Dynamic Alternative Stack

Best alternatives to ngrok

Discover open-source, free tier, and premium alternatives to ngrok. Compare scores, pros/cons, and deployment paths instantly.

C

Cloudflare Tunnel

Alternative to ngrok

Free TierEnterpriseCloud-hosted service with local connectorProprietary SaaSPublic APIWebhooksPluginsSDK
GitHubGitLabSlackJiraOktaAzure

Best for

Teams already using Cloudflare that want secure remote access to internal apps and services

Cost

Free tier available; paid Zero Trust and enterprise plans add advanced access controls, logging, and policy features.

Summary

Securely exposes local services and private applications through Cloudflare’s global network without opening inbound firewall ports, with tight integration into Cloudflare Zero Trust.

Why Switch

Teams switch from ngrok when they want a more enterprise-oriented zero-trust tunnel with stronger policy controls and broader Cloudflare security integration.

SOC2GDPRISO 27001

Migration Playbook

  1. Export ngrok tunnel configuration by saving the ngrok.yml file, which includes tunnel names, local addresses, and authentication tokens. Map the 'addr' field in ngrok.yml to the 'origin' field in Cloudflare Tunnel configuration. Prepare to use Cloudflare's 'cloudflared' CLI for importing these settings.
  2. Create Cloudflare Tunnel configurations by translating ngrok tunnel definitions into Cloudflare Tunnel YAML format. For each ngrok tunnel, define a corresponding 'tunnel' with a unique name and specify the 'ingress' rules mapping the local service ports to Cloudflare's edge. Use the Cloudflare API or 'cloudflared tunnel create' commands to register tunnels under your Cloudflare account.
  3. Deploy the Cloudflare Tunnel connector locally by installing 'cloudflared' on the host machine. Authenticate using the generated credentials from Cloudflare, then start the tunnel using 'cloudflared tunnel run <tunnel-name>'. Verify that the local services are accessible through Cloudflare's network, replacing ngrok's public URLs with Cloudflare Tunnel endpoints.

Pros

  • 🟢No inbound ports required
  • 🟢Strong identity-aware access controls
  • 🟢Easy to pair with Cloudflare DNS and WAF
  • 🟢Good performance via Cloudflare edge network

Cons

  • 🔴Best experience is tied to the Cloudflare ecosystem
  • 🔴Some advanced features require paid plans
  • 🔴Not a full replacement for every tunneling workflow

0 builders switched

T

Tailscale Funnel

Alternative to ngrok

SubscriptionEnterpriseCloud-managed service with local agentProprietary SaaSPublic APIWebhooksPluginsSDK
GitHubSlackOktaGoogleAzure

Best for

Organizations using Tailscale that need a secure way to share local web apps and services

Cost

Included in some Tailscale plans; pricing depends on plan tier and organization size.

Summary

Publishes local services over Tailscale’s WireGuard-based network, enabling secure access paths that fit naturally into private networking and identity-based access models.

Why Switch

Teams switch from ngrok when they prefer to expose services through an existing private network and identity layer instead of a standalone tunneling tool.

SOC2GDPRISO 27001

Migration Playbook

  1. Export existing ngrok tunnel configurations by documenting the local server ports, subdomain names, and authentication tokens used. Since ngrok does not provide a direct export format, manually record these details in a structured format such as JSON or CSV for reference.
  2. Map ngrok tunnel parameters to Tailscale Funnel settings: local server ports correspond to Funnel's local service ports; ngrok subdomains map to Tailscale Funnel's domain names under your Tailscale network; ngrok authentication tokens correspond to Tailscale user identity and ACL configurations. Prepare a configuration file or script that defines these mappings for automated deployment.
  3. Import the mapped configurations into Tailscale by installing the Tailscale agent on the local servers and enabling Funnel via the Tailscale admin console or API. Use the Tailscale API to programmatically create Funnel endpoints by specifying the local ports and domain names as per the mapped configuration, ensuring identity-based access controls are applied according to your security requirements.

Pros

  • 🟢Simple setup for Tailscale users
  • 🟢Identity-based access and device trust
  • 🟢Works well for private network access patterns
  • 🟢Reduces need for public exposure

Cons

  • 🔴Most valuable when already using Tailscale
  • 🔴Less focused on public demo-style sharing than ngrok
  • 🔴Feature set depends on Tailscale plan

0 builders switched

I

inlets

Alternative to ngrok

Self-hosted or managed gatewayOpen Source with commercial offeringsOpen CorePublic APIWebhooks
GitHubAWS

Best for

Engineering teams that want a self-hosted, controllable tunnel solution for internal services and Kubernetes

Cost

Open-source community edition available; commercial editions and support are available for teams needing managed features.

Summary

An open-source reverse tunnel and service exposure tool that lets you publish local or private services through a gateway you control, often used for Kubernetes, edge, and self-hosted scenarios.

Why Switch

Teams switch from ngrok when they need full control over the tunnel endpoint and prefer a self-hosted or Kubernetes-native approach.

SOC2GDPR

Migration Playbook

  1. Export your current ngrok tunnel configurations by noting the local ports, protocols (HTTP, TCP), and authentication tokens used. Since ngrok does not provide a direct export format, manually document these settings for each tunnel you have running.
  2. Map the ngrok tunnel settings to inlets by configuring inlets clients with the corresponding local service ports and protocols. Set up your inlets server (gateway) either self-hosted or managed, and generate the required authentication tokens or certificates as per inlets documentation to secure the tunnels.
  3. Import the mapped configurations by deploying the inlets client on your local machine or server hosting the service, connecting it to your inlets server gateway using the generated tokens or certificates. Verify tunnel connectivity and update any DNS or firewall rules to route traffic through the inlets gateway instead of ngrok.

Pros

  • 🟢Self-hostable and infrastructure-controlled
  • 🟢Good fit for Kubernetes and edge use cases
  • 🟢Open-source core with commercial support options
  • 🟢Flexible for custom networking setups

Cons

  • 🔴Requires more operational ownership than SaaS tools
  • 🔴Less turnkey than ngrok for quick demos
  • 🔴Some advanced capabilities depend on paid offerings

0 builders switched

L

LocalTunnel

Alternative to ngrok

Open SourceSelf-hosted or community-hosted tunnelOpen CorePublic APIWebhooksPluginsSDK
GitHubSlack

Best for

Developers who need a fast, free way to expose a local web app for testing or demos

Cost

Free and open source; public instances may be community-run and less predictable than self-hosted deployments.

Summary

A lightweight open-source tool for exposing local web servers to the internet through a simple public tunnel, commonly used for quick testing and webhooks.

Why Switch

Teams switch from ngrok when they only need a simple free tunnel for development and can accept fewer enterprise controls.

SOC2GDPR

Migration Playbook

  1. Export ngrok tunnel configuration by saving the YAML config file (typically located at ~/.ngrok2/ngrok.yml), noting the local ports, subdomains, and authentication tokens used.
  2. Map ngrok configuration fields to LocalTunnel parameters: translate the local_addr field to the --port argument, and map subdomain settings to the --subdomain flag; since LocalTunnel does not support authentication tokens, plan to secure tunnels via network policies or VPN.
  3. Import the configuration by running LocalTunnel commands on the target environment using the CLI, e.g., 'lt --port <local_port> --subdomain <desired_subdomain>', and set up a self-hosted LocalTunnel server if needed to replicate custom domain or authentication features.

Pros

  • 🟢Very easy to use for quick sharing
  • 🟢Open-source and free
  • 🟢Useful for demos and webhook testing

Cons

  • 🔴Less reliable and secure than enterprise-grade options
  • 🔴Limited governance and access control
  • 🔴Public tunnel instances can be inconsistent

0 builders switched

Community FAQ

Questions by product

ngrok FAQ

Can I self-host ngrok to avoid dependency on third-party cloud infrastructure?

No, ngrok does not currently offer an official self-hosted version. The service relies on its cloud infrastructure to establish and maintain secure tunnels, so you must use their hosted platform. However, some open-source alternatives like localtunnel or expose exist if self-hosting is a strict requirement.

Community insight informed by Reddit discussions

Does ngrok support offline functionality or local-only tunneling without internet access?

No, ngrok requires an active internet connection to establish tunnels through its cloud servers. It cannot create tunnels or expose local services without internet access since the tunnel endpoints exist on ngrok's public servers.

Community insight informed by Hacker News discussions

Who owns the data transmitted through ngrok tunnels and how is privacy handled?

Data transmitted through ngrok tunnels passes through ngrok's servers, so technically ngrok has access to the traffic. Ngrok uses TLS encryption for tunnels, but since it terminates the tunnel on their infrastructure, they could potentially access metadata or unencrypted data if not using end-to-end encryption within the tunnel. For sensitive data, additional encryption at the application layer is recommended.

Community insight informed by StackOverflow discussions

Are there any API limitations or rate limits when using ngrok's service programmatically?

Yes, ngrok imposes rate limits and connection limits depending on your subscription tier. The free tier has restrictions on concurrent tunnels, session duration, and API request rates. Pro and higher tiers offer increased limits and additional features. Detailed limits are documented in ngrok's official API documentation.

Community insight informed by Forums discussions

Is there a way to export or migrate existing ngrok tunnel configurations to another service?

Ngrok does not provide built-in export or migration tools for tunnel configurations. Tunnel setups are typically defined in local config files or via CLI commands. To migrate, you would manually replicate your tunnel definitions in the new service’s configuration format. Some third-party tools or scripts might assist with this, but no official migration path exists.

Community insight informed by Reddit discussions

Cloudflare Tunnel FAQ

Can I self-host the Cloudflare Tunnel connector to avoid relying on Cloudflare's infrastructure?

No, Cloudflare Tunnel requires running the cloudflared daemon which connects outbound to Cloudflare's edge network. The tunnel endpoint and traffic routing are managed by Cloudflare's infrastructure, so you cannot self-host the entire tunnel service independently.

Community insight informed by Reddit discussions

Does Cloudflare Tunnel support offline or local-only access without internet connectivity?

No, Cloudflare Tunnel depends on an active outbound connection from your local service to Cloudflare's global network. Without internet connectivity, the tunnel cannot establish or maintain the connection, so offline access is not supported.

Community insight informed by Hacker News discussions

Who owns the data transmitted through Cloudflare Tunnel and does Cloudflare inspect the traffic?

Data transmitted through Cloudflare Tunnel remains your data, but it passes through Cloudflare's edge servers. Cloudflare does have access to the traffic for routing and security purposes, especially if you enable features like WAF or Zero Trust policies. For end-to-end encryption, you should ensure your services use TLS or other encryption layers.

Community insight informed by StackOverflow discussions

Are there any API limitations or rate limits when managing Cloudflare Tunnels programmatically?

Cloudflare provides APIs to manage tunnels, but there are rate limits and feature restrictions depending on your Cloudflare plan. Free plans have lower API rate limits and fewer management features compared to paid plans. Refer to Cloudflare's API documentation for exact limits.

Community insight informed by Forums discussions

Is there a way to export or migrate existing Cloudflare Tunnel configurations to another account or environment?

Currently, Cloudflare Tunnel configurations are tied to your Cloudflare account and cannot be directly exported or migrated. You need to recreate tunnels and reconfigure access policies manually in the target account or environment.

Community insight informed by Reddit discussions

Tailscale Funnel FAQ

Can I use Tailscale Funnel without exposing my local machine to the public internet?

Yes, Tailscale Funnel publishes local services over the Tailscale WireGuard network, which means your services are accessible only through your Tailscale network and authenticated devices. It does not require exposing your machine via a public IP or traditional port forwarding, enhancing security by limiting access to trusted identities.

Community insight informed by Reddit discussions

Does Tailscale Funnel work offline or without an internet connection?

No, Tailscale Funnel requires an active internet connection because it relies on the Tailscale coordination server for device authentication and routing. While the underlying WireGuard tunnels can operate on local networks, Funnel’s public URL feature depends on Tailscale’s infrastructure and DNS resolution.

Community insight informed by Hacker News discussions

Are there any API or automation options to programmatically manage Tailscale Funnel endpoints?

Currently, Tailscale Funnel does not provide a dedicated public API for managing Funnel endpoints or configurations. Management is primarily done via the Tailscale CLI and admin console. For automation, you can script CLI commands, but full API support for Funnel features is not yet available.

Community insight informed by StackOverflow discussions

How does Tailscale Funnel handle data ownership and privacy for traffic passing through the Funnel?

Traffic routed through Tailscale Funnel remains encrypted end-to-end using WireGuard tunnels between your devices. Tailscale does not proxy or inspect your service data; it only facilitates encrypted routing based on your network and identity configuration. This ensures you retain full data ownership and privacy.

Community insight informed by Forums discussions

Is there a way to export or migrate existing Tailscale Funnel configurations to another Tailscale account or organization?

No official export or migration tool exists for Funnel configurations. Since Funnel settings are tied to the Tailscale account and device identities, migrating requires reconfiguring Funnel endpoints manually in the new account or organization. Backing up your Tailscale device keys and settings can help, but full Funnel config export is not supported.

Community insight informed by Reddit discussions

inlets FAQ

How complex is it to self-host inlets compared to using SaaS tunneling services like ngrok?

Self-hosting inlets requires setting up and managing your own gateway server, which involves deploying the inlets server component on a public endpoint you control. Unlike SaaS tools like ngrok that provide turnkey tunnels, inlets demands operational ownership including TLS certificate management, firewall configuration, and monitoring. However, this complexity grants full control over your infrastructure and data flow.

Community insight informed by Reddit discussions

Does inlets support offline or air-gapped environments for exposing local services?

Inlets requires an internet-accessible gateway to establish reverse tunnels, so it does not natively support fully offline or air-gapped environments. The client needs to connect to the public inlets server to create the tunnel. For purely offline scenarios, alternative networking setups or VPNs would be necessary.

Community insight informed by Hacker News discussions

Who owns the data transmitted through inlets tunnels, and how is data privacy ensured?

Since inlets is self-hosted, you retain full ownership and control over all data transmitted through the tunnels. The traffic is proxied via your own gateway server, so no third-party cloud provider sees your data unless you choose to expose it that way. TLS encryption is supported to secure data in transit, but you must manage certificates and endpoint security yourself.

Community insight informed by StackOverflow discussions

Are there any API limitations or rate limits when using inlets for service exposure?

Inlets itself does not impose API rate limits since it operates as a reverse tunnel proxy rather than a centralized API gateway. However, throughput and connection limits depend on your gateway server's resources and network capacity. The open-source core has no built-in restrictions, but some advanced commercial features may introduce additional controls.

Community insight informed by Forums discussions

Is there a supported migration or export path for moving tunnels and configurations between inlets instances?

Inlets does not provide an automated migration tool for tunnels or configurations. Since tunnels are ephemeral and configured per client-server pair, migration typically involves redeploying the inlets server on the new gateway and updating client configurations accordingly. Configuration files and TLS certificates can be backed up and restored manually to facilitate this process.

Community insight informed by Reddit discussions

LocalTunnel FAQ

Can I self-host LocalTunnel to avoid relying on public tunnel servers?

Yes, LocalTunnel provides an option to run your own tunnel server by deploying the localtunnel-server project. This requires setting up a Node.js server that handles tunnel requests, which increases reliability and control but involves managing your own infrastructure and SSL certificates.

Community insight informed by Reddit discussions

Does LocalTunnel work offline or without internet connectivity?

No, LocalTunnel requires an active internet connection because it creates a public tunnel through a remote server to expose your local web server. Without internet access, the tunnel cannot be established and your local service won't be reachable externally.

Community insight informed by Hacker News discussions

Who owns the data passing through LocalTunnel, and is it encrypted end-to-end?

Data passing through LocalTunnel is routed via the public tunnel server, which means the server operator technically has access to the unencrypted traffic unless your local service uses HTTPS. LocalTunnel itself does not provide end-to-end encryption or data ownership guarantees, so sensitive data should be protected at the application layer.

Community insight informed by StackOverflow discussions

Are there any API limitations or rate limits when using LocalTunnel for exposing local services?

LocalTunnel does not officially document strict API rate limits, but since it relies on shared public servers, heavy or abusive usage may lead to connection drops or temporary blocks. Running your own server can alleviate these limitations by allowing unlimited tunnels under your control.

Community insight informed by Forums discussions

Is there a way to export or migrate existing tunnels or configurations in LocalTunnel?

LocalTunnel does not maintain persistent tunnel configurations or support exporting tunnels because each tunnel is ephemeral and created on demand. For persistent or reproducible tunnels, you would need to script your local client startup or consider alternative tools that support configuration export.

Community insight informed by Reddit discussions

Explore more

Other catalog hubs tagged with B2B SaaS.