List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.
Go to file
2020-11-27 17:24:33 -07:00
README.md Update README.md 2020-11-27 17:24:33 -07:00

The purpose of this list is to track and compare tunneling solutions. This is primarily targeted toward self-hosters and developers who want to do things like exposing a local webserver via a public domain name, with automatic HTTPS, even if behind a NAT or other restricted network.

The dream

I started this list because I'm looking for a simple tool/service that does the following:

  • Allows me to register a domain name and automatically points the records at the server running the tunnels.
  • Automatically sets up and manages HTTPS certificates (apex and subdomains) for the domain.
  • Provides a client tool that tunnels HTTP/TCP connections through the server without requiring root on the client.
  • Provides a simple GUI interface to allow me to map X domain/subdomain to Y port on Z client, and proxy all connections to that domain.

So far I haven't found a tool that does all of this. In particular, while some of them can do automatic certs through Lets's Encrypt, none of them integrate the domain registration and DNS management.

UPDATE: boringproxy is my take on a solution to this problem. It's in beta but currently solves everything above except auto DNS management, and that's planned.

Open source (at least with a reasonably permissive license)

  • frp frp github stars badge - Seems to be a pretty comprehensive open alternative to ngrok.
  • ngrok 1.0 ngrok 1.0 github stars badge - Original version of ngrok. No longer developed in favor of the commercial 2.0 version.
  • localtunnel localtunnel github stars badge - Written in node. Popular suggestion.
  • inlets inlets github stars badge - Open source ngrok alternative. Has pro option.
  • sshuttle sshuttle github stars badge - Open source project originally from one of the founders of Tailscale. Server doesn't require root; client does. Explicitly designed to avoid TCP-over-TCP issues.
  • ZeroTier - zerotier github stars badge Layer 2 overlay network.
  • chisel chisel github stars badge - SSH under the hood, but still uses a custom client binary. Supports auto certs from LetsEncrypt.
  • expose expose github stars badge - ngrok alternative written in PHP.
  • Pritunl pritunl github stars badge - Seems quite comprehensive and complicated. OpenVPN, WireGuard, and IPSec support.
  • teleconsole teleconsole github stars badge - SSH-based, but uses special client script. Focused on forwarding SSH console sessions, but can also forward ports.
  • go-http-tunnel go-http-tunnel github stars badge - Uses a single HTTP/2 connection for muxing. Need to manually generate certs for server and clients.
  • sish sish github stars badge - Open source ngrok/serveo alternative. SSH-based but uses a custom server written in Go. Supports WebSocket tunneling.
  • tunnelto tunnelto github stars badge - Open core (MIT). Written in Rust.
  • PageKite pagekite github stars badge - Comprehensive open source solution with hosted options.
  • Crowbar crowbar github stars badge - Tunnels TCP connections over HTTP GET and POST requests.
  • tunneller tunneller github stars badge - Open source. Written in Go.
  • jprq jprq github stars badge - Another home-grown Golang solution. Proxies over WebSockets.
  • docker-tunnel docker-tunnel github stars badge - Simple Docker-based nginx+SSH solution.
  • boringproxy boringproxy github stars badge - Designed to be very easy to use. No config files. Clients can be remote-controlled through a simple WebUI and/or REST API on the server.
  • remotemoe remotemoe github stars badge - SSH-based, with custom golang server. Does some cool unique things. Instead of just plain tunnels, it drops you into a basic CLI UI that offers several useful commands interactively, such as adding a custom hostname. Also allows end-to-end encryption for both HTTPS and upstream SSH. Doesn't appear to offer non-e2e HTTPS, ie no auto Let's Encrypt support.
  • holepunch.io holepunch github stars badge - Has nice hosted solution. Uses SSH for muxing.
  • SirTunnel SirTunnel github stars badge - Minimal, self-hosted, 0-config alternative to ngrok. Similar to sish but leverages Caddy+OpenSSH rather than custom server code.
  • StaqLab Tunnel staqlab github stars badge - SSH-based. Client is open source. Server doesn't appear to be.
  • tnnlink tnnlink github stars badge - SSH-based. Golang. Not maintained.
  • Telebit - Written in JS. Code.

Commercial/Closed source

  • ngrok 2.0 - Probably the gold standard and most popular. Closed source. Lots of features, including TLS and TCP tunnels. Doesn't require root to run client.
  • Tailscale tailscale github stars badge - Built on WireGuard. Easy to use. Doesn't include an HTTPS proxy on the public side, but could be combined with nginx/Caddy/etc. Some code available, but I'm not sure what the implications of the custom license is.
  • Loophole - Offers end-to-end TLS encryption with the client automatically getting certs from Let's Encrypt. QR codes for URL sharing.
  • CloudFlare Argo Tunnel - $5/mo + $0.1/GB. Integrates with Argo smart routing. Client source code is available.
  • localhost.run - Simple hosted SSH option. Supports custom domains for a cost.
  • Packetriot - Comprehensive alternative to ngrok. HTTP Inspector, Let's Encrypt integration, doesn't require root and Linux repos for apt, yum and dnf. Enterprise licenses and self-hosted option.
  • Lynk - Advertises itself as a cheaper, faster, self-hostable (but not open source) alternative to ngrok. Blog post.
  • Hoppy - WireGuard-based. Provides static IPv4 and IPv6 addresses for your machines, which is a simple and useful level of abstraction. Targeted towards self-hosters and people behind NATs.
  • gw.run - Specifically focusing on securely exposing internal web apps to a group of people; not for publicly facing apps. Share access via email address then allow users to log in with common login providers like Google.
  • serveo - Mentioned quite a bit the last couple years, but appears to be down currently. Simply uses SSH for tunneling.

Blog posts

Discussions