could run on my OpenWrt router.So I built a CLI tool that reverses the connection direction of the hosting server, primarily to create an outbound connection, requiring no listening ports on my homelab gateway. These connection (the server and all clients) needed a rendezvous point where their outbound connections would be tied. I also wanted to avoid issues like complex TLS termination, authentication and possible DDoS attacks on the relay, so it was decided to use WebSockets rather than UDP connections. This provided the possibility to host the relay on the web behind reverse proxies, offloading all other complexities to the battle hardened nginx, while keeping my codebase tiny. Hence BastionRoute was born.BastionRoute tries to solve one thing and one thing only. To provide a means for a UDP server to initiated outbound connections towards a Websocket relay. In doing so, BastionRoute remains payload agnostic, as long as UDP traffic is flowing, it does not care if its Wireguard traffic or any other software. BastionRoute does not require Wireguard keys to operate, in fact for a Wireguard perspective, only the connection configuration changes, nothing else. Wireguard encryption remains end-to-end. In doing so the relay becomes a blind transport broker.I loved working on this project and I wanted to share it with the community. Any feedback is much appreciated.