Sandhole

Expose HTTP/SSH/TCP services through SSH port forwarding. A self-hosted ngrok / Cloudflare Tunnels / localhost.run alternative.

Check out the Sandhole book for a full guide.

Features

• Reverse proxy that just works with an OpenSSH client. No extra software required to beat NAT!
• Automatic HTTPS support (with Agnos and ACME), including HTTP/2 support.
• Easily load-balance by pointing multiple services to the same domain/port.
• Bring your own custom domains and authorize them via DNS records for specific SSH keys.
• Random subdomain assignment by default, with options for deterministic assignment.
• Option to connect with SSH via the HTTPS port, if your network blocks outbound connections to SSH ports.
• Security and performance features like quotas, rate limiting, timeouts, IP filtering, and more.
• Many other configurable options, including toggling off whole modules.
• A terminal-based admin interface to view and manage current connections.
• Written in Rust, with comprehensive testing of most features.

Try it!

To expose a local HTTP service running on port 4321:

ssh -i path/to/key -R 80:localhost:4321 demo.sandhole.com.br

Status

Sandhole is mostly feature-complete, but still receives occasional updates and fixes. Contributions are welcome, but try it in production at your own risk.

Some alternatives

• sish - Main inspiration for this project. Written in Golang.
• rlt - Uses localtunnel's protocol instead of SSH. Written in Rust.
• wstunnel - Uses its WebSocket-based protocol instead of SSH. Written in Rust.
• rathole - A highly configurable reverse proxy with NAT traversal and a great name. Written in Rust.
• sshuttle - A smart proxy service, also based on SSH, that only needs Python in the server. Written in Python.