[HN Gopher] Tunnelmole, an ngrok alternative (open source)
___________________________________________________________________
Tunnelmole, an ngrok alternative (open source)
Author : aussieguy1234
Score : 190 points
Date : 2024-03-19 11:46 UTC (3 days ago)
(HTM) web link (softwareengineeringstandard.com)
| vishalontheline wrote:
| Also, Local Tunnel: https://localtunnel.github.io/www/
| aussieguy1234 wrote:
| I tried to test this out. But got blocked when I visited my
| Public URL by some security warning page around phishing? Which
| is fair enough, but it wasn't clear to me how I could remove
| that and get the URL to point to my local server like I wanted.
| Also, their GitHub project has not been maintained for some
| time.
| apitman wrote:
| It's worth noting that if Tunnelmole becomes popular enough,
| you will also likely end up with people using it for phishing
| attacks, and your users will start getting phishing warnings.
| I recommend getting tunnelmole.net added to the Public Suffix
| List[0] which may help with this.
|
| IMO it's not worth running a free tunneling service.
|
| [0]: https://publicsuffix.org/
|
| EDIT: I see in another thread that you've already gotten hit
| with phishing. I have some follow up questions I'll ask in
| that thread.
| vishalontheline wrote:
| Ah that's right!
|
| My apologies - I faced this same issue and completely forgot
| about it. My use-case was to host a dev server that I can ssh
| into from anywhere, and host things when needed.
|
| What I eventually ended up doing was:
|
| 1. Switched to Cloudflare to manage my DNS.
|
| 2. Added a subdomain and pointed my IP address to it.
|
| 3. Ran a Cron job that checks my ip address, and if it has
| changed, I update Cloudflare with the new ip address using
| the following script: https://gist.github.com/vishaldpatel/fc
| 25ebfc236af43f8453b90...
| jstanley wrote:
| It's not mentioned anywhere in this blog post, but the project
| has a website at https://tunnelmole.com/ and a github repo at
| https://github.com/robbie-cahill/tunnelmole-client
|
| EDIT: And, actually, I don't think this is really an ngrok
| alternative. Unless I'm mistaken it looks like it only supports
| HTTP, whereas ngrok is a generic TCP proxy. (Albeit that ngrok
| does not support TCP half-close because it treats it like a full
| close).
| aussieguy1234 wrote:
| TCP is something I'm thinking about. It is possible with
| sockets and different port numbers opening/closing on the
| server side; it will take some work however. Perhaps you might
| be interested in contributing?
| mavili wrote:
| If 99% of ngrok users use it for HTTP, it IS an alternative,
| isn't it?
| llmblockchain wrote:
| If you have a web server you control, it's pretty easy to use an
| ssh tunnel to do this and you control the entire thing.
| mavili wrote:
| I do that with a private server of my own, but it's quite
| fragile. The SSH tunnel connection drops sometimes, and it's
| just raw tunneling. What I love about ngrok is the web
| interface with logs showing the HTTP requests and responses
| with all the headers and payload. I'm hoping this has the same,
| will give it a try when I'm on my laptop.
|
| One benefit of doing it on your own server is the static
| hostname you get with it. A new hostname every time you start
| up is not fun at all!
| vorticalbox wrote:
| > sudo npm install -g tunnelmole
|
| Why not simply use npx?
|
| npx tunnelmole
| scubbo wrote:
| (I'm no Node expert, so this might be flawed, but) presumably,
| because they hope that you'll use the app more than a few
| times, and so the one-time overhead of typing `sudo npm install
| -g` once will outweigh the repeated requirement to use `npx`
| every time you invoke it. Or, taking a less mechanistic and
| more usability-focused approach - because the intention is for
| it to be seen as a fundamental tool, just as accessible as grep
| or cat or less, rather than "hidden" behind npx.
| aussieguy1234 wrote:
| I actually tried advertising the `npx tmole` / `npx
| tunnelmole` methods but not too many people picked them up,
| so I ended up not adding these methods to the docs.
| aussieguy1234 wrote:
| You can do that, also `npx tmole` works because of the wrapper
| package I added to NPM.
| aborsy wrote:
| Many alternatives: SSH reverse tunnels, Cloudflare tunnels,
| various reverse proxies like FRP, Tailscale funnel (probably for
| short lived light connections), ngrok, etc
| PLG88 wrote:
| Also https://zrok.io/. It's open source, and has a free SaaS.
| It's also more comprehensive than Tunnelmole, e.g., supporting
| TCP or UDP tunnels.
| qudat wrote:
| Also https://ssi.sh with a managed service at https://tuns.sh
| aussieguy1234 wrote:
| These can work, but all take a bit more work than running a
| single command, including Cloudflare tunnels which, according
| to their docs, require you to make a DNS record on your
| domain. I use SSH reverse tunnels for some things where I need
| tighter security.
| sophacles wrote:
| Cloudflare offers quick tunnels too, for when you don't have
| (or want) a domain.
| https://developers.cloudflare.com/cloudflare-one/connections...
| aussieguy1234 wrote:
| I see, for random subdomains. I guess a custom subdomain
| would still need that DNS record added to your domain.
| apitman wrote:
| I maintain a list of similar tools here:
|
| https://github.com/anderspitman/awesome-tunneling
|
| I'm not sure there's a single class of software that's been
| implemented more times than ngrok-style tunneling. I keep finding
| more and more.
|
| Honestly it's a really fun exercise. Fairly challenging, but well
| within the reach of a single developer. I believe I'm currently
| working on my 5th incarnation.
| LoganDark wrote:
| > I'm not sure there's a single class of software that's been
| implemented more times than ngrok-style tunneling. I keep
| finding more and more.
|
| AFAIK ngrok was the first widespread implementation of it, and
| there was such a sheer lack of it before that everyone started
| working on their own implementations at once and now we have an
| abundance.
|
| (At least that's my personal theory.)
| kelnos wrote:
| I think "widespread" in this case means "marketed better".
| There were open source implementations before ngrok, whose
| founder even worked with someone who'd written one of those.
| (ngrok back then was certainly better than a lot of those
| other options, though.)
|
| Webhooks created the need for local tunneling software.
| Before ngrok, webhooks themselves were just starting to
| become more common. The need for local tunneling is much much
| greater than it was 15 years ago.
|
| (Also consider that ngrok today is far more than a local
| tunnel proxy. They noticed the abundance of open source
| options years ago and have moved on from the basic concept.)
| apitman wrote:
| It's an interesting market. Currently most (all?) offerings
| are targeted at the developer case, a la webhooks and
| request inspection. But I think in the future the more
| important use case (and much larger market) will be self
| hosting. That's going to require a lot more bandwidth.
| LoganDark wrote:
| > I think "widespread" in this case means "marketed
| better".
|
| No, widespread means _widespread_. As in tons of people
| started to use it, ngrok started pivoting into enterprise,
| moved from ngrok.io to ngrok.com, etc. I was there for all
| of it.
|
| The landscape of software other than ngrok was a total
| wasteland. Maybe there was localtunnel or SSH, I guess. But
| both of them kind of sucked and were fragile. ngrok was a
| static Go binary you could run anywhere to open a tunnel
| and it was total magic, worked perfectly, and was exactly
| what the world needed. It was the original. It taught
| people how this stuff ought to work and once people learned
| the formula, just like the iPhone, everyone else started
| copying it and now there are tons of implementations.
| CoffeeOnWrite wrote:
| Before ngrok we set it up in 15 minutes by configuring ssh
| and nginx a la https://gist.github.com/gdamjan/4586758
| aborsy wrote:
| I still haven't found an ideal solution, despite a variety of
| options.
|
| Cloudflare tunnels are good, but Cloudflare terminates TLS
| certificates, and scans the traffic. People host on premise for
| privacy, which is moot if using Cloudflare.
|
| FRP is simple and works, but it takes inbound traffic from open
| Internet. A vulnerability in it could compromise your
| environment. The transport encryption is customized (probably
| using TLS). It's not a VPN quality software, going through
| audits. It may need a reverse proxy in front of it.
|
| The ones that make outbound connections seem better. Ngrok
| pricing is not good, particularly when using custom domains.
| Tailscale funnel seems to be for short lived lightweight
| connections, has bandwidth and speed limitations due to the use
| of relay servers, kills my CPU, and requires a tailnet.
|
| SSH reverse tunnels require some scripting with autossh or
| similar to ensure persistent connections.
| d-z-m wrote:
| > Tailscale funnel seems to be for short lived lightweight
| connections, has bandwidth and speed limitations due to the use
| of relay servers, kills my CPU, and requires a tailnet.
|
| I'm a fan of their approach[0] though. No termination of TLS,
| SNI proxying (I presume) to backend machines, etc.
|
| [0]: https://tailscale.com/kb/1223/funnel
| apitman wrote:
| Can you clarify what you mean by inbound vs outbound? Pretty
| much all of these tools work the same way. You have a machine
| (usually a VPS) with a public IP address that runs the
| server, you connect to it with a client, and it tunnels
| traffic sent to the server to the client and other machines
| that would otherwise only be visible to the client.
|
| There are several options on the list that do e2ee, including
| commercial services that likely have better pricing than
| ngrok. That said, I'm not aware of any that are marketed for
| high bandwidth usage such as video streaming. FWIW my 5th
| incarnation mentioned above will be such a service.
| aborsy wrote:
| Yes, sorry, I was sloppy in my comment. I meant, say in the
| case of Cloudflare or Tailscale, I don't need to open any
| ports, or operate any server. The server, its firewall and
| security are outsourced to those companies. They take care
| of configuring and securing the internet-facing component.
| The clients make outbound connections, and the company
| takes care of handling inbound.
|
| This is similar to running your own VPN server, vs using
| what's called zero trust network access with services
| provided by companies such as Cloudflare.
|
| Cloudflare tunnels are simple, robust and include a range
| of features: various authentication options, a secure
| internet-facing webpage in Cloudflare Access, DDoS
| mitigation, IP hiding, DNS and domain setup, etc. If they
| didn't decrypt and scan the traffic, that's what an ideal
| solution would look like.
| PLG88 wrote:
| Have you tried https://zrok.io/? It's open source so you can
| self-host with custom domains, has a free SaaS incl. reserved
| shares which give static, vanity URLs, and includes internet
| hardening/auth.
| aborsy wrote:
| I have seen OpenZiti mentioned, and should probably try
| that and zrok.
|
| I think self hosting internet facing servers is not a good
| idea for most people. That component should be outsourced
| to specialists, in a product that includes a range of
| features (see my comment on Cloudflare Access below).
| PLG88 wrote:
| Sure, I hear that argument. That is why zrok (zrok.io)
| and OpenZiti (CloudZiti) have SaaS services so that the
| hosting is outsourced to specialists.
| jszymborski wrote:
| I used your list recently, thanks! Ended up using boringproxy
| for my case.
| apitman wrote:
| Glad you found it useful. boringproxy fills a pretty nice
| niche, but it has some rough edges. I'm working on its
| successor now.
| lxe wrote:
| Does it have the same spam prevention policies as ngrok?
| aussieguy1234 wrote:
| In the early days there were several attempts to use
| Tunnelmole for phishing.
|
| When you think about it, a service that hides your IP under a
| domain that is not yours means you can do whatever you want
| without risking your own server or domain being taken down for
| abuse, instead risking my server.
|
| So I added code to forward an X-Forwarded-For header, which
| contains the real IP address of the client. Also random URLs
| have the ip address added to them.
| apitman wrote:
| I know what the X-Forwarded-For is, but I'm confused by what
| you mean here. Can you go into a bit more detail as to what
| you implemented and how it prevents phishing?
| aussieguy1234 wrote:
| It's a header that contains the IP address of the machine
| that ran the Tunnelmole client, which ensures it can't be
| used anonymously. My theory here is that phishers and other
| nefarious actors are attracted to this type of service so
| they can hide their origin server.
|
| I haven't had a lot of phishing issues since introducing
| that header and the IP address in random domains.
|
| I'll see if I can get tunnelmole.net added to that public
| suffix list.
|
| One reason tunnels go through tunnelmole.net instead of
| tunnelmole.com is to protect the reputation of the main
| domain.
| apitman wrote:
| Interesting. I see what you mean by the random domains
| now. Creative idea!
|
| > One reason tunnels go through tunnelmole.net instead of
| tunnelmole.com is to protect the reputation of the main
| domain.
|
| Definitely recommend you keep it that way. There's no
| saying what various orgs will do. I believe at one point
| Facebook messenger blocked links to .xyz TLD domains
| entirely. Maybe they still do.
| russorat wrote:
| PM from ngrok here. First, awesome project! Love to see new
| projects and ideas in the space. Fighting phishing (and other
| abuse) is a constant battle for us. As you may know, we do
| similar things to publish IP addresses, but we've had to add
| a bunch of other stuff to combat this over the years. I'm
| happy to share ideas and collaborate if you want to reach
| out. russ at ngrok dot com.
|
| Again, super awesome project and great work!
| evrimoztamur wrote:
| I've been self-hosting https://github.com/fatedier/frp on my
| little box, and it feels insane to think of the times where I
| didn't have it set up. There are many choices in the space as
| others pointed out, but frp's capabilities and lightweight
| packaging blows all other setups out of the water. I placed mine
| behind nginx with Let's Encrypt for SSL support. Hella fresh!
| hellovue wrote:
| Note that server source code contains a feature to capture all
| traffic that you send over it:
| https://github.com/robbie-cahill/tunnelmole-service/blob/c58...
|
| I would only use the self-hosted version.
| ihumanable wrote:
| In the commit you linked, this function is only ever called once
| and seems to just capture that a connection was initialized
| from a clientId to a hostname:
| https://github.com/robbie-cahill/tunnelmole-service/blob/c58...
| aussieguy1234 wrote:
| This is correct. It's simply logging the connection so I can
| see server load/usage stats. There is other code that logs
| the NodeJS version and OS; this is so I can make better
| decisions on which NodeJS version I should get TypeScript to
| compile to. The second log can be turned off however;
| instructions are in the README.
| Cyphase wrote:
| > ... server source code contains a feature ... I would only
| use the self-hosted version.
|
| You shouldn't assume that a server which is ostensibly running
| code you can see is actually running that code without
| modifications.
|
| That said, there is a difference between someone claiming
| (explicitly or implicitly) that they're not doing something,
| versus not making a claim, versus admitting they are doing it.
| zilti wrote:
| Or, y'know, just open a reverse tunnel using autossh.
| aussieguy1234 wrote:
| Could you give more details? What steps are involved in this?
| zilti wrote:
| Basically: `autossh -M 20000 -N -R host:8080:localhost:80 user@host`
|
| -M sets the control port for autossh which it uses to check
| if all is working right. The rest is standard SSH syntax; in
| this example, a loopback socket on port 8080 on host will get
| opened, and all requests to it are forwarded to localhost's
| port 80.
|
| If you want it to be a "real" socket instead of just
| loopback, set "GatewayPorts clientspecified" in sshd_config.
| aussieguy1234 wrote:
| Is the `host` part here a server that you run yourself?
| em-bee wrote:
| yes
| aussieguy1234 wrote:
| The main purpose of services like Tunnelmole and ngrok is
| to basically provide this functionality and save you from
| having to run your own server. It's easy for people like
| us; I've used SSH for more than 20 years. A lot of devs
| however don't have good Linux/infra/ssh exposure. Others
| might have that exposure, but don't have the spare time
| or energy to run their own server.
| brirec wrote:
| All autossh does is try to keep open/restart an ssh
| connection as a daemon -- I'm not sure there's any benefit to
| it these days over just using a systemd service.
|
| That being said, as an example `ssh user@host.com -R 8181:localhost:8080`
| will open port 8181 on the remote
| machine you're connecting to, and forward traffic that's
| addressed there to port 8181 on the machine you're connecting
| from. That is, you'll be able to open a browser to
| http://host.com:8181 to test something running on your dev
| machine at port 8080. Traffic gets forwarded along the ssh
| tunnel.
|
| Autossh (or a systemd service supervising an `ssh`
| connection) will keep that tunnel open.
| qudat wrote:
| sish uses ssh tunneling that you can read about in their
| docs: https://docs.ssi.sh/
| mattgreg wrote:
| Another free + open source alt (for Mac)
| https://github.com/build-trust/ockam/blob/develop/examples/a...
| CGamesPlay wrote:
| This one is pretty weird. All the docs about everything talk
| about privacy and security and Ockam Orchestrator. This last
| part seems to be a completely proprietary and undocumented
| cloud service. Why would anyone trust this?
| glenngillen wrote:
| disclosure: I work at Ockam.
|
| The Portals for Mac app is an example of the type of thing
| you could build using the open source stack of protocols. The
| README (linked by parent) links out to all of the relevant
| parts of the protocol documentation to explain how these work
| together. The NAT Traversal (https://github.com/build-
| trust/ockam/blob/develop/examples/a...) part of the README is
| probably the best explanation of why the free relay you get
| via Ockam Orchestrator is a useful part of this demo.
|
| As for why would anyone trust this: The protocols are
| designed so you absolutely don't have to trust the relay.
| Trust is pushed out to the edges that you control and so
| you're not susceptible to a MITM attack if something like a
| relay is compromised. The protocol design for all of this is
| open and documented, and was independently audited by (IMO)
| some of the best in the business, Trail of Bits:
| https://docs.ockam.io/reference/protocols.
| ctrw wrote:
| Or hire a static ip and expose whatever ports you feel like.
|
| It's amazing how far we've fallen from the internet of the 90s
| when you could get this done on most ISPs with all of a phone
| call.
| Banditoz wrote:
| Dynamic DNS is a good alternative. A free one I like is
| https://www.duckdns.org/
| ctrw wrote:
| Or just doing a bit of research on which ISP provides static
| IPs with the ability to serve content. Not everything has
| to be Google scale.
| apitman wrote:
| Not sure what country you're in but in the US at least ISP
| options are rather limited in any given area. The two
| widest reaching (geographically) options, cell and
| Starlink, both use CGNAT as far as I know. Plus they're
| more limited in data usage.
| pavon wrote:
| Most of them require you to upgrade to a business account,
| and are generally quite a bit more expensive than standard
| residential internet service plus a VPS.
| aussieguy1234 wrote:
| I used to do this. It requires configuring your router to set
| up port forwarding. That's assuming you have access to your
| router.
| aussieguy1234 wrote:
| I once had a PCI dialup modem back in the early days of the
| internet. No router involved, so the IP I got was exposed to
| the internet. To share a web server was simple: basically start
| it, then http://<my-ip-address>.
|
| I also ended up with several worms infecting the Windows
| version I was running, part of why I switched to Linux and
| haven't looked back since.
| CGamesPlay wrote:
| Is there any stand-alone open source version of the VS Code port
| forwarder? That's what I really want. Not so much public access,
| just local access to ports on the remote machine that I can
| easily manage. SSH port forwards don't work inside docker dev
| environments (and docker containers have to be rebuilt to export
| new ports natively), so some extra software is needed.
| SparkyMcUnicorn wrote:
| Using tailscale can solve this problem, and that's what I've
| opted to do since I was using tailscale already.
| CGamesPlay wrote:
| A (potentially minor) problem with this use case for
| Tailscale is that we do actually want the forwarded services
| listening on localhost and not on a different IP address,
| because browsers treat these as secure contexts without
| having to fuss with https. I briefly checked the Tailscale
| userspace docs just now and it seems to expose a SOCKS proxy,
| meaning that we'd need an extra piece to listen on the
| desired localhost port and forward via Tailscale.
|
| [edit] Removed an incorrect assumption. Tailscale does not
| require CAP_NET_ADMIN in userspace mode.
| apitman wrote:
| I haven't tried vscode forwarding. What features does it have
| that are missing from most of the options on the list[0]?
|
| If you want a nice GUI for remote managing maybe check out one
| of my tools, boringproxy
|
| [0]: https://github.com/anderspitman/awesome-tunneling
| CGamesPlay wrote:
| I've got your list saved in my notes :) The main thing is
| many of these are, well, ngrok alternatives: put my localhost
| on the internet. I am looking for something that puts remote
| ports into my local machine, and in particular which don't
| require configuring network interfaces (insecure to do in
| Docker containers) and don't require a centralized control
| plane.
| apitman wrote:
| Ah, interesting. What's a typical use case for something
| like this? I could probably think of a couple but I'm
| curious what people actually use it for.
| CGamesPlay wrote:
| Devcontainers in Docker. With Docker, you cannot add a
| port forward to an existing container; you have to
| rebuild the container. With devcontainers, this at a
| minimum requires a few minutes of rebuilding time (an
| excessive price to pay for changing a port forward).
| apitman wrote:
| So you have a devcontainer running on your local machine,
| and you start up a service inside it and want to access
| it from outside?
| CGamesPlay wrote:
| Yes, that's the gist, although to complicate things I
| actually have the devcontainer running on a remote
| machine. So to access it I use `ssh host docker exec -it
| container`, for example. This is a supported workflow for
| VSCode remote devcontainers, and I would like to see an
| open-source version of it.
| rematis wrote:
| Been obsessing the past few days on ssh tunnels. Ran a local
| service for over a week using ssh -R which was pretty cool. Also
| tried out autossh. Was using Caddy on a $2 VPS, mostly just
| worked. I love the idea of being able to pay so little for a gateway
| onto an old laptop with a huge hard drive running all kinds of
| awesome stuff and instantly share a new container I run with a
| friend for a few hours and then take it down when we're done.
|
| I haven't looked at the code for the link above, but I think I am
| going to build a self hosted solution in Go and WireGuard with a
| simple GUI.
|
| edit: one other cool thing to note was not only was this service
| behind a firewall, it was also behind my mullvad desktop client
| on Linux. Will probably run the WireGuard connection to the VPS in a
| container to avoid conflicts with the commercial VPN.
| maple3142 wrote:
| One thing I found missing in a lot of ngrok alternatives is
| a web interface for viewing HTTP requests/responses when
| tunneling in HTTP/HTTPS mode, so I made a kinda hacky solution to
| this using cloudflared + mitmproxy:
| https://gist.github.com/maple3142/e46ab5ce8697476db13b4d9dc0...
| tarasglek wrote:
| Pretty interesting idea. Wonder if this approach works for
| mitming mobile apps. Wonder what percentage of them verify ssl
| certs.
| krowek wrote:
| I found this yesterday, as I exceeded the 1GB monthly free
| traffic of ngrok. I use it only for testing some bookmarklet in
| development for work, so I won't pay for that, unless my employer
| does (which doesn't). So tunnelmole works pretty well.
|
| Tried zrok.io but couldn't figure out what to do, wanted the
| easiest route.
| gerwim wrote:
| Cool!
|
| There seem to be a lot of projects in this space -- including my
| own tool (https://github.com/gerwim/tunnlr). Still working on it
| though! ;-)
| winash83 wrote:
| I made one too, https://webrelay.dev. It's a fun little project; I
| added TCP tunnels and a lightweight overlay network as well.
| Basically you can start a port on a remote machine and map it to
| a local port instead of exposing it publicly.
| damacio20 wrote:
| Random closed-sourced binary from the Internet that you install
| on your server to communicate through unspecified online
| servers? Hard pass.
| jborak wrote:
| I built a similar service as well called Packetriot:
| https://packetriot.com
|
| Building these types of tunneling systems is a great project. You
| learn a lot and can master skills in many different areas.
|
| Packetriot has been operating for five years, and the first few
| years were all spent on performance and stability of the core
| networking services. As the software and network matured, I spent
| more time on the operations and maintenance, and automating as
| much of that as possible.
|
| Recently I've begun building tools to detect phishing and
| potential malicious behaviors. This is a common problem that
| operators of these tunnel networks have to deal with. It's an
| interesting and fun technical area and helps make the Internet a
| safer place :)
___________________________________________________________________
(page generated 2024-03-22 23:02 UTC)