This is nice and for those who's asking, it's different from ngrok and the others in that you don't need a separate client, (almost) everyone has ssh installed.
To the author, I wish you best of luck with this but be aware (if you aren't) this will attract all kind of bad and malicious users who want nothing more than a "clean" IP to funnel their badness through.
serveo.net [2] tried it 8 years ago, but when I wanted to use it I at some point I found it was no longer working, as I remember the author said there was too much abuse for him to maintain it as a free service
Even the the ones where you have to register like cloudflare tunnels and ngrok are full of malware, which is not a risk to you as a user but means they are often blocked.
Also a little rant, tailscale has their own one also called funnel. It has the benefit of being end-to-end encrypted (in theory) but the downside that you are announcing your service to the world through the certificate transparency logs. So your little dev project will have bots hammering on it (and trying to take your .git folder) within seconds from you activating the funnel. So make sure your little project is ready for the internet with auth and has nothing sensitive at guessable paths.
Just want to say that I appreciate you maintaining this list. It's one of those things I need to do every now and then, so having a place that gives me a current summary of the options is very handy.
As someone who has launched something free on HN before, the resulting signups were around 1/3rd valid users doing cool things and checking things out, and 2/3rds nefarious users.
My service (which doesn't have public access, only via SSH as a client) was used by a ransomware gang, which involved the service in investigation from Dutch CERT and Dubai police.
I run playit.gg. Abuse is a big problem on our free tier. I’d get https://github.com/projectdiscovery/nuclei setup to scan your online endpoints and autoban detections of c2 servers.
Thanks for sharing this. I run packetriot.com, another tunneling service and I ended up writing my own scanner for endpoints using keyword lists I gathered from various infosec resources.
I had done some account filtering for origins coming out of Tor, VPN networks, data centers, etc. but I recently dropped those and added an portal page for free accounts, similar to what ngrok does.
It was very effective at preventing abuse. I also added mechanism for reporting abuse on the safety page that's presented.
Our services were used for C2 as well. I investigated it a bit but eventually decided to just drop TCP forwarding from our free-tier and that reduced our abuse/malware reports for C2 over TCP to zero essentially.
One path I looked at was to use the VirusTotal API to help identify C2's that other security organizations were identifying and leverage that to automatically take down malicious TCP endpoints. I wrote some POCs but did not deploy them. It's something I plan on taking up again at some point next year.
Want to chat on discord? Maybe we could combine efforts to try and stop people abusing our services :). We have a few vendors sending us automated reports, maybe I could open it up for multiple projects.
Do you have funding to cover the paying the bandwidth costs which will ultimately result from this? Or if you're running this from a home network, does anyone know if OP should be concerned of running into issues with their ISP?
The tunnel host appears to be a Hetzner server, they are pretty generous with bandwidth but the interesting thing I learned about doing some scalability improvements at a similar company [0] is that for these proxy systems, each direction’s traffic is egress bandwidth. Good luck OP, the tool looks cool. Kinda like pinggy.
Random thoughts: one can get user's ssh public keys from GitHub on the fly (from `https://github.com/<username>.keys`), so that it requires a valid GitHub account to use this service, without (extra) auth process.
Yeah, this is the next step. I first wanted to understand if this gets any traction. I think I will provide a dockerized version for the server part that you can just run with a simple command and maybe some interface to create api keys and distribute them to your users.
Fair enough from a business standpoint, but seeing as there are massive privacy/security risks involved in exposing your data to an opaque service, the open source component is probably a non-optional aspect of the value prop.
To the author, I wish you best of luck with this but be aware (if you aren't) this will attract all kind of bad and malicious users who want nothing more than a "clean" IP to funnel their badness through.
serveo.net [2] tried it 8 years ago, but when I wanted to use it I at some point I found it was no longer working, as I remember the author said there was too much abuse for him to maintain it as a free service
I ended up self-hosting sish https://docs.ssi.sh instead.
Even the the ones where you have to register like cloudflare tunnels and ngrok are full of malware, which is not a risk to you as a user but means they are often blocked.
Also a little rant, tailscale has their own one also called funnel. It has the benefit of being end-to-end encrypted (in theory) but the downside that you are announcing your service to the world through the certificate transparency logs. So your little dev project will have bots hammering on it (and trying to take your .git folder) within seconds from you activating the funnel. So make sure your little project is ready for the internet with auth and has nothing sensitive at guessable paths.
[2] https://news.ycombinator.com/item?id=14842951