My startup — cybersecurity intelligence & big data with the world's largest fraud database
← Back to Blog
5 min read
March 31, 2026

OpenTunnel: Self-Hosted Tunnels With Custom Domains

I built OpenTunnel after getting tired of paying for custom subdomains on tunnel services. It's a self-hosted alternative that gives you full control, free WAF, and works with any domain you own.

OpenTunnel: Self-Hosted Tunnels With Custom Domains
Engineering

The Problem That Made Me Build This

Picture this: It's Friday night. You want to show your friends the Minecraft server you've been hosting on your Raspberry Pi. You try to share your IP... but it's a CG-NAT address. No port forwarding for you.

You spin up ngrok. Cool, you get a URL like https://random-string.ngrok-free.app. Works, but:

  • The URL changes every time you restart it
  • It's ugly and hard to remember
  • Custom subdomains? That's $20/month
  • Your friends get a scary warning because the certificate doesn't match your "brand"

You think: "This can't be that hard to solve."

You were right.

Why Custom Tunnels Cost Money (And Why They Shouldn't)

Services like ngrok charge premium prices for custom subdomains because... they can. The technology itself isn't complex:

  1. Someone registers *.ngrok.io
  2. They spin up proxy servers
  3. They route traffic based on subdomain
  4. They issue SSL certificates

The expensive part is maintaining infrastructure, scaling, and offering SLAs. But for personal use? You can do this on a $5/month VPS.

I wanted something that:

  • Let me use my own domain (mine.tunnel.op.yourdomain.com)
  • Configured nginx automatically
  • Had basic security (WAF, IP blocking)
  • Worked with free DNS like DuckDNS
  • Optionally used Cloudflare Tunnels or ngrok as fallback

So I built it.

Introducing OpenTunnel

OpenTunnel is a self-hosted tunnel system that gives you the best of all worlds:

  • Your own server - Full control, no monthly fees
  • Custom subdomains - Use any domain you own
  • Integrated WAF - Block malicious IPs, User-Agents, and bad actors
  • Multiple providers - Use Cloudflare Tunnels or ngrok from a single CLI
  • Auto-configured nginx - Because writing nginx configs by hand is 2024
  • Hybrid mode - Run everything on one machine (perfect for home labs)

Features That Actually Matter

MultiProvider Support

Why limit yourself to one tunnel provider? OpenTunnel abstracts them all:

Bash
# Use your own server
opentunnel quick 3000 -s yourdomain.com

# Or Cloudflare Tunnel (free, no account needed)
opentunnel http 3000 --cloudflare

# Or ngrok
opentunnel http 3000 --ngrok

# All from the same CLI

Built-In WAF (No Extra Setup)

Most tunnel services offer basic IP blocking. OpenTunnel goes further:

  • IP allowlist/denylist - Block entire ranges or specific IPs
  • User-Agent filtering - Stop known bad bots
  • Rate limiting - Prevent abuse
  • Cross-provider rules - Define rules once, apply everywhere

Streaming Support for Media

Standard HTTP tunnels buffer responses. That breaks video streams and large file transfers.

OpenTunnel's streaming mode streams byte-by-byte:

Bash
# 10-minute timeout (good for most video streams)
opentunnel http 8080 --streaming

# Custom timeout (e.g., 30 minutes)
opentunnel http 8080 --timeout 1800000

# No timeout (dangerous but sometimes necessary)
opentunnel http 8080 --timeout 0

AutoConfigured nginx

When you run in server mode, OpenTunnel:

  1. Generates nginx config for each subdomain
  2. Handles SSL certificates (Let's Encrypt or self-signed)
  3. Sets up HTTP→HTTPS redirect
  4. Reloads nginx automatically

No manual nginx wizardry required.

Real Use Cases

Sharing Your Homelab

I built this primarily to share my home server without exposing my home IP. My setup:

  • Raspberry Pi 4 running OpenTunnel server
  • Cloudflare handling DNS and free SSL
  • Domain: tunnel.op.mydomain.com
  • Friends get minecraft.tunnel.op.mydomain.com

No port forwarding on my router. No direct IP exposure. Clean URLs.

Quick Demos

Need to show a client a dev environment? One command:

Bash
opentunnel quick 3000 -s yourdomain.com -n client-project
# → https://client-project.tunnel.op.yourdomain.com

They get a branded URL. No explaining why it says "ngrok-free.app."

Production-Ready (With Caveats)

For production, you want:

  • A proper VPS (not your laptop)
  • Let's Encrypt certificates
  • Authentication tokens
  • Monitoring

OpenTunnel supports all of this. The difference from ngrok is you control the infrastructure.

Architecture: How It Works

Code
┌─────────────────────────────────────────┐
│              INTERNET                    │
│  Users → https://app.tunnel.op.example.com
└───────────────────┬─────────────────────┘
┌─────────────────────────────────────────┐
│         OpenTunnel Server                │
│   - Subdomain routing                   │
│   - nginx reverse proxy                 │
│   - WebSocket transport                 │
│   - WAF (IP/UA filtering)               │
└───────────────────┬─────────────────────┘
                    │ WebSocket
┌─────────────────────────────────────────┐
│         Your Computer/Home Lab           │
│   - Services behind NAT                  │
│   - Minecraft, web apps, APIs           │
└─────────────────────────────────────────┘

The server listens on port 443, your local service connects via WebSocket, and nginx routes based on subdomain. Simple, reliable, maintainable.

Getting Started

Quick Install

Bash
npm install -g opentunnel-cli
Bash
# Point *.tunnel.op.yourdomain.com to your VPS IP first
sudo opentunnel server -d --domain yourdomain.com --letsencrypt --email [email protected]

Connect a Local Service

Bash
opentunnel quick 3000 -s yourdomain.com -n myapp
# → https://myapp.tunnel.op.yourdomain.com

Or Use It Like ngrok (Without ngrok's Limits)

Bash
# With Cloudflare (free, no account)
opentunnel http 3000 --cloudflare

# With ngrok (but unified CLI)
opentunnel http 3000 --ngrok --token YOUR_TOKEN

DNS Setup

OpenTunnel uses tunnel.op as a reserved subdomain prefix. This keeps your main domain free for normal use.

Configure your DNS:

  • Add an A/AAAA record for tunnel.op.yourdomain.com pointing to your VPS IP
  • Or use a wildcard: *.tunnel.op.yourdomain.com

This separates tunnel traffic from your regular website.

What's Next?

OpenTunnel is production-ready for my use cases, but there's always more to build:

  • Web dashboard - Visual tunnel management
  • Traffic analytics - See who's hitting your tunnels
  • Team support - Shared tunnels with permissions
  • More providers - Tailscale, GitHub Tunnels, etc.

Check the GitHub repo for updates.

The Point

I got tired of paying monthly fees for a feature that's technically trivial. The real cost of services like ngrok isn't the technology—it's the convenience and infrastructure maintenance.

If you're comfortable with a VPS and want full control, OpenTunnel is for you. If you just need a quick tunnel and don't care about custom domains, ngrok's free tier is fine.

The point is: you have options. Building your own tools is always worth it, even if it's just to understand what you're actually paying for.

Live demo: https://github.com/FJRG2007/opentunnel

Try it. Break it. Tell me what's missing.

Author

Check my portfolio

Learn more about my work and projects!

Posts in:
Engineering
Version 2.4.7 — All rights reserved © Creative Commons Attribution - All Rights Reserves: CC BY-NC-ND 4.0 | TPEOficial LLC.