OPEN SOURCE · RUST · MIT

Public URL to localhost.
Without the account wall.

One binary on your VPS, one on your laptop. You get a real HTTPS URL on your own subdomain, pointing straight at whatever you're running on localhost.

Quickstart GitHub
farkhad@mbp · ~/work/api
connected
$ nowhere 3000 --subdomain api connecting to nowhere.example.com:7000 ... control channel up, token ok assigned https://api.nowhere.example.com forwarding to localhost:3000   09:41:02 GET / 200 12ms 24.73 KB 09:41:04 POST /api/auth 200 38ms 412 B 09:41:06 GET /api/users/42 200 11ms 1.09 KB 09:41:09 GET /missing 404 2ms 118 B   requests: 47 · in-flight: 0 · uptime: 00:12:34
v0.9.2 · Apr 2026

Built for people who already have a server.

If you pay for a VPS and own a domain, you already have everything a tunnel service charges you to unlock.

With ngrok
  • Random subdomain on every launch.
  • Account wall, email verification, upsells.
  • Paying to unlock a domain and TLS cert you already own.
With nowhere
  • Your own permanent subdomain, pinned or random.
  • No accounts. A shared token and a systemd unit.
  • Your VPS, your wildcard cert, your traffic, your rules.
HOW IT WORKS

One control channel. Two binaries. That's it.

The client opens one long-lived TCP connection to your server's control port and authenticates with a shared token. Your server allocates a subdomain and replies. Public traffic hits :443 on your VPS, the host header gets parsed, and the request is framed over that control channel to the matching client. Your laptop dials localhost, forwards the request, and streams the response back.

FEATURES

Nothing flashy. Just the things you'd expect.

HTTPS with your own cert

Point certbot DNS-01 at your wildcard. Your server terminates TLS. No shared edge.

Custom or random subdomains

Pin api.nowhere.example.com or let the server hand you a fresh one.

Live TUI dashboard

Run with --tui for a ratatui view of requests, status codes, and latency.

Token auth, rotated on demand

Shared secrets in a TOML file on the server. Revoke by removing a line, reload the unit.

One static binary per platform

Built with Rust and Tokio. Drop it on the server, drop it on your laptop. No runtime.

Zero telemetry, zero analytics

No phone-home, no SDK, no beacon. Your traffic belongs to your server and no one else's.

QUICKSTART

Two binaries. Two commands.

On your VPS, once. Wildcard DNS and a cert first.

cargo install --path .
sudo cp deploy/nowhere-server.toml /etc/nowhere/server.toml
# edit domain and token
sudo cp deploy/systemd.service /etc/systemd/system/nowhere.service
sudo systemctl enable --now nowhere

On your laptop. One login, then one command per session.

cargo install --path .
nowhere login nowhere.example.com:7000 --token <token>

nowhere 3000
nowhere 3000 --subdomain api
nowhere 3000 --tui
COMPARISON

How it stacks up.

  nowhere ngrok bore cloudflared
Self-hostedYesNoYesNo
HTTPS on public sideYesYesNoYes
HTTP host routingYesYesNoYes
Custom subdomainsYesPaidNoYes
Account requiredNoYesNoYes
Ads / interstitialNoneYesNoneNone
Open sourceMITNoMITPartial
BACKSTORY

Why I built this.

I've been running my own servers since I was 17. By early 2024 I was tired of bouncing through ngrok just to show a friend a local dev build. Random subdomain on every restart, an account wall I didn't want, and an interstitial page in front of a project I was paying a VPS to host anyway.

So I wrote the smallest thing that would replace it: one Rust binary for the server, one for the laptop, a control channel, and a host-header router. It lives on a $6 box and does exactly what I need. If you already own a VPS and a domain, it'll probably do what you need too.

— Farkhad

copied to clipboard