Open-source tools for securely exposing local services to the internet without relying on third-party cloud tunnels.
Hiddify is a cross-platform proxy client designed to manage secure network connections and traffic routing across desktop and mobile operating systems. It functions as a unified proxy manager, providing a centralized interface to configure and control various network proxy protocols for encrypted and private internet access. The application distinguishes itself by integrating local loopback interception, which configures the operating system network stack to route traffic through a local port for granular filtering. It also serves as a self-hosted infrastructure tool, enabling users to automate the deployment of private proxy servers on remote infrastructure through simplified command-line initialization. The system maintains consistency across environments by synchronizing remote server states through declarative configuration files and utilizing an event-driven daemon to monitor proxy health and network state changes. It employs a shared bridge layer to interact with native system APIs and firewall rules, while bundling all necessary dependencies into a single, self-contained executable package.
This project is a GitOps infrastructure framework designed for managing bare metal servers, container clusters, and networking. It serves as a declarative system for orchestrating the deployment and lifecycle of self-hosted services, using Git as the source of truth to synchronize the desired state of the environment. The framework differentiates itself through a comprehensive automation suite that covers the entire hardware-to-service pipeline. It includes a PXE-based bare metal provisioner for network booting and operating system installation, alongside a lightweight container orchestration layer for managing clusters. Secure service exposure is handled via encrypted tunnels and automated SSL certificate issuance using the ACME protocol. The project's capability surface extends to distributed block storage for resilient data access and centralized identity management for single sign-on across all hosted services. It also provides integrated secret management for secure credential distribution and tools for continuous integration, system monitoring, and automated volume backups. The environment can be provisioned and managed via a command-line interface, which supports executing workflows across multiple nodes and simulating deployments in local sandboxes.
XX-Net is a cross-platform desktop application that functions as a local proxy server and network traffic router. It intercepts outgoing network requests from a local machine and redirects them through encrypted tunnels to a distributed mesh of cloud-based nodes, facilitating secure and reliable access to external resources. The software distinguishes itself by providing a centralized management interface for coordinating complex proxy infrastructure. It employs rule-based traffic routing, allowing users to define custom logic based on destination addresses and protocols to determine the optimal path for data packets. This approach enables the circumvention of regional or institutional network restrictions while maintaining consistent connection stability. The application includes a comprehensive suite of tools for managing tunnel connections, listening ports, and remote server configurations. Users can adjust system settings, update schedules, and security credentials through a dashboard that supports dynamic configuration changes without requiring a full application restart.
all-in-one is a containerized deployment system designed to install and manage a complete suite of productivity and collaboration services. It functions as a cloud suite deployer that orchestrates the installation of a self-hosted content platform, incorporating necessary dependencies via Docker or Kubernetes. The project distinguishes itself by providing a web-based dashboard for orchestrating, updating, and monitoring the lifecycle of service containers. It also serves as a local AI inference server, enabling the execution of generative text models, image diffusion, and speech processing on private hardware. The platform covers a broad range of capabilities, including self-hosted cloud storage with S3-compatible gateway support, private data governance for encryption and retention, and collaborative knowledge management for shared workspaces. It further integrates automated workflow orchestration through webhooks and background jobs. Administrative operations can be performed through a command-line interface or the integrated web management UI.
Minikube is a command-line tool designed for local Kubernetes development, enabling users to provision and manage full-featured container clusters directly on a workstation. It serves as a local orchestrator that automates the lifecycle of isolated environments, allowing developers to start, stop, pause, and delete clusters to support testing and integration workflows. The project distinguishes itself through its flexible architecture, which supports multiple virtualization drivers and container runtimes to accommodate diverse host environments. It provides deep integration between the host and the cluster, including bidirectional filesystem mounting, service tunneling for local access, and the ability to build or load container images directly into the cluster runtime. Furthermore, it supports multi-node cluster management and profile-based configuration, allowing users to maintain separate, isolated environments for different projects. Beyond core orchestration, the tool covers a broad range of operational capabilities including dynamic storage provisioning, network policy enforcement, and hardware acceleration for specialized workloads like artificial intelligence. It also includes administrative features such as audit logging, secure authentication, and a web-based dashboard for monitoring cluster health and resource status. The project is distributed as a command-line utility that provides versioning to ensure compatibility between the management interface and the running cluster.
Shadowsocks-Windows is a desktop proxy manager that provides a graphical interface for configuring system-wide network routing. It functions as a local SOCKS5 or HTTP proxy server, intercepting outbound traffic through system-level injection to route requests through secure, encrypted remote tunnels. The application distinguishes itself through a modular architecture that supports plugin-based transport extensibility, allowing users to integrate external binaries for custom traffic obfuscation and specialized cryptographic protocols. It also enables high-availability networking by automatically rotating between multiple proxy servers based on real-time performance metrics, and supports multi-instance orchestration to manage independent proxy states and configurations simultaneously. Users can exercise granular control over network traffic through custom rule management, including the use of JavaScript-based auto-configuration files and geographic filtering to determine which requests bypass or traverse the proxy. The software further extends its utility by encapsulating connectionless datagrams into stream-oriented tunnels, ensuring that applications requiring UDP can function within the proxy environment.
Rathole is a high-performance reverse proxy and NAT traversal tool written in Rust. It functions as a secure tunneling server and client architecture designed to expose local services to the internet by forwarding traffic from a public IP to a private device behind a firewall. The system establishes encrypted tunnels between a public server and a private host to ensure private communication. It utilizes token-based authentication to validate identities between the server and client for each individual service. The project provides TCP and UDP port forwarding and manages private tunnels to facilitate remote service exposure. It includes capabilities for multiplexing multiple local services over a single network tunnel and supports dynamic configuration reloading to update active services without restarting the process.
Shadowsocks is a secure network tunneling tool designed for censorship circumvention and private internet connectivity. It functions as a proxy system that routes traffic through encrypted tunnels, allowing users to bypass regional network restrictions and protect data from interception across public infrastructures. The project utilizes a lightweight, custom proxy protocol that incorporates stream-based cipher encryption to obfuscate payload content and prevent deep packet inspection. By employing an asynchronous, event-driven networking model, the system manages concurrent connections efficiently. It establishes secure communication through a structured client-server handshake and authentication process, ensuring that all data transmission adheres to defined encryption requirements. The framework provides a modular approach to building and deploying custom proxy infrastructure, featuring a cross-platform socket abstraction layer that ensures consistent traffic routing across different operating systems. This implementation allows for the configuration of specialized connection handlers to manage data flow between local clients and remote server endpoints.
Rathole is a reverse proxy tunneling tool designed to expose local services behind firewalls and network address translation to the public internet. It functions as a secure tunneling infrastructure that enables remote access to private network resources without requiring manual router port forwarding configurations. The system utilizes a client-server architecture where a public-facing gateway coordinates with a private-network agent. It distinguishes itself by multiplexing multiple logical service connections through a single persistent TCP stream, which reduces the overhead of maintaining individual connections. To ensure security, the platform employs a dedicated control plane that manages service registration and verifies agent identity through token-based authentication before establishing any tunnels. The software handles high-concurrency traffic by utilizing non-blocking input and output operations within an asynchronous event loop. Data transmission is optimized through zero-copy buffer forwarding, which relays packets between network endpoints using shared memory to minimize processing requirements.
Clash Meta for Android is a system-level network utility that functions as a rule-based proxy engine for mobile devices. It operates by intercepting system-wide network traffic through a virtual interface, allowing it to route data packets through configurable tunnels based on domain, IP, and geo-location patterns. By acting as a transparent proxy, the application manages connectivity and enhances privacy for all installed software on the device. The project distinguishes itself by utilizing a high-performance, cross-compiled proxy kernel that handles concurrent connections and protocol translation directly on mobile hardware. It supports advanced proxy management, including the ability to handle multiple protocols and load balancing, while providing dynamic configuration hot-reloading to update routing rules and server endpoints in real-time without interrupting the networking service. Beyond core routing, the application provides content filtering and blocking capabilities to restrict unwanted network requests at the device level. It facilitates secure mobile connectivity by encapsulating outgoing data within encrypted tunnels, ensuring privacy when operating across various network environments. The software is distributed as an Android application, utilizing a low-overhead interface to bridge the native user interface with the underlying networking kernel.
Gatus is a service health monitoring tool and automated status page that tracks the availability and performance of endpoints. It functions as a multi-protocol uptime monitor, validating service health through response conditions, certificate expiration checks, and multi-step workflow executions. The system distinguishes itself by supporting a wide range of communication standards including HTTP, TCP, UDP, WebSocket, gRPC, and DNS. It enables the creation of developer-oriented dashboards that display real-time uptime, publish incident announcements, and generate dynamic uptime badges for external documentation. The platform covers infrastructure alerting through health alerts and custom webhooks, as well as synthetic transaction monitoring to validate complex multi-step processes. It provides a read-only JSON API for programmatic status retrieval and allows the aggregation of health data from multiple remote instances into a unified view. The application can be deployed and managed on Kubernetes using Helm charts.
Sing-box is a universal proxy engine and traffic router designed to manage complex network connectivity across multiple operating systems. It functions as a configuration-driven core that intercepts system-level traffic, allowing for transparent proxying through encrypted tunnels. By normalizing diverse network protocols into a unified interface, the engine enables consistent traffic forwarding and protocol translation regardless of the underlying environment. The project distinguishes itself through a declarative configuration pipeline that validates and merges modular settings into a unified internal state before execution. It employs a rule-based traffic dispatcher that evaluates incoming packets against hierarchical criteria to determine optimal routing paths dynamically. This is complemented by an asynchronous domain name resolution pipeline, which provides granular control over how network requests are mapped and filtered, ensuring that traffic handling remains both accurate and performant. Beyond its core routing capabilities, the platform includes a comprehensive security layer for managing encrypted connections, including support for advanced handshake options and certificate validation. It also provides tools for monitoring real-time traffic and connection status, alongside flexible management of routing rule sets that can be sourced from local or remote locations. The software is designed to be installed as a background service, providing a stable and scalable infrastructure for controlled network communication.
This project is an Android device farm management platform and mobile device testing lab. It provides a web-based interface for remotely controlling, debugging, and managing fleets of physical Android devices. The platform enables remote hardware access through an ADB remote control system, allowing for remote shell execution, application installation via drag-and-drop, and real-time screen interaction through a browser. It includes tools for mapping remote device connections to local ports, enabling the use of integrated development environments for debugging. The system covers hardware inventory tracking and attribute-based device search to monitor battery health and specifications across a fleet. It also provides remote system log management, a visual file system browser, and utilities for the scheduled allocation of device groups to users.
Nginx Proxy Manager is a containerized gateway controller that provides a graphical interface for managing web server routing, security certificates, and access control lists. It functions as a centralized dashboard for directing incoming web traffic to internal services, allowing users to map domain names to specific network ports without manual configuration file edits. The project distinguishes itself by automating the lifecycle of SSL certificates through integrated certificate authority clients and ACME challenges. It utilizes a dynamic routing engine based on high-performance web server platforms to modify traffic rules in real time, while an event-driven system monitors database changes to trigger configuration reloads without interrupting active connections. Beyond core routing, the platform supports network access control by implementing authentication layers and IP filtering directly at the gateway level. It maintains persistent state for proxy host definitions and security metadata using a lightweight relational database, ensuring consistent management of infrastructure across isolated backend containers.
Gost is a Go-based network tunnel and multi-protocol proxy server. It functions as a gateway for routing TCP and UDP traffic, creating secure network tunnels between remote endpoints, and acting as a DNS proxy server to resolve domain name queries. The project is distinguished by its ability to implement multi-hop proxy chaining, which links multiple network nodes in a sequence to route traffic through specific paths. It also provides transparent proxying by integrating with virtual network interfaces to intercept system-level traffic without requiring manual client configuration. The system covers broad capabilities in secure tunneling infrastructure, multi-protocol port forwarding, and traffic management. Security is handled through TLS traffic encryption, client authentication, and connection access filtering. It further includes operational tools for bandwidth rate limiting, network performance metrics, and a web API for dynamic configuration management.
This project provides a remote development platform that enables users to access a full-featured integrated development environment through a standard web browser. By decoupling the user interface from the server-side filesystem, it allows for persistent coding workspaces to be hosted on remote servers, virtual machines, or cloud-native infrastructure, ensuring a consistent development experience from any device. The platform distinguishes itself through a secure gateway architecture that manages traffic, authentication, and encryption at the edge. It utilizes persistent WebSocket connections to synchronize editor state and terminal input-output between the remote server and the browser. Furthermore, it includes built-in service proxying capabilities that allow developers to expose locally running web applications via secure subdomains or subpaths, complete with integrated identity verification and traffic management. To support diverse infrastructure requirements, the system offers flexible deployment options including containerized environments and automated provisioning workflows. It maintains state continuity through filesystem-mounted persistence, ensuring that configurations and project data remain intact across restarts. The platform also enforces network security by managing TLS certificates for HTTPS traffic and providing integration layers for external authentication providers. Installation is supported across various host architectures through shell scripts, package managers, or standalone archives, with built-in utilities for managing the application lifecycle.
This project is a multi-protocol proxy server and network tunneling tool designed to manage traffic across heterogeneous infrastructure. It functions as a traffic management gateway, providing the core infrastructure to route, filter, and secure network connections through a unified interface. The software distinguishes itself through its support for cascading proxy chaining and dynamic upstream load balancing, which allow for the creation of complex, multi-hop network paths. It provides granular control over traffic flow by normalizing diverse protocols, enabling transparent port forwarding, and facilitating intranet penetration through multiplexed, secure tunnels. The platform includes a broad suite of capabilities for infrastructure management, including independent DNS resolution, traffic compression, and layered encryption transport. It enforces security and compliance through access control lists, proxy authentication, and bandwidth throttling. Operational settings are managed via command-line arguments, which also support background process lifecycle management to ensure continuous service availability.
v2rayN is a cross-platform graphical management suite designed to centralize the configuration and execution of multiple network proxy protocols. It functions as a unified control plane that abstracts heterogeneous proxy backends, allowing users to manage diverse network routing engines through a single interface. The platform distinguishes itself by providing a consistent management experience across Windows, Linux, and macOS, while orchestrating the lifecycle of independent proxy processes as child services. It supports specific configuration ecosystems, enabling users to organize and switch between different proxy standards while maintaining structured routing rules. Beyond basic connectivity, the software includes tools for defining complex routing logic and granular traffic steering. By utilizing local geographic database assets, it enables precise filtering and regional access control based on destination metadata. The system also coordinates auxiliary utilities and manages the translation of user-defined rules into the specific schema requirements of various underlying proxy engines.
Dokploy is a self-hosted platform-as-a-service designed to simplify the deployment and management of containerized applications and databases. It provides a centralized control plane that decouples administrative management from application workloads, allowing users to oversee infrastructure across multiple server nodes through a unified web interface or a command-line tool. The platform distinguishes itself through an extensive library of pre-configured application templates, enabling the rapid deployment of databases, identity providers, and various productivity or development tools. It supports complex orchestration by allowing users to define multi-container services using standard configuration files, which can be managed through automated build pipelines, Git integration, and real-time performance monitoring. Beyond core deployment, the system includes robust infrastructure management capabilities such as automated backups to external object storage, horizontal and vertical scaling, and granular access control. It also provides secure configuration management, including environment variable synchronization, HTTPS certificate handling, and zero-downtime deployment strategies to ensure application stability and security. The platform is designed for ease of use, offering an interactive API documentation interface and instructional resources to guide users through installation and configuration. It supports a wide range of modern web frameworks and runtimes, providing a flexible environment for hosting and maintaining services on private server hardware.
Mitmproxy is an interactive, programmable network proxy engine designed for traffic analysis and protocol manipulation. It functions as a gateway that intercepts, inspects, and modifies network traffic in real-time, supporting HTTP, HTTPS, WebSocket, DNS, and generic TCP or UDP streams. By acting as a trusted certificate authority, the proxy can dynamically generate and sign certificates to decrypt and analyze secure TLS-encrypted connections. The project distinguishes itself through a highly extensible, event-driven architecture that allows users to automate traffic transformation using custom scripts. It provides a unified command-based interface for manual interaction, enabling users to define custom key bindings, content views, and command-line tools. The engine supports multiple operational modes, including explicit, transparent, reverse, and SOCKS proxying, as well as a userspace WireGuard VPN mode for capturing traffic without requiring client-side configuration changes. Beyond basic interception, the platform includes comprehensive tools for recording and replaying network conversations to simulate complex interactions or automate repetitive tasks. It offers advanced capabilities such as request blocking, header and body modification, and local resource mapping. The system also provides robust support for debugging and performance analysis, including integration with external tools through secret logging and structured data representation. The software is designed for rapid iteration, featuring live script reloading that updates custom logic without restarting the proxy process. It includes extensive documentation for managing certificates, configuring proxy modes, and implementing custom addons through a well-defined programmatic interface.