awesome-tunneling
List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.
Top Related Projects
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
A fast TCP/UDP tunnel over HTTP
A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Unified ingress for developers
Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
Fast and secure tunnels over HTTP/2
Quick Overview
The "awesome-tunneling" repository is a curated list of tunneling software and services. It provides a comprehensive collection of tools and resources for creating network tunnels, which can be useful for various purposes such as remote access, bypassing firewalls, or securing communications.
Pros
- Extensive collection of tunneling tools and services
- Well-organized and categorized for easy navigation
- Regularly updated with new entries and information
- Includes both open-source and commercial solutions
Cons
- Lacks detailed comparisons between different tools
- Some listed projects may be outdated or no longer maintained
- Does not provide in-depth tutorials or usage instructions
- May overwhelm beginners with the large number of options
Note: As this is not a code library but rather a curated list of resources, there are no code examples or getting started instructions to provide.
Competitor Comparisons
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
Pros of sshuttle
- Provides a full VPN-like experience over SSH
- Supports transparent proxying of DNS queries
- Can route all traffic through the tunnel, not just specific ports
Cons of sshuttle
- Requires root access on the client machine
- More complex setup compared to simple port forwarding
- May have performance overhead due to its Python implementation
Code comparison
sshuttle:
sudo sshuttle -r username@sshserver 0/0 -x sshserver
awesome-tunneling (using SSH port forwarding):
ssh -L 8080:localhost:80 username@sshserver
Summary
sshuttle is a more comprehensive tunneling solution that provides VPN-like functionality, while awesome-tunneling is a curated list of various tunneling tools and techniques. sshuttle offers a broader range of features but requires more setup and privileges. awesome-tunneling provides a collection of simpler, more targeted solutions that may be easier to implement for specific use cases.
Both projects serve different purposes: sshuttle is a standalone tool, while awesome-tunneling is a resource for finding and comparing various tunneling options. The choice between them depends on the user's specific needs, technical expertise, and desired level of control over the tunneling process.
A fast TCP/UDP tunnel over HTTP
Pros of Chisel
- Standalone executable with no dependencies
- Supports both TCP and UDP tunneling
- Includes built-in HTTP and SOCKS5 proxies
Cons of Chisel
- Limited to a single tool, while Awesome Tunneling provides a curated list of various tunneling solutions
- May have a steeper learning curve for users unfamiliar with command-line tools
Code Comparison
Chisel:
# Server
chisel server -p 8080 --reverse
# Client
chisel client server.com:8080 R:3000:localhost:3000
Awesome Tunneling doesn't provide specific code examples, as it's a curated list of tunneling tools and resources. However, it offers links to various tools, each with its own usage instructions.
Summary
Chisel is a feature-rich, standalone tunneling tool that offers TCP and UDP tunneling along with built-in proxies. It's ideal for users who prefer a single, comprehensive solution. On the other hand, Awesome Tunneling is a curated list of various tunneling tools and resources, providing a broader overview of available options. While Chisel offers a more focused approach, Awesome Tunneling allows users to explore and choose from multiple tools based on their specific needs.
A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Pros of frp
- Actively developed and maintained project with frequent updates
- Comprehensive feature set including TCP/UDP forwarding, HTTP/HTTPS tunneling, and load balancing
- Built-in web interface for easy management and monitoring
Cons of frp
- Steeper learning curve due to more complex configuration options
- Requires both client and server components to be set up and configured
Code Comparison
frp configuration example:
[common]
server_addr = x.x.x.x
server_port = 7000
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
awesome-tunneling doesn't provide specific code examples as it's a curated list of tunneling tools and resources. However, it offers a wide range of options for various tunneling needs, allowing users to choose the most suitable tool for their specific use case.
Summary
frp is a feature-rich tunneling solution with active development, while awesome-tunneling serves as a comprehensive resource for discovering various tunneling tools. frp offers more advanced features but requires more setup, whereas awesome-tunneling provides a broader overview of available options without focusing on a single implementation.
Unified ingress for developers
Pros of ngrok
- Ready-to-use solution with a simple command-line interface
- Offers secure tunneling with TLS encryption out of the box
- Provides a user-friendly web interface for monitoring and managing tunnels
Cons of ngrok
- Limited free tier with restrictions on features and usage
- Closed-source, which may raise privacy and security concerns for some users
- Less flexibility compared to the variety of tools listed in awesome-tunneling
Code Comparison
ngrok:
ngrok http 8080
Example from awesome-tunneling (using localtunnel):
lt --port 8080
Summary
ngrok is a popular, user-friendly tunneling solution that offers a streamlined experience for creating secure tunnels. However, it comes with limitations in its free tier and lacks the openness of some alternatives.
awesome-tunneling, on the other hand, is a curated list of various tunneling tools and services. It provides users with a wide range of options, allowing them to choose the most suitable solution for their specific needs. This flexibility comes at the cost of requiring more research and setup time compared to the out-of-the-box experience offered by ngrok.
Ultimately, the choice between ngrok and the tools listed in awesome-tunneling depends on the user's requirements, technical expertise, and preference for simplicity versus flexibility.
Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
Pros of sslh
- Focused, single-purpose tool for multiplexing SSL and SSH connections
- Actively maintained with regular updates and bug fixes
- Provides detailed documentation and configuration options
Cons of sslh
- Limited to specific protocols (SSL, SSH, OpenVPN, etc.)
- Requires more setup and configuration compared to some tunneling solutions
- May have higher resource usage for large-scale deployments
Code Comparison
sslh configuration example:
listen:
(
    { host: "0.0.0.0"; port: "443"; }
);
protocols:
(
    { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
    { name: "ssl"; host: "localhost"; port: "443"; }
);
awesome-tunneling doesn't provide specific code examples, as it's a curated list of tunneling tools and resources.
Summary
sslh is a specialized tool for multiplexing SSL and SSH connections, offering active maintenance and detailed documentation. However, it's limited to specific protocols and may require more setup compared to some alternatives. awesome-tunneling, on the other hand, is a comprehensive list of various tunneling tools and resources, providing a broader overview of available options without focusing on a single solution.
Fast and secure tunnels over HTTP/2
Pros of go-http-tunnel
- Focused specifically on HTTP tunneling, providing a more specialized solution
- Written in Go, offering potential performance benefits and easy deployment
- Actively maintained with recent updates and contributions
Cons of go-http-tunnel
- Limited to HTTP tunneling, while awesome-tunneling covers a broader range of tunneling solutions
- Requires Go knowledge for customization and integration
- Less comprehensive documentation compared to awesome-tunneling's curated list
Code Comparison
go-http-tunnel example:
tunnel := tunnel.NewServer(&tunnel.ServerConfig{
    Addr: ":8080",
})
tunnel.Start()
awesome-tunneling doesn't provide code examples directly, as it's a curated list of tunneling tools and resources. However, it offers links to various projects with their own implementation details.
Summary
go-http-tunnel is a specialized HTTP tunneling solution written in Go, offering potential performance benefits and active maintenance. However, it's limited to HTTP tunneling and requires Go knowledge. awesome-tunneling, on the other hand, is a comprehensive list of various tunneling tools and resources, providing a broader overview of available solutions but without direct implementation. The choice between the two depends on whether you need a specific HTTP tunneling tool or a general reference for tunneling options.
README
The purpose of this list is to track and compare tunneling solutions. This is primarily targeted toward self-hosters and developers who want to do things like exposing a local webserver via a public domain name, with automatic HTTPS, even if behind a NAT or other restricted network.
NOTE: We're building a community around self-hosting, data ownership, and decentralization in general. Join us over at IndieBits.io.
The dream
I started this list because I'm looking for a simple tool/service that does the following:
- Allows me to register a domain name and automatically points the records at the server running the tunnels.
- Automatically sets up and manages HTTPS certificates (apex and subdomains) for the domain.
- Provides a client tool that tunnels HTTP/TCP connections through the server without requiring root on the client.
- Provides a simple GUI interface to allow me to map X domain/subdomain to Y port on Z client, and proxy all connections to that domain.
So far I haven't found a tool that does all of this. In particular, while some of them can do automatic certs through Let's Encrypt, none of them integrate the domain registration and DNS management in a simple way.
Recommendations
- For most people, I currently recommend Cloudflare Tunnel. Although it's closed source, this is the production-quality service that gets the closest to achieving the dream. It's also a loss-leader for Cloudflare's other products which means they can offer it for free.
- If you want to self-host, there are many options. For something production ready frp is probably what you want. If you're a developer, I'd recommend starting with my own SirTunnel project and modifying it for your needs. For non-developers and those wanting more of a GUI experience, I created boringproxy. It's my take on a comprehensive tunnel proxy solution. It's in beta but currently solves almost everything I want. Once the server is running this is a very easy tool to use and has some nice features.
Open source (at least with a reasonably permissive license)
- Telebit - Written in JS. Code.
- tunnel.pyjam.as - No custom client; uses WireGuard directly instead. Written in Python. source code
- SSH-J.com - Public SSH Jump & Port Forwarding server. No software, no registration, just an anonymous SSH server for forwarding. Users are encouraged to use it for SSH exposure only, to preserve end-to-end encryption. No public ports, only in-SSH connectivity. Run `ssh ssh-j.com` and it will display usage information.
- frp - Comprehensive open alternative to ngrok. Supports UDP, and has a P2P mode. Supports multiplexing over TCP (single connection or pool), QUIC, and KCP.
- ngrok 1.0 - Original version of ngrok. No longer developed in favor of the commercial 2.0 version.
- localtunnel/localtunnel - Written in node. Popular suggestion.
- chisel - SSH under the hood, but still uses a custom client binary. Supports auto certs from LetsEncrypt. Written in Go.
- sshuttle - Open source project originally from one of the founders of Tailscale. Server doesn't require root; client does. Explicitly designed to avoid TCP-over-TCP issues.
- rathole - Similar to frp, including the config format, but with improved performance. Low resource consumption. Hot reload. Written in Rust.
- bore - Minimal tunneling solution. MIT Licensed. Written in Rust.
- expose - ngrok alternative written in PHP.
- sish - Open source ngrok/serveo alternative. SSH-based but uses a custom server written in Go. Supports WebSocket tunneling.
- wstunnel - Proxies over WebSockets. Focus on proxying from behind networks that block certain protocols. Written in Rust with executables provided.
- gost - Looks like a comprehensive option. TCP and UDP tunneling. TAP/TUN devices. Load balancing. Web API. Written in Go.
- progrium/localtunnel - As far as I know this is the first ever tool of this kind, predating ngrok and the other localtunnel. No longer maintained, but here for posterity. MIT License. Written in Go.
- go-http-tunnel - Uses a single HTTP/2 connection for muxing. Need to manually generate certs for server and clients.
- pgrok/pgrok - A multi-tenant HTTP reverse tunnel solution through SSH remote port forwarding.
- zrok - Aims for effortless sharing both publicly and privately. Supports multiple types of resources, including HTTP endpoints and files. Built on OpenZiti (see overlay section below). Apache 2 License. Written in Go.
- portr - Has a JavaScript/Python admin page and request inspection/replay features. AGPL-3.0 License. Tunneling implemented in Go.
- tunnelto - Open source (MIT). Written in Rust.
- piko - Piko is an open-source alternative to Ngrok, designed to serve production traffic and be simple to host (particularly on Kubernetes). MIT License. Written in Go.
- gsocket/Global Socket - The Global Socket Toolkit allows two users behind NAT/Firewall to establish a TCP connection with each other. Securely. Written in C.
- SirTunnel - Minimal, self-hosted, 0-config alternative to ngrok. Similar to sish but leverages Caddy+OpenSSH rather than custom server code.
- boringproxy - Designed to be very easy to use. No config files. Clients can be remote-controlled through a simple WebUI and/or REST API on the server.
- Tunnelmole - Open source and optionally self hostable. The client and server are both written in TypeScript.
- jprq - Proxies over WebSockets. Written in Go.
- Wiretap - Transparent tunneling over WireGuard (UDP) using userspace network stack. Root not required on server. Supports multiple clients and servers. Written in Go.
- PageKite - Comprehensive open source solution with hosted options.
- onionpipe - Onion addresses for anything. `onionpipe` forwards ports on the local host to remote Onion addresses as Tor hidden services and vice-versa. Written in Go.
- Crowbar - Tunnels TCP connections over HTTP GET and POST requests.
- tunneller - Open source. Written in Go.
- tunnel - This one is a Golang library, not a program you can just run. However, it looks easy to use for creating custom solutions. Uses a single TCP socket, and yamux for multiplexing.
- jerson/pgrok - Fork of ngrok 1.0, with more recent commits. Archived.
- remotemoe - SSH-based, with custom golang server. Does some cool unique things. Instead of just plain tunnels, it drops you into a basic CLI UI that offers several useful commands interactively, such as adding a custom hostname. Also allows end-to-end encryption for both HTTPS and upstream SSH. Doesn't appear to offer non-e2e HTTPS, i.e. no auto Let's Encrypt support.
- docker-tunnel - Simple Docker-based nginx+SSH solution.
- hypertunnel - Public server appears to be down. MIT Licensed. Written in JavaScript.
- tunwg - Based on userspace WireGuard. Offers end-to-end encrypted TLS with Let's Encrypt certificates generated automatically by clients, with support for custom domains. Server can be self-hosted and doesn't require storing any data.
- reverse-tunnel - Supports TCP and UDP tunnels. Has Docker images. Supports Let's Encrypt. MIT License. Written in Go.
- gt - Supports peer-to-peer direct connection (P2P) and Internet relay. Focus on performance. Written in Go.
- jkuri/bore - Reverse HTTP/TCP proxy via SSH. Written in Go.
- EXPOSE - SSH-based open source tool, with no configuration or installation, distributed worldwide, to expose your local services. Uses your GitHub username and public SSH keys to authenticate you and provide you with a short personalised URL. AGPL-3.0 License. Written in Python.
- srv.us - SSH-based. Terminates TLS. Hostnames based on your key, optionally GitHub and/or GitLab username. 0BSD License. Written in Go.
- holepunch - Uses SSH for muxing. Domain has expired. AGPL-3.0 Licensed. Written in Python.
- docker-wireguard-tunnel - Connect two or more Docker servers together sharing container ports between them via a WireGuard tunnel.
- cactus-tunnel - 🌵 A charming TCP tunnel over WebSocket and Browser. Written in TypeScript.
- chiSSL - Lightweight version of Chisel that allows you to expose local servers running on your development machine to the internet with valid SSL certificates. MIT License. Written in Go.
- specter - Interesting approach utilizing a DHT. QUIC transport. MIT License. Written in Go.
- tnnlink - SSH-based. Golang. Not maintained.
- ngtor - Easily expose local services via Tor. Written in Java.
- Punchmole - Can be integrated directly into an existing Node.js project. Written in JavaScript.
- ephemeral-hidden-service - Create ephemeral Tor hidden services from the command line. Written in Python.
- netmask - A TCP/UDP self-hostable network tunneling solution that supports IPv4 and IPv6. Client has a GUI. MIT License. Written in Python.
- tunnelite - A self-hostable tunneling solution for TCP, HTTP and WS connections over websockets. CLI client. MIT License. Written in .NET.
Commercial/Closed source
- ngrok 2.0 - Probably the gold standard and most popular. Closed source. Lots of features, including TLS and TCP tunnels. Doesn't require root to run client.
- Cloudflare Tunnel - Excellent free option. Nicely integrates tunneling with the rest of Cloudflare's products, which include DNS and auto HTTPS. Client source code is Apache 2.0 licensed and written in Golang.
- Microsoft Dev Tunnels - Not as useful for self-hosting (no custom domains and it shows warnings when people visit the URLs), but a solid option for dev work.
- Livecycle Docker Extension - Offers much more than just tunneling. Has a collaboration layer (Dashboard) that lets you collaborate, debug, and gather feedback from the people you are working with. Shares HTTPS URLs.
- Beeceptor - Goes beyond tunneling. Rest API mocking and intercepting tool. You can view the live requests and send mocked responses. Written in JavaScript.
- Pinggy - SSH based single command HTTPS / TCP / TLS tunnels, no downloads required. Rich terminal interface and a web debugger. Free tier - 60 min timeout. The paid tier allows custom domains with built-in Let's Encrypt certificates.
- Loophole - Offers end-to-end TLS encryption with the client automatically getting certs from Let's Encrypt. QR codes for URL sharing. The client is open source. Can serve a local directory over WebDAV. MIT License. Written in Go.
- localhost.run - Simple hosted SSH option. Supports custom domains for a cost.
- Packetriot - Comprehensive alternative to ngrok. HTTP Inspector, Let's Encrypt integration, doesn't require root, and provides Linux repos for apt, yum and dnf. Enterprise licenses and self-hosted option.
- Horizon Tunnel - Easy to use HTTP(S) and websocket tunneling aimed at development. Free tier available. Fixed URL is part of paid plans.
- Hoppy - WireGuard-based. Provides static IPv4 and IPv6 addresses for your machines, which is a simple and useful level of abstraction. Targeted towards self-hosters and people behind NATs.
- gw.run - Specifically focusing on securely exposing internal web apps to a group of people; not for publicly facing apps. Share access via email address then allow users to log in with common login providers like Google.
- SSHReach.me - Paid SSH-based option. Uses a simple Python script.
- KubeSail - Company offering tunneling, dynamic DNS, and other services for self-hosting with Kubernetes.
- inlets - Used to be open source; now focused on a polished commercial offering. Designed to work well with Kubernetes.
- LocalToNet - Supports UDP. Free for a single tunnel. Paid supports custom domains.
- LocalXpose - Looks like a solid paid option, with a limited free tier.
- playit.gg - Specifically marketed as tunneling for game servers. Client is open source. Server is not. Has a free tier. TCP and UDP supported. Custom domains and dedicated IPs available. Client written in Rust.
- Tabserve.dev - Web UI that runs entirely in the browser and uses a Cloudflare Worker for https.
- Serveo - SSH-based, signup optional, offering HTTP(S) and TCP tunneling and SSH jump host forwarding capabilities.
- Homeway - Secure and private remote access for Home Assistant. The free tier has a monthly data limit cap, but unlimited data is only $2.49/month.
- btunnel - Expose localhost and local tcp server to the internet. The free plan includes file server, custom http request and response headers, basic auth protection and 1 hour tunnel timeout.
- remote.it - Tunnels SSH, HTTP/S, TCP, Docker, popular databases, etc. Allows mapping a local port to a remote port.
- StaqLab Tunnel - SSH-based. The client is open source. The server doesn't appear to be.
- LocalCan - MacOS app for exposing local apps, has custom domains with built-in Let's Encrypt certificates. It also can publish .local domains on the local network.
- Openport.io - Open-source client, written in Go. Supports HTTP(S) and TCP. REST API. No account needed. Web dashboard. Also works on ESP32.
- Lokal.so - HTTP/TCP/UDP tunneling and debugging, zero-config .local address with HTTPS, built-in S3 server, AI assistant. Available as desktop GUI, web, REST API, and CLI, on Mac, Windows and Linux.
Overlay networks and other advanced tools
- headscale - Open source implementation of Tailscale control server. Can be used with Tailscale's official open source client. Written in Go.
- Tailscale - Built on WireGuard. Easy to use. Control server is closed source. Client code available with a BSD3 license + separate patents file.
- Teleport - Comprehensive control plane tool, but also supports accessing apps behind NATs. Written in Go.
- Nebula - Peer-to-peer overlay network. Developed and used internally by Slack. Similar to Tailscale but completely open source. Doesn't use WireGuard. Written in Go.
- ZeroTier - Layer 2 overlay network. They take decentralization seriously, and like to say "decentralize until it hurts, then centralize until it works." Written in C++.
- Netmaker - Layer 3 peer-to-peer overlay network and private DNS. Similar to Tailscale, but with a self-hosted server/admin UI. Runs kernel WireGuard so very fast. Apache 2.0 License. Written in Go.
- NetBird - NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
- Firezone - Layer 3/4 overlay network. Runs on kernel WireGuard® and supports SSO using generic OIDC/SAML connectors. Distributed under Apache 2.0 license and written in Elixir/Rust.
- n2n - Built on nodes and supernodes. GPL-3.0 license. Written in C.
- innernet - Similar to Netmaker, Nebula, and Tailscale. Takes advantage of existing networking concepts like CIDRs and the security properties of WireGuard to turn your computer's basic IP networking into more powerful ACL primitives. Written in Rust.
- Portals for Mac - A Mac app that uses the Ockam library to privately share a service on your Mac to anyone, anywhere. The service is shared securely over an end-to-end encrypted Ockam Portal. Apache 2.0 License. Written in Rust.
- Pritunl - Seems quite comprehensive and complicated. OpenVPN, WireGuard, and IPSec support.
- Tinc - Tinc is a peer-to-peer VPN daemon that supports VPNs with an arbitrary number of nodes. Instead of configuring tunnels, you give Tinc the location and public key of a few nodes in the VPN. After making the initial connections to those nodes, tinc will learn about all other nodes on the VPN, and will make connections automatically. When direct connections are not possible, data will be forwarded by intermediate nodes. Written in C.
- OpenZiti - Overlay network. The goal of OpenZiti is to extend zero trust all the way into your application, not just to your network. Apache 2.0 license. Written in Go.
- weron - Built on WebRTC. Can create Layer 2 and Layer 3 networks. NAT traversal via STUN and TURN. AGPL-3.0 license. Written in Go.
- bifrost - Bifrost is a peer-to-peer communications engine with pluggable transports. It supports dynamic configuration of transports, listeners, forwarding rules, and can tunnel other protocols over WebRTC and Quic. Apache 2.0 License. Written in Go.
- Ngrok-operator - Ngrok but integrated with Kubernetes, allows developers on private Kubernetes to easily access their services via Ngrok.
- chisel-operator - Kubernetes integration for Chisel. Similar functionality to inlets. MIT License. Written in Rust.
- frp-operator - Kubernetes integration for FRP. MIT License. Written in Go.
- Mycoria - Overlay network where the IPv6 address is the key: Easily share address + public key via a DNS AAAA record or map names locally. Secure by default (firewall included). BSD-3 license. Written in Go.
Reference
- Roll your own Ngrok with Nginx, Let's Encrypt, and SSH reverse tunnelling
- Poor man's ngrok with tcp proxy and ssh reverse tunnel
- How I built Ngrok Alternative (jprq)
- Great SO answer by AJ ONeal about how these things work
- Talk by AJ ONeal about tunneling tech
- ngrok alternative: localtunnel + Caddy + Lets Encrypt
- Can You Grok It - Another DIY tunnel blog post