How to Self-Host Portainer and Manage Docker Containers Remotely
Portainer gives you a clean web interface to manage Docker containers, images, volumes, networks, and stacks without touching the command line. This guide covers installing Portainer CE with Docker Compose, connecting it to your Docker environment, and making the dashboard securely accessible from any browser, anywhere, using a Localtonet tunnel.
What Is Portainer?
Portainer is an open-source container management platform that wraps Docker, Docker Swarm, and Kubernetes
in a web-based dashboard. Instead of memorizing docker ps, docker inspect,
and docker compose up flags, you manage everything through a browser: start and stop containers,
pull images, browse logs, edit environment variables, deploy Compose stacks, and manage volumes and networks,
all with a few clicks.
It comes in two editions. Portainer CE (Community Edition) is completely free and covers everything a developer or homelab user needs. Portainer BE (Business Edition) adds RBAC, LDAP, and audit logs for teams and enterprises. This guide uses CE.
Install Portainer CE with Docker Compose
Portainer itself runs as a Docker container. The setup mounts the Docker socket into the container so Portainer can communicate with the Docker engine on the same host.
Create the project directory
mkdir portainer && cd portainer
Create the Docker Compose file
services:
  portainer:
    image: portainer/portainer-ce:sts
    container_name: portainer
    restart: always
    ports:
      - "127.0.0.1:9443:9443"
      - "127.0.0.1:8000:8000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
volumes:
  portainer_data:
    name: portainer_data
Port 9443 serves the Portainer web UI over HTTPS. Port 8000 is only needed
if you plan to use Edge Agent features to manage remote Docker hosts without a direct connection.
Binding both ports to 127.0.0.1 means they are only reachable locally, which is the right
default: you will expose the UI securely through a Localtonet tunnel.
Start Portainer
docker compose up -d
docker compose ps
Portainer is now running. Open https://localhost:9443 in your browser on the same machine.
You will see a certificate warning because Portainer uses a self-signed certificate by default; accept it to continue.
Initial Setup
Create the admin account
On first access, Portainer asks you to set a username and password for the administrator account.
Choose a strong password. You have a limited time window to complete this step before
Portainer locks down the setup screen for security reasons.
If you miss the window, restart the container with docker compose restart portainer.
Connect to the local Docker environment
After creating the admin account, Portainer asks which environment to manage. Select Docker and then Use the local Docker socket. Click Connect. Portainer detects all containers, images, and volumes already on the host and displays them in the dashboard immediately.
Explore the dashboard
Click on the local environment in the home screen to enter the management view. From here you can see all running containers, manage stacks, pull images, and inspect volumes.
Access Portainer Remotely with Localtonet
Portainer's web UI runs on port 9443 over HTTPS. With the 127.0.0.1 binding
in place, it is only reachable on the local machine. To access it from outside (another device,
a remote office, or your phone), create a Localtonet TCP tunnel for that port.
Portainer already serves HTTPS on port 9443. Using a Localtonet TCP tunnel preserves
the end-to-end TLS connection from your browser all the way to Portainer.
An HTTP tunnel would terminate TLS at the relay, which is unnecessary here since Portainer handles it directly.
Install and authenticate Localtonet on the host machine
curl -fsSL https://localtonet.com/install.sh | sh
localtonet --authtoken <YOUR_TOKEN>
Create a TCP tunnel for port 9443
Log in to the Localtonet dashboard, go to Tunnels → New Tunnel,
select TCP, set local IP to 127.0.0.1 and port to 9443.
Click Create. The dashboard shows a relay address such as example.localto.net:33XX.
Open Portainer from any device
In your browser, go to https://example.localto.net:33XX.
Accept the self-signed certificate warning and log in with your admin credentials.
You now have full access to your Docker environment from any location.
Avoid the certificate warning with a custom domain (optional)
If you attach a custom domain to an HTTP tunnel pointing at port 9443,
Localtonet provides a valid Let's Encrypt certificate for that domain.
Your browser trusts the connection without any warning.
Because an HTTP tunnel terminates TLS at the relay, this option gives up the end-to-end TLS that the TCP tunnel preserves.
See the custom domain guide for setup steps.
Keep Everything Running After a Reboot
The Compose file uses restart: always on the Portainer container,
so Docker restarts it automatically on every boot. Register Localtonet as a systemd service
so the tunnel also comes back without any manual steps:
sudo localtonet --install-service --authtoken <YOUR_TOKEN>
sudo localtonet --start-service --authtoken <YOUR_TOKEN>
Verify both services are active:
docker compose ps
systemctl status localtonet
After this, your Portainer dashboard and its relay address come back automatically every time the host machine boots. You never need to reconnect or restart anything by hand.
Security Recommendations
⏱ Complete the initial setup immediately after installation
Portainer shows an unauthenticated setup screen on first access and gives you a short time window
to create the admin account. If anything can reach port 9443 before you do,
it could set the admin password. The 127.0.0.1 port binding in the Compose file
keeps the port off your network until you are ready.
🔑 Use a strong admin password
Portainer has full access to your Docker socket, which means full access to every container on the host. A compromised Portainer account is effectively full root access to the machine. Use a long, unique password and enable two-factor authentication under Account Settings → Two-factor authentication.
👤 Create non-admin accounts for teammates
If other people need access to Portainer, create individual user accounts for them under Settings → Users rather than sharing the admin credentials. Assign the minimum permission level each person needs; read-only access is available for people who only need to browse container logs and status.
🔒 Keep port 9443 off the public internet
The 127.0.0.1 binding in the Compose file ensures port 9443
is never reachable from the network directly. Always access Portainer through the Localtonet tunnel,
not by opening the port in your firewall. This keeps the attack surface small.
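To confirm the binding on a running host, the following added example (not part of the original guide) reads docker port output and reports any mapping published on a non-loopback address. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Usage on a live host:  sh check-bindings.sh portainer
# (check-bindings.sh is a hypothetical file name for this script.)

# Read `docker port <container>` output on stdin, e.g.
#   9443/tcp -> 127.0.0.1:9443
# Print every mapping whose host address is not loopback.
# Exit status: 0 if all mappings are loopback-only, 1 otherwise.
non_loopback_bindings() {
    awk '
        BEGIN { bad = 0 }
        $2 == "->" {
            host = $3
            sub(/:[0-9]+$/, "", host)      # drop the trailing :port
            gsub(/^\[|\]$/, "", host)      # unwrap [::1]-style IPv6
            if (host !~ /^127\./ && host != "::1") {
                print $1 " is published on " $3
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the mappings produced by the guide's Compose file.
SAMPLE_OK='8000/tcp -> 127.0.0.1:8000
9443/tcp -> 127.0.0.1:9443'

# Constructed sample: the same service with the UI port written as
# "9443:9443", which publishes it on every interface (IPv4 and IPv6).
SAMPLE_EXPOSED='8000/tcp -> 127.0.0.1:8000
9443/tcp -> 0.0.0.0:9443
9443/tcp -> [::]:9443'

# Live check, only when a container name is given and docker is installed.
if [ -n "${1:-}" ] && command -v docker >/dev/null 2>&1; then
    docker port "$1" | non_loopback_bindings
fi
```

No output and exit status 0 mean every published port is bound to loopback; any printed line is a port that other machines on the network can reach without going through the tunnel.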
📦 Keep Portainer updated
Pull the latest image and recreate the container regularly to stay current with security patches. The named volume keeps all your configuration and connected environments across updates.
docker compose pull
docker compose up -d
Frequently Asked Questions
Can I manage containers on multiple servers from one Portainer instance?
Yes. Deploy the Portainer Agent on each additional server and connect it to your central Portainer instance. The agent runs as a lightweight container on the remote host and exposes port 9001 for the Portainer server to connect to. Once connected, all environments appear in the Portainer home screen and you can switch between them instantly.
Can I deploy Docker Compose stacks from the Portainer UI?
Yes. Go to Stacks → Add Stack. You can paste a Compose file directly, upload a file, or point Portainer at a Git repository. Portainer deploys and manages the stack and shows all containers belonging to it in a grouped view. You can edit the Compose definition and redeploy without touching the command line.
Will I lose my configuration if I update Portainer?
No. All configuration, user accounts, connected environments, and stack definitions are stored in the named Docker volume portainer_data. Pull the new image and recreate the container; the volume persists. Always back up the volume before a major version upgrade just in case.
Can I run Portainer on a Raspberry Pi?
Yes. The official Portainer CE image supports ARM and ARM64 architectures. It runs well on a Raspberry Pi 3 or newer. Docker pulls the correct image variant automatically for your Pi's CPU.
Is Portainer CE really free?
Yes. Portainer CE is free and open source with no usage limits. It covers container management, stack deployment, image and volume management, user accounts, and multi-environment support via the Portainer Agent. Portainer BE adds enterprise features like LDAP/SSO integration, audit logs, and advanced RBAC, but none of those are required for personal or small team use.
Can I open a terminal inside a running container from Portainer?
Yes. Go to Containers, click on any running container, and open the Exec tab. Choose a shell (/bin/bash or /bin/sh) and click Connect. A terminal opens in your browser, running inside the container on the remote host. This works over the Localtonet tunnel without any additional setup.
Manage Your Docker Containers from Any Browser, Anywhere
Install Portainer with Docker Compose, create a Localtonet TCP tunnel, and your entire Docker environment is accessible from any device with a browser. No SSH, no command line, no VPN.