The purpose of this list is to track and compare tunneling solutions. This is primarily targeted toward self-hosters and developers who want to do things like exposing a local webserver via a public domain name, with automatic HTTPS, even if behind a NAT or other restricted network.

The dream

I started this list because I'm looking for a simple tool/service that does the following:

• Allows me to register a domain name and automatically points the records at the server running the tunnels.
• Automatically sets up and manages HTTPS certificates (apex and subdomains) for the domain.
• Provides a client tool that tunnels HTTP/TCP connections through the server without requiring root on the client.
• Provides a simple GUI interface to allow me to map X domain/subdomain to Y port on Z client, and proxy all connections to that domain.

So far I haven't found a tool that does all of this. In particular, while some of them can do automatic certs through Lets's Encrypt, none of them integrate the domain registration and DNS management.

UPDATE: Since starting this list I found most of the other solutions to be either too complicated or making different tradeoffs than I would want. I have two of my own projects in this space:

1. SirTunnel is I believe the minimal way of getting auto-HTTPS tunneled through to a private network. It's just a 50-line Python script that leverages Caddy and OpenSSH, but you need to understand how it works to use it. This one is good for developers.

2. boringproxy is my take on a comprehensive tunnel proxy solution. It's in beta but currently solves almost everything I want except auto DNS management, and that's planned. Once the server is running this is a very easy tool to use, and is targeted at non-developers.

Open source (at least with a reasonably permissive license)

• frp - Seems to be a pretty comprehensive open alternative to ngrok.
• ngrok 1.0 - Original version of ngrok. No longer developed in favor of the commercial 2.0 version.
• localtunnel - Written in node. Popular suggestion.
• inlets - Open source ngrok alternative. Has pro option.
• sshuttle - Open source project originally from one of the founders of Tailscale. Server doesn't require root; client does. Explicitly designed to avoid TCP-over-TCP issues.
• ZeroTier - Layer 2 overlay network.
• chisel - SSH under the hood, but still uses a custom client binary. Supports auto certs from LetsEncrypt.
• expose - ngrok alternative written in PHP.
• Pritunl - Seems quite comprehensive and complicated. OpenVPN, WireGuard, and IPSec support.
• teleconsole - SSH-based, but uses special client script. Focused on forwarding SSH console sessions, but can also forward ports.
• go-http-tunnel - Uses a single HTTP/2 connection for muxing. Need to manually generate certs for server and clients.
• sish - Open source ngrok/serveo alternative. SSH-based but uses a custom server written in Go. Supports WebSocket tunneling.
• tunnelto - Open core (MIT). Written in Rust.
• wstunnel - Proxies over WebSockets. Focus on proxying from behind networks that block certain protocols. Written in Haskell with executables provided.
• PageKite - Comprehensive open source solution with hosted options.
• Crowbar - Tunnels TCP connections over HTTP GET and POST requests.
• tunneller - Open source. Written in Go.
• jprq - Proxies over WebSockets. Written in Python.
• boringproxy - Designed to be very easy to use. No config files. Clients can be remote-controlled through a simple WebUI and/or REST API on the server.
• docker-tunnel - Simple Docker-based nginx+SSH solution.
• pgrok - Fork of ngrok 1.0, with more recent commits.
• remotemoe - SSH-based, with custom golang server. Does some cool unique things. Instead of just plain tunnels, it drops you into a basic CLI UI that offers several useful commands interactively, such as adding a custom hostname. Also allows end-to-end encryption for both HTTPS and upstream SSH. Doesn't appear to offer non-e2e HTTPS, ie no auto Let's Encrypt support.
• SirTunnel - Minimal, self-hosted, 0-config alternative to ngrok. Similar to sish but leverages Caddy+OpenSSH rather than custom server code.
• holepunch.io - Has nice hosted solution. Uses SSH for muxing.
• StaqLab Tunnel - SSH-based. Client is open source. Server doesn't appear to be.
• tnnlink - SSH-based. Golang. Not maintained.
• Telebit - Written in JS. Code.
• SSH-J.com - Public SSH Jump & Port Forwarding server. No software, no registration, just an anonymous SSH server for forwarding. Users are encouraged to use it for SSH exposure only, to preserve end-to-end encryption. No public ports, only in-SSH connectivity. Run ssh ssh-j.com and it will display usage information.

Commercial/Closed source

• ngrok 2.0 - Probably the gold standard and most popular. Closed source. Lots of features, including TLS and TCP tunnels. Doesn't require root to run client.
• Tailscale - Built on WireGuard. Easy to use. Doesn't include an HTTPS proxy on the public side, but could be combined with nginx/Caddy/etc. Client code available with a BSD3 license + separate patents file.
• Loophole - Offers end-to-end TLS encryption with the client automatically getting certs from Let's Encrypt. QR codes for URL sharing.
• CloudFlare Argo Tunnel - Free usage available. $5/mo + $0.1/GB. Integrates with Argo smart routing. Client source code is available.
• localhost.run - Simple hosted SSH option. Supports custom domains for a cost.
• Packetriot - Comprehensive alternative to ngrok. HTTP Inspector, Let's Encrypt integration, doesn't require root and Linux repos for apt, yum and dnf. Enterprise licenses and self-hosted option.
• Lynk - Advertises itself as a cheaper, faster, self-hostable (but not open source) alternative to ngrok. Blog post.
• Hoppy - WireGuard-based. Provides static IPv4 and IPv6 addresses for your machines, which is a simple and useful level of abstraction. Targeted towards self-hosters and people behind NATs.
• gw.run - Specifically focusing on securely exposing internal web apps to a group of people; not for publicly facing apps. Share access via email address then allow users to log in with common login providers like Google.
• SSHReach.me - Paid SSH-based option. Uses a simple python script.
• KubeSail - Company offering tunneling, dynamic DNS, and other services for self-hosting with Kubernetes.
• serveo - Mentioned quite a bit the last couple years, but appears to be down currently. Simply uses SSH for tunneling.

Reference

• Roll your own Ngrok with Nginx, Letsencrypt, and SSH reverse tunnelling
• Poor man's ngrok with tcp proxy and ssh reverse tunnel
• How I built Ngrok Alternative (jprq)
• Great SO answer by AJ ONeal about how these things work
• Talk by AJ ONeal about tunneling tech

Discussions

• HN comment about needing Namecheap + CloudFlare + ngrok.