The purpose of this list is to track and compare tunneling solutions. This is primarily targeted toward self-hosters and developers who want to do things like exposing a local webserver via a public domain name, with automatic HTTPS, even if behind a NAT or other restricted network.
NOTE: We're building a community around self-hosting, data ownership, and decentralization in general. Join us over at IndieBits.io.
I started this list because I'm looking for a simple tool/service that does the following:
- Allows me to register a domain name and automatically points the records at the server running the tunnels.
- Automatically sets up and manages HTTPS certificates (apex and subdomains) for the domain.
- Provides a client tool that tunnels HTTP/TCP connections through the server without requiring root on the client.
- Provides a simple GUI interface to allow me to map X domain/subdomain to Y port on Z client, and proxy all connections to that domain.
So far I haven't found a tool that does all of this. In particular, while some of them can do automatic certs through Lets's Encrypt, none of them integrate the domain registration and DNS management.
A lot of new tools have been developed since the list started, and many tools have been submitted for addition to the list. It's great to see so much interest in tunneling. That said, I want to make sure this remains a useful resource for not just listing all the possible options, but helping people pick one that will solve their problem. With that goal in mind, I've moved some of the items to a separate section at the bottom. This is dedicated to more complicated tools like overlay networks which can support tunneling and similar use cases, but aren't focused exclusively on tunneling. Please let me know if you think something is in the wrong section.
- For most people, I currently recommend CloudFlare Tunnel. Although it's closed source, this is the production-quality service that gets the closest to achieving the dream. It's also a loss-leader for CloudFlare's other products which means they can offer it for free. Note that it's technically against their ToS to host anything other than basic HTML pages on the free plan, including photos, audio, and video. In practice I'm not aware of many instances of this being enforced.
- If you want to self-host, there are many options. For something production ready frp is probably what you want. If you're a developer, I'd recommend starting with my own SirTunnel project and modifying it for your needs. For non-developers and those wanting more of a GUI experience, I created boringproxy. It's my take on a comprehensive tunnel proxy solution. It's in beta but currently solves almost everything I want. Once the server is running this is a very easy tool to use and has some nice features.
Open source (at least with a reasonably permissive license)
- Telebit - Written in JS. Code.
- pyjam.as - No custom client; uses WireGuard directly instead. Written in Python.
- SSH-J.com - Public SSH Jump & Port Forwarding server. No software, no registration, just an anonymous SSH server for forwarding. Users are encouraged to use it for SSH exposure only, to preserve end-to-end encryption. No public ports, only in-SSH connectivity. Run
ssh ssh-j.comand it will display usage information.
- frp - Comprehensive open alternative to ngrok. Supports UDP, and has a P2P mode. I believe it uses a custom TCP protocol for multiplexing, which can either run over a single TCP connection or a connection pool.
- ngrok 1.0 - Original version of ngrok. No longer developed in favor of the commercial 2.0 version.
- localtunnel - Written in node. Popular suggestion.
- sshuttle - Open source project originally from one of the founders of Tailscale. Server doesn't require root; client does. Explicitly designed to avoid TCP-over-TCP issues.
- chisel - SSH under the hood, but still uses a custom client binary. Supports auto certs from LetsEncrypt. Written in Go.
- bore - Minimal tunneling solution. MIT Licensed. Written in Rust.
- rathole - Similar to frp, including the config format, but with improved performance. Low resource consumption. Hot reload. Written in Rust.
- expose - ngrok alternative written in PHP.
- sish - Open source ngrok/serveo alternative. SSH-based but uses a custom server written in Go. Supports WebSocket tunneling.
- go-http-tunnel - Uses a single HTTP/2 connection for muxing. Need to manually generate certs for server and clients.
- tunnelto - Open source (MIT). Written in Rust.
- wstunnel - Proxies over WebSockets. Focus on proxying from behind networks that block certain protocols. Written in Haskell with executables provided.
- PageKite - Comprehensive open source solution with hosted options.
- boringproxy - Designed to be very easy to use. No config files. Clients can be remote-controlled through a simple WebUI and/or REST API on the server.
- Crowbar - Tunnels TCP connections over HTTP GET and POST requests.
- jprq - Proxies over WebSockets. Written in Python.
- tunneller - Open source. Written in Go.
- SirTunnel - Minimal, self-hosted, 0-config alternative to ngrok. Similar to sish but leverages Caddy+OpenSSH rather than custom server code.
- tunnel - This one is a Golang library, not a program you can just run. However, it looks easy to use for creating custom solutions. Uses a single TCP socket, and yamux for multiplexing.
- pgrok - Fork of ngrok 1.0, with more recent commits.
- docker-tunnel - Simple Docker-based nginx+SSH solution.
- remotemoe - SSH-based, with custom golang server. Does some cool unique things. Instead of just plain tunnels, it drops you into a basic CLI UI that offers several useful commands interactively, such as adding a custom hostname. Also allows end-to-end encryption for both HTTPS and upstream SSH. Doesn't appear to offer non-e2e HTTPS, ie no auto Let's Encrypt support.
- holepunch - Has nice hosted solution. Uses SSH for muxing.
- StaqLab Tunnel - SSH-based. Client is open source. Server doesn't appear to be.
- tnnlink - SSH-based. Golang. Not maintained.
- ngrok 2.0 - Probably the gold standard and most popular. Closed source. Lots of features, including TLS and TCP tunnels. Doesn't require root to run client.
- CloudFlare Tunnel - Excellent free option. Nicely integrates tunneling with the rest of Cloudflare's products, which include DNS and auto HTTPS. Client source code is Apache 2.0 licensed and written in Golang.
- Loophole - Offers end-to-end TLS encryption with the client automatically getting certs from Let's Encrypt. QR codes for URL sharing. Client is open source. Can serve a local directory over WebDAV. MIT License. Written in Go.
- localhost.run - Simple hosted SSH option. Supports custom domains for a cost.
- Packetriot - Comprehensive alternative to ngrok. HTTP Inspector, Let's Encrypt integration, doesn't require root and Linux repos for apt, yum and dnf. Enterprise licenses and self-hosted option.
- Hoppy - WireGuard-based. Provides static IPv4 and IPv6 addresses for your machines, which is a simple and useful level of abstraction. Targeted towards self-hosters and people behind NATs.
- gw.run - Specifically focusing on securely exposing internal web apps to a group of people; not for publicly facing apps. Share access via email address then allow users to log in with common login providers like Google.
- SSHReach.me - Paid SSH-based option. Uses a simple python script.
- KubeSail - Company offering tunneling, dynamic DNS, and other services for self-hosting with Kubernetes.
- inlets - Used to be open source; now focused on a polished commercial offering. Designed to work well with Kubernetes.
- LocalToNet - Supports UDP. Free for a single tunnel. Paid supports custom domains.
Overlay networks and other advanced tools
- Teleport - Comprehesive control plane tool, but also supports accessing apps behind NATs. Written in Go.
- Nebula - Peer-to-peer overlay network. Developed and used internally by Slack. Similar to Tailscale but completely open source. Doesn't use WireGuard. Written in Go.
- ZeroTier - Layer 2 overlay network. They take decentralization seriously, and like to say "decentralize until it hurts, then centralize until it works." Written in C++.
- Tailscale - Built on WireGuard. Easy to use. Doesn't include an HTTPS proxy on the public side, but could be combined with nginx/Caddy/etc. Control server is closed source. Client code available with a BSD3 license + separate patents file.
- headscale - Open source implementation of Tailscale control server. Can be used with Tailscale's official open source client. Written in Go.
- Netmaker - Layer 3 peer-to-peer overlay network and private DNS. Similar to Tailscale, but with a self-hosted server/admin UI. Runs kernel WireGuard so very fast. Not FOSS, but source is availabe. Written in Go.
- Pritunl - Seems quite comprehensive and complicated. OpenVPN, WireGuard, and IPSec support.
- NetBird - NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
- OpenZiti - - Overlay network. The goal of OpenZiti is to extend zero trust all the way into your application, not just to your network. Apache 2.0 license. Written in Go.
- Ngrok-operator - Ngrok but integrated with Kubernetes, allows developers on private kubernetes to easily access their services via Ngrok.
- Roll your own Ngrok with Nginx, Letsencrypt, and SSH reverse tunnelling
- Poor man's ngrok with tcp proxy and ssh reverse tunnel
- How I built Ngrok Alternative (jprq)
- Great SO answer by AJ ONeal about how these things work
- Talk by AJ ONeal about tunneling tech
- ngrok alternative: localtunnel + Caddy + Lets Encrypt