9 Cloudflare Tunnels Alternatives for Self-Hosters

I’ve been using Cloudflare Tunnel for over a year, and while it’s great for hosting static HTML content securely, it has its limitations.

For instance, if you’re running something like Jellyfin, you might run into issues with bandwidth limits, which can lead to account bans due to their terms of service.

Cloudflare Tunnel is designed with lightweight use cases in mind, but what if you need something more robust and self-hosted?

Let me introduce you to some fantastic open-source alternatives that can give you the freedom to host your services without restrictions.

1. ngrok (OSS Edition)

ngrok is a globally distributed reverse proxy designed to secure, protect, and accelerate your applications and network services, regardless of where they are hosted.

Acting as the front door to your applications, ngrok integrates a reverse proxy, firewall, API gateway, and global load balancing into one seamless solution.

Although the original open-source version of ngrok (v1) is no longer maintained, the platform continues to contribute to the open-source ecosystem with tools like Kubernetes operators and SDKs for popular programming languages such as Python, JavaScript, Go, Rust, and Java.

Key features:

• Securely connect APIs and databases across networks without complex configurations.
• Expose local applications to the internet for demos and testing without deployment.
• Simplify development by inspecting and replaying HTTP callback requests.
• Implement advanced traffic policies like rate limiting and authentication with a global gateway-as-a-service.
• Control device APIs securely from the cloud using ngrok on IoT devices.
• Capture, inspect, and replay traffic to debug and optimize web services.
• Includes SDKs and integrations for popular programming languages to streamline workflows.

2. frp (Fast Reverse Proxy)

frp (Fast Reverse Proxy) is a high-performance tool designed to expose local servers located behind NAT or firewalls to the internet.

Supporting protocols like TCP, UDP, HTTP, and HTTPS, frp enables seamless request forwarding to internal services via custom domain names.

It also includes a peer-to-peer (P2P) connection mode for direct communication, making it a versatile solution for developers and system administrators.

Key features:

• Expose local servers securely, even behind NAT or firewalls, using TCP, UDP, HTTP, or HTTPS protocols.
• Provide token and OIDC authentication for secure connections.
• Support advanced configurations such as encryption, compression, and TLS for enhanced security.
• Enable efficient traffic handling with features like TCP stream multiplexing, QUIC protocol support, and connection pooling.
• Facilitate monitoring and management through a server dashboard, client admin UI, and Prometheus integration.
• Offer flexible routing options, including URL routing, custom subdomains, and HTTP header rewriting.
• Implement load balancing and service health checks for reliable performance.
• Allow for port reuse, port range mapping, and bandwidth limits for granular control.
• Simplify SSH tunneling with a built-in SSH Tunnel Gateway.

3. localtunnel

Localtunnel is an open-source, self-hosted tool that simplifies the process of exposing local web services to the internet.

By creating a secure tunnel, Localtunnel allows developers to share their local resources without needing to configure DNS or firewall settings.

It’s built on Node.js and can be easily installed using npm.

While Localtunnel is straightforward and effective, the project hasn't seen active maintenance since 2022, and the default Localtunnel.me server's long-term reliability is uncertain.

However, you can host your own Localtunnel server for better control and scalability.

Key features

• Secure HTTPS for all tunnels, ensuring safe connections.
• Share your local development environment with a unique, publicly accessible URL.
• Test webhooks and external API callbacks with ease.
• Integrate with cloud-based browser testing tools for UI testing.
• Restart your local server seamlessly, as Localtunnel automatically reconnects.
• Request a custom subdomain or proxy to a hostname other than localhost for added flexibility.

4. boringproxy

boringproxy is a reverse proxy and tunnel manager designed to simplify the process of securely exposing self-hosted web services to the internet.

Whether you're running a personal website, Nextcloud, Jellyfin, or other services behind a NAT or firewall, boringproxy handles all the complexities, including HTTPS certificate management and NAT traversal, without requiring port forwarding or extensive configuration.

It’s built with self-hosters in mind, offering a simple, fast, and secure solution for remote access.

Key features

• 100% free and open source under the MIT license, ensuring transparency and flexibility.
• No configuration files required—boringproxy works with sensible defaults and simple CLI parameters for easy adjustments.
• No need for port forwarding, NAT traversal, or firewall rule configuration, as boringproxy handles it all.
• End-to-end encryption with optional TLS termination at the server, client, or application, integrated seamlessly with Let's Encrypt.
• Fast web GUI for managing tunnels, which works great on both desktop and mobile browsers.
• Fully configurable through an HTTP API, allowing for automation and integration with other tools.
• Cross-platform support on Linux, Windows, Mac, and ARM devices (e.g., Raspberry Pi and Android).
• SSH support for those who prefer using a standard SSH client for tunnel management.

5. zrok

zrok is a next-generation, peer-to-peer sharing platform built on OpenZiti, a programmable zero-trust network overlay.

It enables users to share resources securely, both publicly and privately, without altering firewall or network configurations.

Designed for technical users, zrok provides frictionless sharing of HTTP, TCP, and UDP resources, along with files and custom content.

• Share resources with non-zrok users over the public internet or directly with other zrok users in a peer-to-peer manner.
• Works seamlessly on Windows, macOS, and Linux systems.
• Start sharing within minutes using the zrok.io service. Download the binary, create an account, enable your environment, and share with a single command.
• Easily expose local resources like localhost:8080 to public users without compromising security.
• Share "network drives" publicly or privately and mount them on end-user systems for easy access.
• Integrate zrok’s sharing capabilities into your applications with the Go SDK, which supports net.Conn and net.Listener for familiar development workflows.
• Deploy zrok on a Raspberry Pi or scale it for large service instances. The single binary contains everything needed to operate your own zrok environment.
• Leverages OpenZiti’s zero-trust principles for secure and programmable network overlays.

6. Pagekite

PageKite is a veteran in the tunneling space, providing HTTP(S) and TCP tunnels for more than 14 years. It offers features like IP whitelisting, password authentication, and supports custom domains.

While the project is completely open-source and written in Python, the public service imposes limits, such as bandwidth caps, to prevent abuse.

Users can unlock additional features and higher bandwidth through affordable payment plans.

The free tier provides 2 GB of monthly transfer quota and supports custom domains, making it accessible for personal and small-scale use.

Key features

• Enables any computer, such as a Raspberry Pi, laptop, or even old cell phones, to act as a server for hosting services like WordPress, Nextcloud, or Mastodon while keeping your home IP hidden.
• Provides simplified SSH access to mobile or virtual machines and ensures privacy by keeping firewall ports closed.
• Supports embedded developers with features like naming and accessing devices in the field, secure communications via TLS, and scaling solutions for both lightweight and large-scale deployments.
• Offers web developers the ability to test and debug work remotely, interact with secure APIs, and run webhooks, API servers, or Git repositories directly from their systems.
• Utilizes a global relay network to ensure low latency, high availability, and redundancy, with infrastructure managed since 2010.
• Ensures privacy by routing all traffic through its relays, hiding your IP address, and supporting both end-to-end and wildcard TLS encryption.

7. Chisel

Chisel is a fast and efficient TCP/UDP tunneling tool transported over HTTP and secured using SSH.

Written in Go (Golang), Chisel is designed to bypass firewalls and provide a secure endpoint into your network.

It is distributed as a single executable that functions as both client and server, making it easy to set up and use.

Key features

• Offers a simple setup process with a single executable for both client and server functionality.
• Secures connections using SSH encryption and supports authenticated client and server connections through user configuration files and fingerprint matching.
• Automatically reconnects clients with exponential backoff, ensuring reliability in unstable networks.
• Allows clients to create multiple tunnel endpoints over a single TCP connection, reducing overhead and complexity.
• Supports reverse port forwarding, enabling connections to pass through the server and exit via the client.
• Provides optional SOCKS5 support for both clients and servers, offering additional flexibility in routing traffic.
• Enables tunneling through SOCKS or HTTP CONNECT proxies and supports SSH over HTTP using ssh -o ProxyCommand.
• Performs efficiently, making it suitable for high-performance requirements.

8. Telebit

Telebit has quickly become one of my favorite tunneling tools, and it’s easy to see why. It's still fairly new but does a great job of getting things done.

By installing Telebit Remote on any device, be it your laptop, Raspberry Pi, or another device, you can easily access it from anywhere.

The magic happens thanks to a relay system that allows multiplexed incoming connections on any external port, making remote access a breeze.

Not only that, but it also lets you share files and configure it like a VPN.

Key features

• Share files securely between devices
• Access your Raspberry Pi or other devices from behind a firewall
• Use it like a VPN for additional privacy and control
• SSH over HTTPS, even on networks with restricted ports
• Simple setup with clear documentation and an installer script that handles everything

9. tunnel.pyjam.as

As a web developer, one of my favorite tools for quickly sharing projects with clients is tunnel.pyjam.as.

It allows you to set up SSL-terminated, ephemeral HTTP tunnels to your local machine without needing to install any custom software, thanks to Wireguard.

It’s perfect for when you want to quickly show someone a project you’re working on without the hassle of complex configurations.

Key features

• No software installation required, thanks to Wireguard
• Quickly set up a reverse proxy to share your local services
• SSL-terminated tunnels for secure connections
• Simple to use with just a curl command to start and stop tunnels
• Ideal for quick demos or temporary access to local projects

Final thoughts

When it comes to tunneling tools, there’s no shortage of options and each of the projects we’ve discussed here offers something unique.

Personally, I’m too deeply invested in Cloudflare Tunnel to stop using it anytime soon. It’s become a key part of my workflow, and I rely on it for many of my use cases.

However, that doesn’t mean I won’t continue exploring these open-source alternatives. I’m always excited to see how they evolve.

For instance, with tunnel.pyjam.as, I find it incredibly time-saving to simply edit the tunnel.conf file and run its WireGuard instance to quickly share my projects with clients.

I’d love to hear what you think! Have you tried any of these open-source tunneling tools, or do you have your own favorites? Let me know in the comments.