A secure way to share locally hosted applications with the internet, without port forwarding, public IPs, or manual SSL certificates. Using encrypted tunnels, you can make select services publicly available while keeping your network locked down.
Why Use It
- Share confidently: Publish a portfolio, blog, or demo for clients or collaborators, no cloud hosting required.
- Access anywhere: Reach your homelab from a café in Lisbon or a co-working space in Bali, securely and instantly.
- Stay safe: Avoid the risks of traditional port forwarding, which leaves services exposed to scans and brute-force attacks.
Key Tools
- Tailscale Funnel (Free): Automatic HTTPS via *.ts.net, zero config, and seamless integration with your private tailnet. Ideal for personal projects.
- Cloudflare Tunnel: Zero-trust access with custom domains, identity policies, and enterprise-grade security. Great for semi-public tools.
- Ngrok (Free tier): Quick, temporary tunnels for testing, but not recommended for long-term or sensitive use.
💡 For digital nomads & homelabbers: Tailscale Funnel offers the best balance of simplicity, privacy, and reliability.
Sharing Your Local Stack
Alternatives to Tailscale Funnel: From Beginner to Expert
Sharing local applications usually requires a trade-off between simplicity and sovereignty. While "Turnkey" tunnels get you online in seconds, they often turn you into a Digital Tenant. For those seeking Absolute Ownership, manual tunneling through your own hardware is the gold standard.
| Solution | Level | Sovereignty | The Digital Tenant Risk |
|---|---|---|---|
| Cloudflare Tunnel | Beginner | Digital Tenant | Cloudflare terminates your SSL; they can technically "see" your unencrypted traffic. |
| Pinggy / Ngrok | Beginner | Digital Tenant | Reliance on third-party relay servers and restrictive bandwidth caps. |
| Pangolin.net (Cloud) | Intermediate | Owner (Hybrid) | Uses their dashboard for coordination/DNS, but you maintain the WireGuard keys. |
| NetBird | Intermediate | Owner | Peer-to-peer mesh. You own the data, but usually rely on their coordination cloud. |
| Headscale | Advanced | Absolute Owner | None. A self-hosted "brain" for Tailscale clients. You own the entire coordination. |
| FRP / Rathole | Expert | Absolute Owner | None. You own the entry point (VPS) and the tunnel. Total protocol freedom. |
The Sovereign Choice
The Tenant: Use Cloudflare or Pinggy if you need a quick public link for a demo or a temporary site. It is simplicity at the cost of a middleman.
The Owner: Use FRP or Rathole with a small VPS. This works across any network, bypasses restrictive firewalls, and ensures that no corporate entity ever holds the keys to your traffic.
Your choice defines your reality: data sovereignty, scalability, total cost, portability, maintainability, and the freedom to tinker.
| Feature | Tailscale Funnel | Cloudflare Tunnel | Ngrok |
|---|---|---|---|
| Cost | Free (with Tailscale account) | Free tier available; paid plans for advanced features | Free tier (limited); paid for custom domains & concurrency |
| HTTPS / SSL | ✅ Automatic: Let’s Encrypt, *.ts.net | ✅ Automatic: domain support | ✅ Free tier: *.ngrok.io |
| Custom Domain | ❌ No (only *.ts.net) | ✅ Yes (free with Cloudflare DNS) | ✅ Paid plans only |
| Authentication | ✅ Optional (Identity-aware proxy) | ✅ Advanced (Zero Trust, SSO, IP rules) | ⚠️ Basic auth in paid plans only |
| Setup Complexity | Easy (tailscale funnel 443 3000) | Moderate (Cloudflare account + CLI) | Easy (ngrok http 3000) |
| Long-Term Use | ✅ Designed for it | ✅ Enterprise-grade | ❌ Free URLs change on restart |
| Private Network | ✅ Built-in (part of Tailscale mesh) | ❌ No (public-only by design) | ❌ No |
| Best For | Digital nomads, homelabbers sharing personal apps | Teams, public-facing services with custom domains | Quick testing, demos, temporary sharing |
When Not to Go Public
Keep services private when they weren’t built for public access—even if sharing seems convenient.
💡 Rule of thumb: If it wasn’t designed for public use, don’t expose it, even “temporarily”!
Why It Matters
- Prevent leaks: Admin panels, logs, or databases can expose credentials or personal data.
- Reduce attack surface: Every public endpoint is a target. Minimize exposure.
- Avoid legal risk: Personal or client data may trigger GDPR or privacy laws if publicly reachable.
Never Expose These (Even Behind Passwords)
- Admin dashboards: Portainer, phpMyAdmin, router UIs
- Databases: MySQL, PostgreSQL, MongoDB (even with passwords)
- Internal tools: Vaultwarden, Nextcloud, dev/test environments with real data
If You Must Go Public: Do It Right
- Only expose apps designed for public use (e.g., portfolio sites, public APIs)
- Add strong auth: OAuth, Authentik, or 2FA—never rely on passwords alone
- Isolate public apps: Run them in a separate container/network with zero access to internal services
- Secure tunneling: Pangolin, Tailscale, Cloudflare Tunnel, or WireGuard, no open ports, no router changes
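A pre-flight check for the isolation and never-expose rules above, as an added example that is not part of the original page. It assumes a Docker Compose-style service map (the sample is constructed, and the service named tunnel is a hypothetical tunnel sidecar) and reports every service the tunnel can reach that is on the never-expose list or shares a network with an internal service.

```python
# Image-name keywords taken from the "Never Expose These" list on this page.
NEVER_EXPOSE = ("portainer", "phpmyadmin", "mysql", "postgres", "mongo",
                "vaultwarden", "nextcloud")

# Constructed sample: the "services" section of a compose file, already parsed.
COMPOSE = {
    "tunnel":    {"image": "cloudflare/cloudflared", "networks": ["public_net"]},
    "portfolio": {"image": "nginx:alpine", "networks": ["public_net"]},
    "blog":      {"image": "ghost:5", "networks": ["public_net", "internal_net"]},
    "db":        {"image": "postgres:16", "networks": ["internal_net"]},
    "portainer": {"image": "portainer/portainer-ce",
                  "networks": ["internal_net", "public_net"]},
}


def audit(services, tunnel="tunnel"):
    """Return sorted (service, problem) findings for what the tunnel can reach."""
    # A compose service that lists no networks joins the project's default one.
    nets = {name: set(svc.get("networks") or ["default"])
            for name, svc in services.items()}
    # Anything sharing a network with the tunnel sidecar is publishable by it.
    exposed = {n for n in nets if n != tunnel and nets[n] & nets[tunnel]}
    internal = set(nets) - exposed - {tunnel}

    findings = []
    for name in exposed:
        image = services[name].get("image", "").lower()
        if any(keyword in image for keyword in NEVER_EXPOSE):
            findings.append((name, "on the never-expose list"))
        # An exposed app that also sits on an internal network is a pivot point.
        for other in internal:
            shared = nets[name] & nets[other]
            if shared:
                findings.append(
                    (name, f"shares {sorted(shared)[0]} with internal service {other}"))
    return sorted(findings)


if __name__ == "__main__":
    for service, problem in audit(COMPOSE):
        print(f"{service}: {problem}")
```

An empty result means every tunnel-reachable service is off the never-expose list and has no network path to internal services.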
Better Than Public: Private Access for Trusted Users
For digital nomads, creators, or homelabbers managing sensitive or family data:
→ Use Pangolin, Tailscale or ZeroTier to share securely without a public IP.
→ Serve public content via read-only APIs (e.g., a portfolio pulling from a private CMS).
Best for: Those who value long-term security over short-term convenience—and understand that true control means choosing who gets access, not just how.
Trusted Resources
The external sites are not affiliated with us. We include them because they provide reliable, transparent, and community-driven information that aligns with our commitment to honest, open-source tooling.