I'm not sure there's a single class of software that's been implemented more times than ngrok-style tunneling. I keep finding more and more.
Honestly it's a really fun exercise. Fairly challenging, but well within the reach of a single developer. I believe I'm currently working on my 5th incarnation.
I still haven’t found an ideal solution, despite a variety of options.
Cloudflare tunnels are good, but Cloudflare terminates TLS certificates, and scans the traffic. People host on premise for privacy, which is moot if using Cloudflare.
FRP is simple and works, but it takes inbound traffic from the open Internet. A vulnerability in it could compromise your environment. The transport encryption is customized (probably using TLS). It’s not VPN-quality software going through audits. It may need a reverse proxy in front of it.
The ones that make outbound connections seem better. Ngrok pricing is not good, particularly when using custom domains. Tailscale funnel seems to be for short-lived lightweight connections, has bandwidth and speed limitations due to use of relay servers, kills my CPU, and requires a tailnet.
SSH reverse tunnels require some scripting with autossh or similar to ensure persistent connections.
Can you clarify what you mean by inbound vs outbound? Pretty much all of these tools work the same way. You have a machine (usually a VPS) with a public IP address that runs the server, you connect to it with a client, and it tunnels traffic sent to the server to the client and other machines that would otherwise only be visible to the client.
There are several options on the list that do e2ee, including commercial services that likely have better pricing than ngrok. That said, I'm not aware of any that are marketed for high bandwidth usage such as video streaming. FWIW my 5th incarnation mentioned above will be such a service.
Yes, sorry, I was sloppy in my comment. I meant, say in the case of Cloudflare or Tailscale, I don’t need to open any ports, or operate any server. The server, its firewall and security are outsourced to those companies. They take care of configuring and securing the internet-facing component. The clients make outbound connections, and the company takes care of handling inbound.
This is similar to running your own VPN server, vs using what’s called zero trust network access with services provided by companies such as Cloudflare.
Cloudflare tunnels are simple, robust and include a range of features: various authentication options, a secure internet-facing webpage in Cloudflare Access, DDoS mitigation, IP hiding, DNS and domain setup, etc. If they didn’t decrypt and scan the traffic, that’s what an ideal solution would look like.
Have you tried https://zrok.io/? It's open source so you can self-host with custom domains, has a free SaaS incl. reserved shares which give static, vanity URLs, and includes internet hardening/auth.
I have seen OpenZiti mentioned, and should probably try that and zrok.
I think self hosting internet facing servers is not a good idea for most people. That component should be outsourced to specialists, in a product that includes a range of features (see my comment on Cloudflare Access below).
> Tailscale funnel seems to be for short-lived lightweight connections, has bandwidth and speed limitations due to use of relay servers, kills my CPU, and requires a tailnet.
I'm a fan of their approach[0] though. No termination of TLS, SNI proxying (I presume) to backend machines, etc.
> I'm not sure there's a single class of software that's been implemented more times than ngrok-style tunneling. I keep finding more and more.
AFAIK ngrok was the first widespread implementation of it, and there was such a sheer lack of it before that everyone started working on their own implementations at once and now we have an abundance.
I think "widespread" in this case means "marketed better". There were open source implementations before ngrok, whose founder even worked with someone who'd written one of those. (ngrok back then was certainly better than a lot of those other options, though.)
Webhooks created the need for local tunneling software. Before ngrok, webhooks themselves were just starting to become more common. The need for local tunneling is much much greater than it was 15 years ago.
(Also consider that ngrok today is far more than a local tunnel proxy. They noticed the abundance of open source options years ago and have moved on from the basic concept.)
> I think "widespread" in this case means "marketed better".
No, widespread means widespread. As in tons of people started to use it, ngrok started pivoting into enterprise, moved from ngrok.io to ngrok.com, etc. I was there for all of it.
The landscape of software other than ngrok was a total wasteland. Maybe there was localtunnel or SSH, I guess. But both of them kind of sucked and were fragile. ngrok was a static Go binary you could run anywhere to open a tunnel and it was total magic, worked perfectly, and was exactly what the world needed. It was the original. It taught people how this stuff ought to work and once people learned the formula, just like the iPhone, everyone else started copying it and now there are tons of implementations.
It's an interesting market. Currently most (all?) offerings are targeted at the developer case, a la webhooks and request inspection. But I think in the future the more important use case (and much larger market) will be self hosting. That's going to require a lot more bandwidth.
I've been self-hosting https://github.com/fatedier/frp on my little box, and it feels insane to think of the times when I didn't have it set up. There are many choices in the space as others pointed out, but frp's capabilities and lightweight packaging blow all other setups out of the water. I placed mine behind nginx with Let's Encrypt for SSL support. Hella fresh!
One of the things I found missing in a lot of ngrok alternatives is a web interface for viewing HTTP requests/responses when tunneling in HTTP/HTTPS mode, so I made a kinda hacky solution to this using cloudflared + mitmproxy: https://gist.github.com/maple3142/e46ab5ce8697476db13b4d9dc0...
This is correct. It's simply logging the connection so I can see server load/usage stats. There is other code that logs the NodeJS version and OS; this is so I can make better decisions on which NodeJS version I should get TypeScript to compile to. The second log can be turned off, however; instructions are in the README.
> ... server source code contains a feature ... I would only use the self-hosted version.
You shouldn't assume that a server which is ostensibly running code you can see is actually running that code without modifications.
That said, there is a difference between someone claiming (explicitly or implicitly) that they're not doing something, versus not making a claim, versus admitting they are doing it.
I once had a PCI dialup modem back in the early days of the internet. No router involved, so the IP I got was exposed to the internet. Sharing a web server was simple: basically start it, then http://<my-ip-address>.
I also ended up with several worms infecting the Windows version I was running, part of why I switched to Linux and haven't looked back since.
I’ve been wondering this too. My biggest hesitation is that I don’t want to compromise the security of my local network; especially because it’s not just me using it.
Do you know of any resources that cover how to do the security necessary for hosting at home?
Not sure what country you're in but in the US at least ISP options are rather limited in any given area. The two widest reaching (geographically) options, cell and Starlink, both use CGNAT as far as I know. Plus they're more limited in data usage.
Most of them require you to upgrade to a business account, and are generally quite a bit more expensive than standard residential internet service plus a VPS.
Been obsessing the past few days on ssh tunnels. Ran a local service for over a week using ssh -R, which was pretty cool. Also tried out autossh. Was using Caddy on a $2 VPS; mostly it just worked. I love the idea of being able to pay so little for a gateway onto an old laptop with a huge hard drive running all kinds of awesome stuff, and instantly share a new container I run with a friend for a few hours and then take it down when we’re done.
I haven’t looked at the code for the link above, but I think I am going to build a self-hosted solution in Go and WireGuard with a simple GUI.
edit: one other cool thing to note was not only was this service behind a firewall, it was also behind my mullvad desktop client on Linux. Will probably run WireGuard connection to the VPS in a container to avoid conflicts with commercial VPN.
EDIT: And, actually, I don't think this is really an ngrok alternative. Unless I'm mistaken it looks like it only supports HTTP, whereas ngrok is a generic TCP proxy. (Albeit that ngrok does not support TCP half-close because it treats it like a full close).
TCP is something I'm thinking about. It is possible with sockets and different port numbers opening/closing on the server side; it will take some work, however. Perhaps you might be interested in contributing?
I do that with a private server of my own, but it's quite fragile. The SSH tunnel connection drops sometimes, and it's just raw tunneling. What I love about ngrok is the web interface with logs showing the HTTP requests and responses with all the headers and payload. I'm hoping this has the same, will give it a try when I'm on my laptop.
One benefit of doing it on your own server is the static hostname you get with it. A new hostname every time you start up is not fun at all!
Building these types of tunneling systems is a great project. You learn a lot and can master skills in many different areas.
Packetriot has been operating for five years, and the first few years were all spent on performance and stability of the core networking services. As the software and network matured, I spent more time on the operations and maintenance, and automating as much of that as possible.
Recently I've begun building tools to detect phishing and potential malicious behaviors. This is a common problem that operators of these tunnel networks have to deal with. It's an interesting and fun technical area and helps make the Internet a safer place :)
This one is pretty weird. All the docs about everything talk about privacy and security and Ockam Orchestrator. This last part seems to be a completely proprietary and undocumented cloud service. Why would anyone trust this?
The Portals for Mac app is an example of the type of thing you could build using the open source stack of protocols. The README (linked by parent) links out to all of the relevant parts of the protocol documentation to explain how these work together. The NAT Traversal (https://github.com/build-trust/ockam/blob/develop/examples/a...) part of the README is probably the best explanation of why the free relay you get via Ockam Orchestrator is a useful part of this demo.
As for why would anyone trust this: The protocols are designed so you absolutely don't have to trust the relay. Trust is pushed out to the edges that you control and so you're not susceptible to a MITM attack if something like a relay is compromised. The protocol design for all of this is open and documented, and was independently audited by (IMO) some of the best in the business, Trail of Bits: https://docs.ockam.io/reference/protocols.
Is there any stand-alone open source version of the VS Code port forwarder? That’s what I really want. Not so much public access, just local access to ports on the remote machine that I can easily manage. SSH port forwards don’t work inside docker dev environments (and docker containers have to be rebuilt to export new ports natively), so some extra software is needed.
I've got your list saved in my notes :) The main thing is many of these are, well, ngrok alternatives: put my localhost on the internet. I am looking for something that puts remote ports into my local machine, and in particular which don't require configuring network interfaces (insecure to do in Docker containers) and don't require a centralized control plane.
Devcontainers in Docker. With Docker, you cannot add a port forward to an existing container; you have to rebuild the container. With devcontainers, this at a minimum requires a few minutes of rebuilding time (an excessive price to pay for changing a port forward).
Yes, that's the gist, although to complicate things I actually have the devcontainer running on a remote machine. So to access it I use `ssh host docker exec -it container`, for example. This is a supported workflow for VSCode remote devcontainers, and I would like to see an open-source version of it.
A (potentially minor) problem with this use case for Tailscale is that we do actually want the forwarded services listening on localhost and not on a different IP address, because browsers treat these as secure contexts without having to fuss with https. I briefly checked the Tailscale userspace docs just now and it seems to expose a SOCKS proxy, meaning that we'd need an extra piece to listen on the desired localhost port and forward via Tailscale.
[edit] Removed an incorrect assumption. Tailscale does not require CAP_NET_ADMIN in userspace mode.
I made one too, https://webrelay.dev; it’s a fun little project. I added TCP tunnels and a lightweight overlay network as well; basically you can start a port on a remote machine and map it to a local port instead of exposing it publicly.
I found this yesterday, as I exceeded the 1GB monthly free traffic of ngrok. I use it only for testing some bookmarklet in development for work, so I won't pay for that, unless my employer does (which doesn't). So tunnelmole works pretty well.
Tried zrok.io but couldn't figure out what to do, wanted the easiest route.
Many alternatives: SSH reverse tunnels, Cloudflare tunnels, various reverse proxies like FRP, Tailscale funnel (probably for short lived light connections), ngrok, etc
These can work, but all take a bit more work than running a single command, including Cloudflare tunnels, which, according to their docs, require you to make a DNS record on your domain. I use SSH reverse tunnels for some things where I need tighter security.
I tried to test this out. But got blocked when I visited my Public URL by some security warning page around phishing? Which is fair enough, but it wasn't clear to me how I could remove that and get the URL to point to my local server like I wanted. Also, their GitHub project has not been maintained for some time.
My apologies - I faced this same issue and completely forgot about it. My use-case was to host a dev server that I can ssh into from anywhere, and host things when needed.
What I eventually ended up doing was:
1. Switched to Cloudflare to manage my DNS.
2. Added a subdomain and pointed my IP address to it.
It's worth noting that if Tunnelmole becomes popular enough, you will also likely end up with people using it for phishing attacks, and your users will start getting phishing warnings. I recommend getting tunnelmole.net added to the Public Suffix List[0] which may help with this.
IMO it's not worth running a free tunneling service.
All autossh does is try to keep open/restart an ssh connection as a daemon — I’m not sure there’s any benefit to it these days than just using a systemd service.
That being said, as an example `ssh user@host.com -R 8181:localhost:8080` will open port 8181 on the remote machine you’re connecting to, and forward traffic that’s addressed there to port 8181 on the machine you’re connecting from. That is, you’ll be able to open a browser to http://host.com:8181 to test something running on your dev machine at port 8080. Traffic gets forwarded along the ssh tunnel.
Autossh (or a systemd service supervising an `ssh` connection) will keep that tunnel open.
-M sets the control port for autossh which it uses to check if all is working right. The rest is standard SSH syntax; in this example, a loopback socket on port 8080 on host will get opened, and all requests to it are forwarded to localhost's port 80.
If you want it to be a "real" socket instead of just loopback, set "GatewayPorts clientspecified" in sshd_config.
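The two comments above give the `ssh -R` one-liner and note that autossh (or a systemd service) is needed to keep it alive. The following is an added example, not code from the thread or from autossh, showing what such a supervisor actually needs: `ExitOnForwardFailure` so ssh exits (and gets restarted) instead of sitting there with no forward when the remote port is taken, server-alive keepalives so a dead connection is noticed, and an optional bind address that only takes effect when sshd allows `GatewayPorts`. Host, user and port values below are placeholders; the `run` and `sleep` parameters exist only so the restart loop can be exercised without a real ssh.

```python
"""Supervised SSH reverse tunnel: a small stand-in for autossh.

Added example; not code from the thread, autossh or OpenSSH.
Assumes an OpenSSH client on PATH and key-based (non-interactive) auth.
"""
import shlex
import subprocess
import time


def reverse_tunnel_argv(host, remote_port, local_port, *, user=None,
                        local_host="localhost", bind_address=None,
                        keepalive=30):
    """Build the argv for `ssh -R` that exposes local_port on the remote host.

    -N                        no remote shell, forwarding only
    ExitOnForwardFailure=yes  exit (so the supervisor restarts) if the remote
                              port cannot be bound, instead of silently staying
                              up with no forward
    ServerAliveInterval/Max   detect a dropped connection instead of hanging
    BatchMode=yes             never block on a password/host-key prompt
    bind_address=None         remote listener on loopback only; "0.0.0.0" needs
                              `GatewayPorts yes|clientspecified` in sshd_config
    """
    target = f"{user}@{host}" if user else host
    bind = f"{bind_address}:" if bind_address else ""
    forward = f"{bind}{remote_port}:{local_host}:{local_port}"
    return [
        "ssh", "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-o", f"ServerAliveInterval={keepalive}",
        "-o", "ServerAliveCountMax=3",
        "-o", "BatchMode=yes",
        "-R", forward,
        target,
    ]


def next_backoff(current, cap=60):
    """Double the wait between restarts, capped so a flapping VPS is not hammered."""
    return min(current * 2, cap)


def supervise(argv, max_restarts=None, run=subprocess.call, sleep=time.sleep):
    """Keep the tunnel up: rerun ssh whenever it exits, with exponential backoff.

    A run that lasted over a minute resets the backoff (the link was healthy).
    Returns ssh's last exit code once max_restarts is reached (None = forever).
    """
    delay = 1
    restarts = 0
    while True:
        started = time.monotonic()
        rc = run(argv)
        if time.monotonic() - started > 60:
            delay = 1
        if max_restarts is not None and restarts >= max_restarts:
            return rc
        restarts += 1
        sleep(delay)
        delay = next_backoff(delay)


if __name__ == "__main__":
    # Placeholder host/user: expose local 8080 as loopback-only 8181 on the VPS.
    argv = reverse_tunnel_argv("vps.example.com", 8181, 8080, user="tunnel")
    print("running:", shlex.join(argv))
    supervise(argv)
```

The loopback-only default matters: with no bind address the remote listener is reachable only from the VPS itself, which is the safe starting point; expose it on all interfaces (and adjust `GatewayPorts` on the server) only when you actually want the port public.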
The main purpose of services like Tunnelmole and ngrok is basically to provide this functionality and save you from having to run your own server. It's easy for people like us; I've used SSH for more than 20 years. A lot of devs, however, don't have good Linux/infra/ssh exposure. Others might have that exposure, but don't have the spare time or energy to run their own server.
In the early days there were several attempts to use Tunnelmole for phishing.
When you think about it, a service that hides your IP under a domain that is not yours means you can do whatever you want without risking your own server or domain being taken down for abuse, instead risking my server.
So I added code to forward an X-Forwarded-For header, which contains the real IP address of the client. Also random URLs have the ip address added to them.
PM from ngrok here. First, awesome project! Love to see new projects and ideas in the space. Fighting phishing (and other abuse) is a constant battle for us. As you may know, we do similar things to publish IP addresses, but we've had to add a bunch of other stuff to combat this over the years. I'm happy to share ideas and collaborate if you want to reach out. russ at ngrok dot com.
I know what the X-Forwarded-For is, but I'm confused by what you mean here. Can you go into a bit more detail as to what you implemented and how it prevents phishing?
It's a header that contains the IP address of the machine that ran the Tunnelmole client, which ensures it can't be used anonymously. My theory here is that phishers and other nefarious actors are attracted to this type of service so they can hide their origin server.
I haven't had a lot of phishing issues since introducing that header and the IP address in random domains.
I'll see if I can get tunnelmole.net added to that public suffix list.
One reason tunnels go through tunnelmole.net instead of tunnelmole.com is to protect the reputation of the main domain.
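The two measures described in this thread (an X-Forwarded-For header carrying the tunnel client's real IP, and random hostnames that embed that IP) are an accountability control: the relay stops being an anonymizer, so an abuse report on a tunnel URL leads straight back to the origin. The following is an added example, not Tunnelmole's or ngrok's code, of how a relay and an abuse analyst would each side of that. The header name and the idea come from the thread; the concrete hostname layout (random label plus dashed IPv4), the helper names and the trusted-hop rule are this example's own choices.

```python
"""Origin accountability at a tunnel relay.

Added example, not Tunnelmole's code. Hostname format and helper names are
this example's own design; the header and the IP-in-hostname idea are from
the thread.
"""
import secrets
from ipaddress import IPv4Address, ip_address


def stamp_forwarded_for(headers, tunnel_client_ip):
    """Relay side: append the tunnel client's public IP to X-Forwarded-For on
    every message the relay passes on. An existing chain is kept, not
    overwritten, so each hop appends and the rightmost entry is the one this
    relay vouches for. Malformed input raises instead of being forwarded."""
    ip = str(ip_address(tunnel_client_ip))  # ValueError on anything not an IP
    out = {}
    chain = None
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            chain = value
        else:
            out[name] = value
    out["X-Forwarded-For"] = f"{chain}, {ip}" if chain else ip
    return out


def random_hostname(tunnel_client_ip, base_domain="tunnelmole.net", label_bytes=4):
    """Relay side: random subdomain that also encodes the tunnel client's IPv4,
    so the origin is visible in the URL itself, not only in headers.
    Constructed format: <random-hex>-<a>-<b>-<c>-<d>.<base_domain>."""
    dashed = str(IPv4Address(tunnel_client_ip)).replace(".", "-")
    return f"{secrets.token_hex(label_bytes)}-{dashed}.{base_domain}"


def origin_ip_from_hostname(hostname, base_domain="tunnelmole.net"):
    """Abuse-handling side: recover the encoded IP from a reported URL's host.
    Returns None when the host is not in the format above."""
    suffix = "." + base_domain
    if not hostname.endswith(suffix):
        return None
    parts = hostname[: -len(suffix)].split("-")
    if len(parts) != 5:
        return None
    try:
        return str(IPv4Address(".".join(parts[1:])))
    except ValueError:
        return None


def vouched_ip(headers, trusted_hops=1):
    """Receiving side: take the X-Forwarded-For entry appended by a hop you
    trust (the rightmost one when only the relay is trusted). Entries further
    left were supplied by the client and are informational at best."""
    value = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    chain = [p.strip() for p in value.split(",") if p.strip()]
    if len(chain) < trusted_hops:
        return None
    try:
        return str(ip_address(chain[-trusted_hops]))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: a request arriving with a pre-existing chain, relayed
    # for a tunnel client whose public IP is a documentation address.
    incoming = {"Host": "demo", "X-Forwarded-For": "10.0.0.5"}
    print(stamp_forwarded_for(incoming, "203.0.113.7"))
    name = random_hostname("203.0.113.7")
    print(name, "->", origin_ip_from_hostname(name))
```

The `trusted_hops` rule is the part people get wrong when consuming this header: only the entries appended by hops you control are evidence; anything the visitor put there before the relay touched the request can be forged.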
Interesting. I see what you mean by the random domains now. Creative idea!
> One reason tunnels go through tunnelmole.net instead of tunnelmole.com is to protect the reputation of the main domain.
Definitely recommend you keep it that way. There's no saying what various orgs will do. I believe at one point Facebook Messenger blocked links to .xyz TLD domains entirely. Maybe they still do.
(I'm no Node expert, so this might be flawed, but) presumably, because they hope that you'll use the app more than a few times, and so the one-time overhead of typing `sudo npm install -g` once will outweigh the repeated requirement to use `npx` every time you invoke it. Or, taking a less mechanistic and more usability-focused approach - because the intention is for it to be seen as a fundamental tool, just as accessible as grep or cat or less, rather than "hidden" behind npx.
I actually tried advertising the `npx tmole` / `npx tunnelmole` methods but not too many people picked them up, so I ended up not adding these methods to the docs.
https://github.com/anderspitman/awesome-tunneling