This is nice and for those who's asking, it's different from ngrok and the others in that you don't need a separate client, (almost) everyone has ssh installed.
To the author, I wish you best of luck with this but be aware (if you aren't) this will attract all kind of bad and malicious users who want nothing more than a "clean" IP to funnel their badness through.
serveo.net [2] tried it 8 years ago, but when I wanted to use it I at some point I found it was no longer working, as I remember the author said there was too much abuse for him to maintain it as a free service
Even the the ones where you have to register like cloudflare tunnels and ngrok are full of malware, which is not a risk to you as a user but means they are often blocked.
Also a little rant, tailscale has their own one also called funnel. It has the benefit of being end-to-end encrypted (in theory) but the downside that you are announcing your service to the world through the certificate transparency logs. So your little dev project will have bots hammering on it (and trying to take your .git folder) within seconds from you activating the funnel. So make sure your little project is ready for the internet with auth and has nothing sensitive at guessable paths.
Do you have funding to cover the paying the bandwidth costs which will ultimately result from this? Or if you're running this from a home network, does anyone know if OP should be concerned of running into issues with their ISP?
Yeah, this is the next step. I first wanted to understand if this gets any traction. I think I will provide a dockerized version for the server part that you can just run with a simple command and maybe some interface to create api keys and distribute them to your users.
You should also consider grouping your random hostnames under a dedicated subdomain. e.g. "xxx-xxx-xxx.users.tunnl.gg", that separates out cookies and suchlike.
I run a similar site (https://pico.sh) with public urls and thought the same thing for us. The public suffix has some fuzzy limits on usage size before they will add domains (e.g. on the scale of thousands of active users).
I don’t have tunnl.gg usage numbers but I’m going to guess they are no where near the threshold — we were also rejected.
Thats a fair point, there are some protections in place for abuse already. I will have a look at what ngrok does for browser warnings. Thanks a lot for the suggestions.
Be aware of threat actors, too: you're giving them an easy data exfil route without the hassle and risk of them having to set up their own infrastructure.
Back in the day you could have stood up something like this and worried about abuse later. Unfortunately, now, a decent proportion early users of services like this do tend to be those looking to misuse it.
I'm not who you asked, but essentially, when you write malware that infects someone's PC, that in itself doesn't really help you much. You usually want to get out passwords and other data that you might have stolen.
This is where an exfil (exfiltration) route is needed. You could just send the data to a server you own, but you have to make sure that there are fallbacks once that one gets taken down. You also need to ensure that your exfiltration won't be noticed by a firewall and blocked.
Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.
> Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.
A permanent SSH connection is not exactly discreet, though...
I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.
I used ngrok when it was the to-go answer for serving localhost (temporarily, not permanent) to the public, but the last time I searched for alternatives I stumbled upon the following jewel.
> tailscale funnel 3000
Available on the internet:
https://some-device-name.tail12345.ts.net/
|-- proxy http://127.0.0.1:3000
Press Ctrl+C to exit.
I've tailscale installed on my machine anyway for some connected devices. But even without this would convince me using it, because it's part of the free tier, dead simple and with tailscale it's coming from kind of a trusted entity.
Hey, I didn't mean to sell another tool over yours! It's just an experience that popped into my mind and I wanted to share. I appreciate your work and contributing to the problem space of exposing a local service. Thank you.
Not that you'd usually need this if you have IPv6 but might still be useful to bypass firewalls or forward access for IPv4 clients from your newer IPv6-only resources.
I can't promise anything this is a pet project. I might turn it into an open source project, and I might also provide some kind of service for a few bucks if it gets traction.
Good luck with your future mim data sniffing or selective takeovers, I guess? Not sure what the business model would be, unless you’re planning on injecting ads, which would be funny.
Unless the author is insanely rich, they probably don't want to spend increasingly large amounts on hosting unless they have a way to make money back (even if it's just to break even).
That is wrong (and I need to update any docs that mention this), the traffic is not encrypted end to end, we do TLS termination on our side. From that point on traffic is forwarded back as plain HTTP. However I would in any case not suggest to host any production applications using this service. It is mostly for local dev testing.
If you’re in the EU or have users in the EU, that distinction matters, and you should be more precise. You likely have a solid legitimate use case for collecting IPs under the GDPR, but only if you’re fully transparent.
This is nice and for those who's asking, it's different from ngrok and the others in that you don't need a separate client, (almost) everyone has ssh installed.
To the author, I wish you best of luck with this but be aware (if you aren't) this will attract all kind of bad and malicious users who want nothing more than a "clean" IP to funnel their badness through.
serveo.net [2] tried it 8 years ago, but when I wanted to use it I at some point I found it was no longer working, as I remember the author said there was too much abuse for him to maintain it as a free service
I ended up self-hosting sish https://docs.ssi.sh instead.
Even the the ones where you have to register like cloudflare tunnels and ngrok are full of malware, which is not a risk to you as a user but means they are often blocked.
Also a little rant, tailscale has their own one also called funnel. It has the benefit of being end-to-end encrypted (in theory) but the downside that you are announcing your service to the world through the certificate transparency logs. So your little dev project will have bots hammering on it (and trying to take your .git folder) within seconds from you activating the funnel. So make sure your little project is ready for the internet with auth and has nothing sensitive at guessable paths.
[2] https://news.ycombinator.com/item?id=14842951
Thanks for the kind words. I hope I won't have to close this service in a few days due to abuse but its a weird world we live in.
Do you have funding to cover the paying the bandwidth costs which will ultimately result from this? Or if you're running this from a home network, does anyone know if OP should be concerned of running into issues with their ISP?
It would be nice to have an open-source version that you can self-host. That would solve the abuse problem. Maybe with a service to create API keys.
Yeah, this is the next step. I first wanted to understand if this gets any traction. I think I will provide a dockerized version for the server part that you can just run with a simple command and maybe some interface to create api keys and distribute them to your users.
If you keep this up you'll want to add yourself to the public suffix list:
https://publicsuffix.org/
You should also consider grouping your random hostnames under a dedicated subdomain. e.g. "xxx-xxx-xxx.users.tunnl.gg", that separates out cookies and suchlike.
I run a similar site (https://pico.sh) with public urls and thought the same thing for us. The public suffix has some fuzzy limits on usage size before they will add domains (e.g. on the scale of thousands of active users).
I don’t have tunnl.gg usage numbers but I’m going to guess they are no where near the threshold — we were also rejected.
I just want to say that I love pico.sh <3
much appreciated!
This is a great idea but I'm a bit concerned about your bandwidth costs and illegal/malicious content being hosted used under your domain.
For the second point, you might want to implement some kind of browser warning similar to what Ngrok does.
Thats a fair point, there are some protections in place for abuse already. I will have a look at what ngrok does for browser warnings. Thanks a lot for the suggestions.
Be aware of threat actors, too: you're giving them an easy data exfil route without the hassle and risk of them having to set up their own infrastructure.
Back in the day you could have stood up something like this and worried about abuse later. Unfortunately, now, a decent proportion early users of services like this do tend to be those looking to misuse it.
What's a "data exfil route"?
I'm not who you asked, but essentially, when you write malware that infects someone's PC, that in itself doesn't really help you much. You usually want to get out passwords and other data that you might have stolen.
This is where an exfil (exfiltration) route is needed. You could just send the data to a server you own, but you have to make sure that there are fallbacks once that one gets taken down. You also need to ensure that your exfiltration won't be noticed by a firewall and blocked.
Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.
> Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.
A permanent SSH connection is not exactly discreet, though...
Thanks!
Though the public address is going to be random here so how will the hacker figure out which tunnl.gg subdomain to gobble up?
I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.
Is this any different from localtunnel? Nice thing about that one is that its oss, actually we forked it in my company to do some more custom stuff.
Any plan to make it oss?
https://github.com/desplega-ai/localtunnel-server
I am actually thinking about making it open source yes, probably after I adjust the code a little bit :D maybe today or in a couple of days.
Shell function;
``` tunnl() { if [ -z "$1" ]; then echo "Usage: tunnl <local-port>" return 1 fi
} ```There's also https://tunnelmole.com but requires binary or npm install
I used ngrok when it was the to-go answer for serving localhost (temporarily, not permanent) to the public, but the last time I searched for alternatives I stumbled upon the following jewel.
I've tailscale installed on my machine anyway for some connected devices. But even without this would convince me using it, because it's part of the free tier, dead simple and with tailscale it's coming from kind of a trusted entity.I am also using tailscale for a few projects as well. Feel free to use whatever you trust more or works for you.
Hey, I didn't mean to sell another tool over yours! It's just an experience that popped into my mind and I wanted to share. I appreciate your work and contributing to the problem space of exposing a local service. Thank you.
Seemingly lacking IPv6 support?
Not that you'd usually need this if you have IPv6 but might still be useful to bypass firewalls or forward access for IPv4 clients from your newer IPv6-only resources.
Indeed there is no IPv6 support yet.
How is it different to ngrok? Genuinely curious, I might switch.
Not really that different, besides any kind of time limitations or number of request limitations.
How are you able to host it for free?
I am paying for it out of pocket. Its free for you to use, but not for me to host it :)
The question is, how is it sustainable? Nobody likes being rug pulled. Why not charge money for it?
I'd rather pay a few dollars for a service that will be around 5 years from now, than pay nothing and have to deal with churn.
I can't promise anything this is a pet project. I might turn it into an open source project, and I might also provide some kind of service for a few bucks if it gets traction.
Good luck with your future mim data sniffing or selective takeovers, I guess? Not sure what the business model would be, unless you’re planning on injecting ads, which would be funny.
Why does everything have to be a business model?
Unless the author is insanely rich, they probably don't want to spend increasingly large amounts on hosting unless they have a way to make money back (even if it's just to break even).
I am not rich and I don't need to be to keep this service up and running at least for the near future.
To keep this up and running for 2-3 years, you probably do need to be rich, or to find a way to monetize.
It's possible when it gets to be a drain, even charging pennies for the service could drive off the bad actors making it unsustainable though.
...", Russian FSB manager, 2025
Thanks, but I don't have such plans, lol.
Built another localhost tunneling tool because I kept forgetting my ngrok auth token.
What it does:
- Expose localhost to the internet (HTTP/TCP/WebSockets) - Zero signup – just works immediately - Free
Nothing groundbreaking, just scratching my own itch for a no-friction tunnel service. Written in Go.
Link: https://tunnl.gg
Happy to answer questions or hear how you'd improve it.
You are mentioning it's encrypted end-to-end; please explain how your server is unable to read the contents of the stream?
That is wrong (and I need to update any docs that mention this), the traffic is not encrypted end to end, we do TLS termination on our side. From that point on traffic is forwarded back as plain HTTP. However I would in any case not suggest to host any production applications using this service. It is mostly for local dev testing.
Why not just buy trial or cheap VM? Are devs that lazy now? Or is this aimed on vibe "devs"? :D
Love the approach, simplicity and concept. SPA works fine if entry point is / if /terms /privacy greated with 404.
Hey, thanks for the comment. I am having a look with my own apps and it seems to work with pages and nextjs middleware as well.
It's bit less convenient, but I have access to a vps and a dns with a custom domain.
I can create any subdomain I want and tunnel the connexion to any port on my computer.
=> I can spinup a new subdomain in seconds, no data leakage, url that doesn't change, and it's cost nothing.
Whatever works for you best :)
Interesting! How do you handle port conflicts? What ports for public exposure are available?
Curious about this as well.
How does this compare to cloudflare or even a self-hosted tailscale tunnel?
Also do you collect any data? Privacy says
> We do not collect, store, or sell your personal data.
But I guess personal data is a bit ambiguous. You're at the very least collecting my IP (which is fine, I'm just curious)
Yes that is true (the IP is collected), what I meant is that we don't explicitly collect data on purpose.
If you’re in the EU or have users in the EU, that distinction matters, and you should be more precise. You likely have a solid legitimate use case for collecting IPs under the GDPR, but only if you’re fully transparent.
I updated the terms, thanks for the heads up.
That's really cool. I guess this is an alternative to ngrok (which I like but hate due to having to sign in).
Not many people know that you can use cloudflare tunnels without signing up.
I sure did not! How would that work? Manually pointing the domain as a CNAME to the tunnel ID? But how would one get that ID without signing up?
I have a demo with working GitHub runner workflow code here: https://github.com/BrowserBox/ariadne
Specifically: https://github.com/BrowserBox/ariadne/blob/f07e3b0d445f5d4a8...
Yes, its free to use and does not require any clients (but you need to have ssh client installed)