Tunnl.gg

Posted by klipitkas 7 days ago

Comments

Comment by gnyman 7 days ago

This is nice and for those who's asking, it's different from ngrok and the others in that you don't need a separate client, (almost) everyone has ssh installed.

To the author, I wish you best of luck with this but be aware (if you aren't) this will attract all kind of bad and malicious users who want nothing more than a "clean" IP to funnel their badness through.

serveo.net [2] tried it 8 years ago, but when I wanted to use it I at some point I found it was no longer working, as I remember the author said there was too much abuse for him to maintain it as a free service

I ended up self-hosting sish https://docs.ssi.sh instead.

Even the the ones where you have to register like cloudflare tunnels and ngrok are full of malware, which is not a risk to you as a user but means they are often blocked.

Also a little rant, tailscale has their own one also called funnel. It has the benefit of being end-to-end encrypted (in theory) but the downside that you are announcing your service to the world through the certificate transparency logs. So your little dev project will have bots hammering on it (and trying to take your .git folder) within seconds from you activating the funnel. So make sure your little project is ready for the internet with auth and has nothing sensitive at guessable paths.

[2] https://news.ycombinator.com/item?id=14842951

Comment by apitman 7 days ago

A few other options as well: https://github.com/anderspitman/awesome-tunneling

Comment by kej 6 days ago

Just want to say that I appreciate you maintaining this list. It's one of those things I need to do every now and then, so having a place that gives me a current summary of the options is very handy.

Comment by klipitkas 7 days ago

Thanks for the kind words. I hope I won't have to close this service in a few days due to abuse but its a weird world we live in.

Comment by jjcm 7 days ago

As someone who has launched something free on HN before, the resulting signups were around 1/3rd valid users doing cool things and checking things out, and 2/3rds nefarious users.

Comment by tonymet 7 days ago

a bit better benevolent:malicious ratio than the real world

Comment by hrimfaxi 6 days ago

2/3rds of people in the world are malicious?

Comment by tonymet 6 days ago

2/3 of resources will typically be spent by malicious/nefarious/abusive users.

[edit] for clarity

Comment by ValdikSS 6 days ago

My service (which doesn't have public access, only via SSH as a client) was used by a ransomware gang, which involved the service in investigation from Dutch CERT and Dubai police.

It's still live though.

Comment by patricklorio 7 days ago

I run playit.gg. Abuse is a big problem on our free tier. I’d get https://github.com/projectdiscovery/nuclei setup to scan your online endpoints and autoban detections of c2 servers.

Comment by jborak 6 days ago

Thanks for sharing this. I run packetriot.com, another tunneling service and I ended up writing my own scanner for endpoints using keyword lists I gathered from various infosec resources.

I had done some account filtering for origins coming out of Tor, VPN networks, data centers, etc. but I recently dropped those and added an portal page for free accounts, similar to what ngrok does.

It was very effective at preventing abuse. I also added mechanism for reporting abuse on the safety page that's presented.

Comment by patricklorio 6 days ago

Have you found a way to detect xworm c2c servers?

Comment by jborak 3 days ago

Our services were used for C2 as well. I investigated it a bit but eventually decided to just drop TCP forwarding from our free-tier and that reduced our abuse/malware reports for C2 over TCP to zero essentially.

One path I looked at was to use the VirusTotal API to help identify C2's that other security organizations were identifying and leverage that to automatically take down malicious TCP endpoints. I wrote some POCs but did not deploy them. It's something I plan on taking up again at some point next year.

Comment by patricklorio 3 days ago

Want to chat on discord? Maybe we could combine efforts to try and stop people abusing our services :). We have a few vendors sending us automated reports, maybe I could open it up for multiple projects.

feel free to give me a ping on https://discord.gg/AXAbujx @patrick.

Comment by pcthrowaway 7 days ago

Do you have funding to cover the paying the bandwidth costs which will ultimately result from this? Or if you're running this from a home network, does anyone know if OP should be concerned of running into issues with their ISP?

Comment by klipitkas 7 days ago

I can cover hundreds of PB of bandwidth per month if needed without paying a fortune.

Comment by kilobaud 7 days ago

Can you share more details? I know Hetzner offers unlimited bandwidth in some cases but I thought it limited only to servers with the 1Gbs uplink

Comment by aamoscodes 7 days ago

Work closet /s

Comment by kilobaud 7 days ago

The tunnel host appears to be a Hetzner server, they are pretty generous with bandwidth but the interesting thing I learned about doing some scalability improvements at a similar company [0] is that for these proxy systems, each direction’s traffic is egress bandwidth. Good luck OP, the tool looks cool. Kinda like pinggy.

[0] https://localxpose.io

Comment by dlenski 7 days ago

Dare I ask how much bandwidth it is consuming?

Comment by klipitkas 7 days ago

Its around 700MB today so far.

Comment by sorz 5 days ago

Random thoughts: one can get user's ssh public keys from GitHub on the fly (from `https://github.com/<username>.keys`), so that it requires a valid GitHub account to use this service, without (extra) auth process.

Comment by resiros 7 days ago

It would be nice to have an open-source version that you can self-host. That would solve the abuse problem. Maybe with a service to create API keys.

Comment by klipitkas 7 days ago

Yeah, this is the next step. I first wanted to understand if this gets any traction. I think I will provide a dockerized version for the server part that you can just run with a simple command and maybe some interface to create api keys and distribute them to your users.

Comment by popalchemist 7 days ago

Fair enough from a business standpoint, but seeing as there are massive privacy/security risks involved in exposing your data to an opaque service, the open source component is probably a non-optional aspect of the value prop.

Comment by rgbrgb 7 days ago

how come? just because it's open source doesn't mean that they run that exact binary on their servers. ngrok does pretty well without open sourcing.

Comment by popalchemist 6 days ago

The locus of trust moves, if you have the source, and trust is a factor for you, because you can simply self-host and know what you're running.

Comment by PLG88 4 days ago

fwiw, ngrok started as open source

Comment by cyberax 7 days ago

We're using pgrok for that in our organization. A small EC2 instance serves as the public endpoint.

Comment by LelouBil 6 days ago

OpenSSH is preinstalled on Windows as well, so I think it's not a stretch to say everyone has ssh now.

Comment by stevekemp 7 days ago

If you keep this up you'll want to add yourself to the public suffix list:

https://publicsuffix.org/

You should also consider grouping your random hostnames under a dedicated subdomain. e.g. "xxx-xxx-xxx.users.tunnl.gg", that separates out cookies and suchlike.

Comment by qudat 7 days ago

I run a similar site (https://pico.sh) with public urls and thought the same thing for us. The public suffix has some fuzzy limits on usage size before they will add domains (e.g. on the scale of thousands of active users).

I don’t have tunnl.gg usage numbers but I’m going to guess they are no where near the threshold — we were also rejected.

Comment by phrotoma 7 days ago

I just want to say that I love pico.sh <3

Comment by qudat 7 days ago

much appreciated!

Comment by madethemcry 7 days ago

I used ngrok when it was the to-go answer for serving localhost (temporarily, not permanent) to the public, but the last time I searched for alternatives I stumbled upon the following jewel.

   > tailscale funnel 3000

   Available on the internet:

   https://some-device-name.tail12345.ts.net/
   |-- proxy http://127.0.0.1:3000

   Press Ctrl+C to exit.

I've tailscale installed on my machine anyway for some connected devices. But even without this would convince me using it, because it's part of the free tier, dead simple and with tailscale it's coming from kind of a trusted entity.

Comment by bomewish 7 days ago

Hey really recommend using a big long random string in that URL, because as you will have read above TAILNET NAMES ARE PUBLIC. You can find them here: https://crt.sh/?Identity=ts.net [warning, this will probably crash browser if you leave it open too long -- but you can see it's full of tailnet domains].

So anyway try it like:

tailscale funnel --set-path=/A8200B0F-6E0E-4FE2-9135-8A440DB9469D http://127.0.0.1:8001 or whatever

I use uuidgen and voila.

Comment by ftchd 5 days ago

so what exactly does this do?

Comment by bomewish 1 day ago

Gives you a randomised domain name for your service so it’s not exposed to the internet on the url that has already been publicly exposed.

Comment by klipitkas 7 days ago

I am also using tailscale for a few projects as well. Feel free to use whatever you trust more or works for you.

Comment by madethemcry 7 days ago

Hey, I didn't mean to sell another tool over yours! It's just an experience that popped into my mind and I wanted to share. I appreciate your work and contributing to the problem space of exposing a local service. Thank you.

Comment by 1vuio0pswjnm7 7 days ago

"We cooperate with law enforcement agencies when required by law. While we do not inspect traffic content, we will provide connection logs and IP address information in response to valid legal process (such as a subpoena or court order) to assist in investigations regarding illegal activity."

https://tunnl.gg/assets/index-Bjpn0hFX.js

If the requesting party knows it's possible they might ask for traffic to be logged

Comment by klipitkas 7 days ago

I can also deny, if I don't consider the case valid or shutdown the hosted service if I want to. I plan to open source it anyway within the next days.

Comment by gaws 5 days ago

> I can also deny if I don't consider the case valid

It wouldn't take much for law enforcement or a judge to force cooperation.

Comment by rany_ 7 days ago

This is a great idea but I'm a bit concerned about your bandwidth costs and illegal/malicious content being hosted used under your domain.

For the second point, you might want to implement some kind of browser warning similar to what Ngrok does.

Comment by klipitkas 7 days ago

Thats a fair point, there are some protections in place for abuse already. I will have a look at what ngrok does for browser warnings. Thanks a lot for the suggestions.

Comment by gnfargbl 7 days ago

Be aware of threat actors, too: you're giving them an easy data exfil route without the hassle and risk of them having to set up their own infrastructure.

Back in the day you could have stood up something like this and worried about abuse later. Unfortunately, now, a decent proportion early users of services like this do tend to be those looking to misuse it.

Comment by skrebbel 7 days ago

What's a "data exfil route"?

Comment by lionkor 7 days ago

I'm not who you asked, but essentially, when you write malware that infects someone's PC, that in itself doesn't really help you much. You usually want to get out passwords and other data that you might have stolen.

This is where an exfil (exfiltration) route is needed. You could just send the data to a server you own, but you have to make sure that there are fallbacks once that one gets taken down. You also need to ensure that your exfiltration won't be noticed by a firewall and blocked.

Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.

Comment by skrebbel 7 days ago

Thanks!

Though the public address is going to be random here so how will the hacker figure out which tunnl.gg subdomain to gobble up?

Comment by gnfargbl 7 days ago

That's actually a fair defence against this kind of abuse. If the attacker has to get some information (the tunnel ID) out of the victim's machine before they can abuse this service, then it is less useful to them because getting the tunnel ID out is about as hard as just getting the actual data out.

However, if "No signup required for random subdomains" implies that stable subdomains can be obtained with a signup, then the bad guys are just going to sign up.

Comment by rany_ 7 days ago

I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.

Comment by ale42 7 days ago

> Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.

A permanent SSH connection is not exactly discreet, though...

Comment by tarasyarema 7 days ago

Is this any different from localtunnel? Nice thing about that one is that its oss, actually we forked it in my company to do some more custom stuff.

Any plan to make it oss?

https://github.com/desplega-ai/localtunnel-server

Comment by klipitkas 7 days ago

I am actually thinking about making it open source yes, probably after I adjust the code a little bit :D maybe today or in a couple of days.

Comment by bashy 7 days ago

Shell function;

``` tunnl() { if [ -z "$1" ]; then echo "Usage: tunnl <local-port>" return 1 fi

  ssh -t -R 80:localhost:"$1" proxy.tunnl.gg

} ```

There's also https://tunnelmole.com but requires binary or npm install

Comment by klipitkas 7 days ago

Built another localhost tunneling tool because I kept forgetting my ngrok auth token.

What it does:

- Expose localhost to the internet (HTTP/TCP/WebSockets) - Zero signup – just works immediately - Free

Nothing groundbreaking, just scratching my own itch for a no-friction tunnel service. Written in Go.

Link: https://tunnl.gg

Happy to answer questions or hear how you'd improve it.

Comment by koolala 7 days ago

Since it uses websockets you could host a website from inside a website? How will you handle pricing for this to keep the service running?

Comment by klipitkas 7 days ago

There is a maximum time limit for connections right now which is 24hr or 30min of inactivity.

Comment by koolala 6 days ago

Could a cacheing service let static sites be cached when offline? I'm not sure if caching sub-domains like this would work but if its a tiny fee to cache maybe that could be a paid feature if your designing those. Like $1 per month could give you a static domain and XX monthly cache updates? As opposed to uploading somewhere like Github Codespaces or a Cloud-Flare service.

Direct real-time connections could be a path like nl.gg/# or a private key that someone could change. Some way to have a public site thats hosted globally for 'nearly free' while also being able to locally host a private url to the dev version for sharing temporarily while your connected. Maybe even a totally different domain.

Comment by szemy2 7 days ago

How is it different to ngrok? Genuinely curious, I might switch.

Comment by klipitkas 7 days ago

Not really that different, besides any kind of time limitations or number of request limitations.

Comment by BinaryIgor 7 days ago

Interesting! How do you handle port conflicts? What ports for public exposure are available?

Comment by klipitkas 7 days ago

On the VPS we use: - 80 (standard http) - 443 (standard https) - 22 (obv for standard ssh) - 9090 (metrics / internal so I can have an idea of the generic usage like reqs/s and active connections)

Client-Side: The -R 80:localhost:8080 Explained The 80 in -R 80:localhost:8080 is not a real port on the server. It's a virtual bind port that tells the SSH client what port to "pretend" it's listening on.

No port conflicts - The server doesn't actually bind to port 80 per tunnel. Each tunnel gets an internal listener on 127.0.0.1:random (ephemeral port). The 80 is just metadata passed in the SSH forwarded-tcpip channel. All public traffic comes through single port 443 (HTTPS), routed by subdomain.

So What Ports Are "Available" to Users?

Any port - because it doesn't matter! Users can specify any port in -R: ssh -t -R 80:localhost:3000 proxy.tunnl.gg # Works ssh -t -R 8080:localhost:3000 proxy.tunnl.gg # Also works ssh -t -R 3000:localhost:3000 proxy.tunnl.gg # Also works ssh -t -R 1:localhost:3000 proxy.tunnl.gg # Even this works!

The number is just passed to the SSH client so it knows which forwarded-tcpip requests to accept. The actual routing is done by subdomain, not port.

Why Use 80 Convention?

It's just convention - many SSH clients expect port 80 for HTTP forwarding. But functionally, any number works because:

- Server extracts BindPort from the SSH request - Stores it in the tunnel struct - Sends it back in forwarded-tcpip channel payload - Client matches on this to forward to correct local port - The "magic" is that all 1000 possible tunnels share the same public ports (22, 80, 443) and are differentiated by subdomain.

Comment by BinaryIgor 7 days ago

Nicely done! Thanks for the detailed answer ;)

Comment by ritcgab 7 days ago

Curious about this as well.

Comment by tambre 7 days ago

Seemingly lacking IPv6 support?

Not that you'd usually need this if you have IPv6 but might still be useful to bypass firewalls or forward access for IPv4 clients from your newer IPv6-only resources.

Comment by klipitkas 7 days ago

Indeed there is no IPv6 support yet.

Comment by rishikeshs 7 days ago

How are you able to host it for free?

Comment by klipitkas 7 days ago

I am paying for it out of pocket. Its free for you to use, but not for me to host it :)

Comment by zarzavat 7 days ago

The question is, how is it sustainable? Nobody likes being rug pulled. Why not charge money for it?

I'd rather pay a few dollars for a service that will be around 5 years from now, than pay nothing and have to deal with churn.

Comment by klipitkas 7 days ago

I can't promise anything this is a pet project. I might turn it into an open source project, and I might also provide some kind of service for a few bucks if it gets traction.

Comment by shadows1 7 days ago

Good luck with your future mim data sniffing or selective takeovers, I guess? Not sure what the business model would be, unless you’re planning on injecting ads, which would be funny.

Comment by hashworks 7 days ago

Why does everything have to be a business model?

Comment by charlie-83 7 days ago

Unless the author is insanely rich, they probably don't want to spend increasingly large amounts on hosting unless they have a way to make money back (even if it's just to break even).

Comment by klipitkas 7 days ago

I am not rich and I don't need to be to keep this service up and running at least for the near future.

Comment by pcthrowaway 7 days ago

To keep this up and running for 2-3 years, you probably do need to be rich, or to find a way to monetize.

It's possible when it gets to be a drain, even charging pennies for the service could drive off the bad actors making it unsustainable though.

Comment by klipitkas 7 days ago

For the foreseeable future and unless there is massive abuse, which I am trying to contain, it will remain free.

Comment by Fokamul 7 days ago

...", Russian FSB manager, 2025

Comment by klipitkas 7 days ago

Thanks, but I don't have such plans, lol.

Comment by hugoromano 7 days ago

Love the approach, simplicity and concept. SPA works fine if entry point is / if /terms /privacy greated with 404.

Comment by klipitkas 7 days ago

Hey, thanks for the comment. I am having a look with my own apps and it seems to work with pages and nextjs middleware as well.

Comment by computer 7 days ago

You are mentioning it's encrypted end-to-end; please explain how your server is unable to read the contents of the stream?

Comment by klipitkas 7 days ago

That is wrong (and I need to update any docs that mention this), the traffic is not encrypted end to end, we do TLS termination on our side. From that point on traffic is forwarded back as plain HTTP. However I would in any case not suggest to host any production applications using this service. It is mostly for local dev testing.

Comment by Fokamul 7 days ago

Why not just buy trial or cheap VM? Are devs that lazy now? Or is this aimed on vibe "devs"? :D

Comment by Zambyte 7 days ago

To some people (students, people in low income countries) there are no cheap hosted VMs.

Comment by klipitkas 7 days ago

Agreed and even devs who have the money, most of the times don't have the time.

Comment by klipitkas 7 days ago

It's not my target audience. Also as a dev I hate spending more than a couple of seconds to do this. This service exists mainly to scratch my own itch.

Comment by oliviergg 7 days ago

It's bit less convenient, but I have access to a vps and a dns with a custom domain.

I can create any subdomain I want and tunnel the connexion to any port on my computer.

=> I can spinup a new subdomain in seconds, no data leakage, url that doesn't change, and it's cost nothing.

Comment by klipitkas 7 days ago

Whatever works for you best :)

Comment by ramon156 7 days ago

How does this compare to cloudflare or even a self-hosted tailscale tunnel?

Also do you collect any data? Privacy says

> We do not collect, store, or sell your personal data.

But I guess personal data is a bit ambiguous. You're at the very least collecting my IP (which is fine, I'm just curious)

Comment by klipitkas 7 days ago

Yes that is true (the IP is collected), what I meant is that we don't explicitly collect data on purpose.

Comment by d1sxeyes 7 days ago

If you’re in the EU or have users in the EU, that distinction matters, and you should be more precise. You likely have a solid legitimate use case for collecting IPs under the GDPR, but only if you’re fully transparent.

Comment by klipitkas 7 days ago

I updated the terms, thanks for the heads up.

Comment by ValdikSS 6 days ago

I'm running the similar but different, protocol-agnostic service: https:/ssh-j.com/

Only regular SSH to serve, regular SSH to connect. No public URLs though (it's not for web services).

Comment by fuzzy_biscuit 7 days ago

I love the concept, but I have one gripe: the subscription email is coming from a Gmail address, so I have no trust. I'd love to see it coming from the same domain. Also, it went to spam.

Comment by klipitkas 7 days ago

Hey, I updated this to be a tunnl.gg domain, thanks.

Comment by rohan_ 6 days ago

Does this just wrap cloudflare tunnels?

Comment by canopi 7 days ago

That's really cool. I guess this is an alternative to ngrok (which I like but hate due to having to sign in).

Comment by klipitkas 7 days ago

Yes, its free to use and does not require any clients (but you need to have ssh client installed)

Comment by keepamovin 7 days ago

Not many people know that you can use cloudflare tunnels without signing up.

Comment by frizlab 7 days ago

I sure did not! How would that work? Manually pointing the domain as a CNAME to the tunnel ID? But how would one get that ID without signing up?

Comment by keepamovin 7 days ago

I have a demo with working GitHub runner workflow code here: https://github.com/BrowserBox/ariadne

Specifically: https://github.com/BrowserBox/ariadne/blob/f07e3b0d445f5d4a8...

Comment by kilobaud 7 days ago

Hey if you are interested in re-using any of this GitHub Action, feel free to: https://github.com/LocalXpose/localxpose-action

Comment by keepamovin 7 days ago

Thank you bud, was not aware of local expose. There’s a bunch of these tunneling services out there, what makes yours uniquely cool?

Comment by kilobaud 6 days ago

Probably not an exciting answer but my work focused on stability and performance. There are indeed a lot of cool alternatives. I think Localxpose is for businesses who aren't interested in self-hosting and just need a service that will reliably handle production traffic. I don't know if that's unique (or cool, lol)

Comment by keepamovin 2 days ago

Alrighty, well I might through it into the BrowserBox mix. We are currently using a variety of tunnels for punching through network layers and providing networking flexibility.

Comment by rollingstone23 7 days ago

I have used serveo.net in the past for the same use case, this looks cool !

Comment by cush 7 days ago

How do the Certs work for https?

Comment by FrinkleFrankle 7 days ago

If you want to do this another way, Tailscale funnel can send public traffic into your tailnet Traefik supports pulling the Tailscale cert from its socket.

Comment by watermelon0 7 days ago

I'd assume it uses a single wildcard certificate.

Comment by klipitkas 7 days ago

Yes, thats exactly how it works for the multiple subdomains.

Comment by raggi 7 days ago

Periodic reminder that just because Go having an easy to use SSH package made these easy to write, connecting to SSH servers and doing TOFU all the time with the keys is far far less safe than webpki, and this service could be relatively easily mitm'd in key scenarios like people being tricked at conferences. It's not as terrifying as the coffee shop taking payments over SSH, but still, this isn't doing E2EE, it's terminating TLS upstream.

There's no SSHFP record (not that openssh uses it by default, and you'd need DNSSEC to make it actually useful), and no public keys documented anywhere to help people avoid MITM/TOFU events.

I get the UX, but it saddens me to see more SSH products that don't understand the SSH security model.