Userspace Networking
Run Twingate without root privileges using HTTP Proxy Mode
Summary
Twingate’s Linux client now supports a new userspace (non-root) networking mode. This feature allows the Twingate Client to run in restricted environments such as containers, CI/CD pipelines, and managed workstations without requiring elevated privileges.
Traditionally, the Linux client used a TUN (network tunnel) interface that required root access. With the new HTTP Proxy Mode, users can securely connect to Twingate-protected resources using standard HTTP and HTTPS traffic, even when administrative access isn’t available.
This update makes it easier to integrate Twingate into automated, headless, or sandbox environments, such as:
- CI/CD pipelines or build systems
- Docker or Kubernetes workloads
- Developer workstations without sudo access
- Cloud-native or multi-tenant systems
Reminder
Peer-to-peer connections help you to provide a better experience for your users and to stay within the Fair Use Policy for bandwidth consumption. Learn how to support peer-to-peer connections.
Available Network Modes
| Mode | Description | Root Required | Default |
|---|---|---|---|
| TUN Mode | Full-network tunneling for all protocols | ✅ Yes | ✅ Enabled |
| HTTP Proxy Mode | HTTP/HTTPS traffic only, ideal for userspace environments | ❌ No | Disabled |
| TUN + HTTP Proxy Mode | Hybrid mode supporting both methods | ✅ Yes | Disabled |
Why It Matters
1. Run Without Root
Many developer and automation environments restrict root access. HTTP Proxy Mode provides secure connectivity under these conditions without compromising access to protected resources.
2. Simpler Integration for Containers
Run Twingate as part of Docker or Kubernetes workflows without modifying host networking or running privileged containers.
3. Safer Defaults for Automation
Adopt a least-privilege model while maintaining secure access for non-interactive or headless jobs. For more least-privilege policy information take a look at our auto lock and just in time access features.
How It Works
In HTTP Proxy Mode, the Twingate Client acts as a local HTTP/HTTPS proxy. Applications or scripts connect through it just like any standard proxy server. This enables userspace connectivity without kernel-level network changes.
Prerequisites
Before using HTTP Proxy Mode, ensure one of the following authentication methods is configured:
- Interactive setup: Configure the client via
twingate setupfor desktop/interactive use - Headless mode: Place a service key at
/etc/twingate/service_key.jsonfor automated deployments
Note
Service accounts are available for Business and Enterprise plan customers and provide the easiest way to integrate Twingate into automated workflows. Learn more about Service Accounts.
Configuration Examples
HTTP Proxy Only (No Root Required)
For environments where root access is not available:
twingated --http-proxy 0.0.0.0:9999 --tun offEnable Both TUN and Proxy (Hybrid Mode)
For environments where root access is available and you want both networking modes:
sudo twingated --http-proxy 0.0.0.0:9999 --tun onUsing Environment Variables
Set environment variables for consistent configuration across deployments:
export TWINGATE_HTTP_PROXY=0.0.0.0:9999export TWINGATE_TUN=offtwingatedUsing a Config File
Create a persistent configuration file for system-wide settings:
echo '{"http-proxy": "0.0.0.0:9999", "tun": "off"}' | sudo tee /etc/twingate/network-config.jsontwingatedInteractive CLI Helpers
# Show current networking configtwingate config networking
# Enable HTTP proxy only (explicitly disable TUN)twingate config networking --http-proxy 0.0.0.0:9999 --tun off
# Enable HTTP proxy and leave TUN on (implicit)twingate config networking --http-proxy 0.0.0.0:9999
# Enable HTTP proxy and TUN explicitlytwingate config networking --http-proxy 0.0.0.0:9999 --tun onContainer Deployments
Kubernetes
Example configuration for deploying the Twingate Client in a Kubernetes cluster:
apiVersion: apps/v1kind: Deploymentmetadata: name: twingate-headlessspec: template: spec: containers: - name: twingate-headless imagePullPolicy: IfNotPresent image: ${TWINGATE_IMAGE} command: ["/usr/sbin/twingated", "--http-proxy", "0.0.0.0:9999", "--tun", "off"] ports: - containerPort: 9999 protocol: TCP volumeMounts: - mountPath: "/etc/twingate/service_key.json" name: twingate-service-key subPath: twingate-service-keyDocker Compose
Example Docker Compose configuration for running the Twingate Client in a container:
services: twingate-client: image: ${TWINGATE_IMAGE:-client-arm64} platform: ${TWINGATE_PLATFORM:-linux/arm64} command: --http-proxy 0.0.0.0:9999 --tun off volumes: - ${SERVICE_KEY_PATH}:/etc/twingate/service_key.jsonLast updated 13 minutes ago