Installation - FrankoonG/hy2scale GitHub Wiki
π English | δΈζ | νκ΅μ΄
HY2 SCALE runs as a single Docker container. All configuration is managed through the web UI β no config files to edit.
- Docker (any Linux host with Docker support)
-
NET_ADMINcapability (for VPN protocols and routing rules) -
--network host(required for L2TP/IPsec and IKEv2)
docker run -d --name hy2scale \
--network host --privileged \
-v hy2scale-data:/data \
--restart unless-stopped \
frankoong/hy2scale:latestOpen http://<host>:5565/scale/ β default login: admin / admin.
Warning: Change the default password immediately via Settings β System.
When --network host is unavailable, run with explicit port mapping. L2TP / IKEv2 / WireGuard all work via compat mode, only the Rules engine is unavailable.
docker run -d --name hy2scale \
--cap-add NET_ADMIN --cap-add NET_RAW \
-p 5565:5565/tcp -p 5565:5565/udp \
-p 500:500/udp -p 4500:4500/udp -p 1701:1701/udp -p 51820:51820/udp \
-v hy2scale-data:/data \
--restart unless-stopped \
frankoong/hy2scale:latestThe version badge in the sidebar shows the auto-detected runtime mode: Normal, Bridge, Compat, or Limited β see Settings.
services:
hy2scale:
image: frankoong/hy2scale:latest
container_name: hy2scale
restart: unless-stopped
network_mode: host
privileged: true
volumes:
- hy2scale-data:/data
volumes:
hy2scale-data:For bridge mode:
services:
hy2scale:
image: frankoong/hy2scale:latest
container_name: hy2scale
restart: unless-stopped
cap_add: [NET_ADMIN, NET_RAW]
devices: ["/dev/net/tun"]
ports:
- "5565:5565/tcp"
- "5565:5565/udp"
- "500:500/udp"
- "4500:4500/udp"
- "1701:1701/udp"
- "51820:51820/udp"
volumes:
- hy2scale-data:/data
volumes:
hy2scale-data:| Port | Protocol | Service |
|---|---|---|
| 5565 | TCP + UDP | Hysteria 2 server + Web UI |
| 1701 | UDP | L2TP |
| 500 | UDP | IKEv2/IPsec (IKE) |
| 4500 | UDP | IKEv2/IPsec (NAT-T) |
| 51820 | UDP | WireGuard (configurable) |
With --network host, all ports are automatically available. With port mapping, map each port individually:
docker run -d --name hy2scale \
--cap-add NET_ADMIN \
-p 5565:5565/tcp -p 5565:5565/udp \
-p 1701:1701/udp \
-p 500:500/udp -p 4500:4500/udp \
-p 51820:51820/udp \
-v hy2scale-data:/data \
frankoong/hy2scale:latestNote: L2TP and IKEv2 require
--network hostto function. Port mapping alone is not sufficient because IPsec ESP packets cannot be NATed by Docker.
| Variable | Default | Description |
|---|---|---|
DEBUG |
false |
Enable verbose logging (iptables detection, capability checks, packet flow, strongSwan verbosity) |
No other environment variables are needed. All configuration is managed via the web UI and persisted in /data/config.yaml.
All state persists to the /data volume:
/data/
βββ node-id # Unique node identifier (8-char hex)
βββ config.yaml # Configuration (auto-generated, atomic writes)
βββ tls/ # TLS certificates (PEM format)
βββ default.crt
βββ default.key
βββ default.name
Note: A self-signed TLS certificate is auto-generated on first startup.
The binary accepts these flags (usually not needed when running via Docker):
| Flag | Default | Description |
|---|---|---|
-api |
0.0.0.0:5565 |
API/UI listen address |
-base-path |
/scale |
URL base path |
-data |
/data |
Persistent data directory |
git clone https://github.com/FrankoonG/hy2scale.git
cd hy2scale
docker build -t hy2scale .The image (~73MB) includes:
- Go binary (statically compiled)
- strongSwan 5.8.4 (compiled from source)
- xl2tpd, pppd, iptables-legacy
- Alpine 3.19 base
docker pull frankoong/hy2scale:latest
docker stop hy2scale
docker rm hy2scale
# Re-run with the same docker run commandYour configuration is preserved in the data volume.
| Feature | --network host |
Port mapping |
|---|---|---|
| Mesh relay | β | β |
| Web UI | β | β |
| SOCKS5 | β | β |
| Shadowsocks | β | β |
| WireGuard | β | β |
| L2TP/IPsec | β | β (compat mode) |
| IKEv2/IPsec | β | β (compat mode) |
| Routing Rules | β | β |
| Runtime badge | Normal | Bridge / Compat / Limited |