Cloudflare Tunnel

Best Self-Hosted Alternatives to Cloudflare Tunnel

A curated collection of the 17 best self-hosted alternatives to Cloudflare Tunnel.

Cloudflare Tunnel creates outbound-only tunnels from on-premises or cloud hosts to Cloudflare’s edge, allowing private web apps and services to be published without opening inbound ports. It integrates with Cloudflare Zero Trust for access policies and edge routing.

Alternatives List

#1
Caddy

Caddy is a fast, extensible Go web server and reverse proxy with automatic HTTPS (ACME), HTTP/1.1, HTTP/2, and HTTP/3 support, and a JSON config API.

Caddy is a modern, extensible web server platform commonly used as an HTTPS server and reverse proxy. It automates TLS certificate provisioning and renewal by default and supports HTTP/1.1, HTTP/2, and HTTP/3.

Key Features

  • Automatic HTTPS with certificate issuance and renewal (ACME)
  • HTTP/1.1, HTTP/2, and HTTP/3 support
  • Reverse proxy with load balancing, health checks, retries, and pluggable transports
  • Native JSON configuration with an admin REST API for dynamic, online config changes
  • Caddyfile configuration format plus config adapters for other formats
  • Built-in support for internal PKI use cases (local CA, internal names and IPs)
  • Modular, plugin-based architecture with statically compiled extensions

Use Cases

  • Securely serve static websites and web applications with minimal TLS setup
  • Act as an edge reverse proxy for microservices with health checks and load balancing
  • Automate certificate management for multi-tenant and customer-domain SaaS deployments

Limitations and Considerations

  • Advanced deployments (dynamic config, clustering, custom modules) may require JSON config/API familiarity
  • Some capabilities depend on selecting/building the appropriate modules for your environment

Caddy is a strong fit when you want a production-grade server that simplifies HTTPS and scales to many sites. Its configuration API and modular architecture make it suitable for both simple single-host setups and automated, large-scale environments.

69.2k stars
4.6k forks
#2
Pangolin

Open-source identity-based remote access platform combining WireGuard VPN and tunneled reverse proxy access with granular zero-trust controls.

Pangolin is an identity-based remote access platform built on WireGuard that securely routes traffic to private and public resources across multiple networks. It combines VPN-style connectivity with browser-based reverse proxy access to applications, using zero-trust access controls.

Key Features

  • WireGuard-based tunnels to connect remote networks (“sites”) without exposing ports or requiring public IPs
  • Browser-based access to web applications via identity- and context-aware tunneled reverse proxy
  • Client-based access to private resources (for example SSH, databases, RDP, and network ranges)
  • Granular zero-trust access controls so users only reach explicitly allowed resources
  • SSO and OIDC support, plus additional authentication options such as PIN and passwords
  • Centralized dashboard to manage applications across networks, with access logging and policy enforcement
  • Automatic TLS/SSL certificate handling for proxied apps

Use Cases

  • Provide secure access to internal tools (Grafana, Bitwarden, admin panels) across offices, cloud VPCs, and edge locations
  • Replace or complement traditional VPNs with per-application access and stronger identity enforcement
  • Publish self-hosted web apps safely without directly exposing the underlying network

Limitations and Considerations

  • Dual-licensed: Community Edition under AGPL-3, with separate enterprise/commercial licensing terms

Pangolin is well-suited for teams and homelabs that need identity-aware access to distributed networks and apps. It emphasizes minimizing network exposure while still enabling convenient browser and client access to protected resources.

18k stars
532 forks
#3
Cloudflared

CLI tool to create Cloudflare Tunnels and route traffic through Cloudflare’s edge.

Cloudflared is the Cloudflare Tunnel client used to create and manage tunnels that expose local or private services to the Internet through Cloudflare's edge network.

It authenticates to your Cloudflare account and routes traffic from the Cloudflare network to your origin with TLS, providing an added layer of security and control.

Key Features

  • Easy-to-install agent with low performance overhead
  • Command-line configuration
  • Built-in DDoS protection
  • Load balancing across origin pools with Cloudflare Load Balancer
  • Encrypted tunnels with TLS (origin-side certificates)
  • Application and protocol-level error logging

Use Cases

  • Provide secure remote access to internal applications via Cloudflare Access (Zero Trust)
  • Quickly expose local development environments for previews using Quick Tunnels
  • Improve remote performance and reliability with Argo Smart Routing across the Cloudflare network
12.7k stars
1.1k forks
#4
iodine

iodine is a DNS tunneling tool that forwards IPv4 traffic through DNS queries and replies, providing a TUN interface to route IP traffic when only DNS is allowed.

iodine is a tunnel application that transports IPv4 traffic through DNS, using a client and server to create a virtual network interface and route IP packets over DNS queries and replies. It is commonly used in constrained networks where direct internet access is blocked but DNS is still permitted.

Key Features

  • Client/server IP-over-DNS tunnel using a TUN/TAP virtual interface
  • Works across multiple platforms (Linux, BSDs, macOS, and Windows)
  • Supports multiple DNS record types for transport, with autodetection for best throughput
  • Automatic probing of fragment/packet sizes to optimize performance
  • Challenge-response login and basic peer filtering to reduce unauthorized injection
  • Can fall back to raw UDP tunneling when direct UDP to port 53 is possible

Use Cases

  • Remote connectivity from restricted networks that only allow DNS traffic
  • Creating a temporary backchannel for administration and troubleshooting
  • Running a second-layer VPN or SSH-over-tunnel for more secure transport

Limitations and Considerations

  • Carries IPv4 payload only; tunneled traffic is not encrypted by default
  • Throughput is constrained and often asymmetric, depending on DNS relays and policies
  • Client and server typically need matching versions due to protocol compatibility

iodine is a pragmatic tool for establishing connectivity over DNS when other protocols are blocked, offering portability and performance-focused DNS transport choices. For security-sensitive scenarios, it is best used as a transport for an encrypted layer such as VPN or SSH.

7.6k stars
573 forks
#5
Cosmos Cloud

Cosmos Cloud is a security-focused self-hosting platform that provides an app store, reverse proxy with automatic HTTPS, SSO/MFA, container management, backups, and monitoring.

Cosmos Cloud is a self-hosting platform designed to run and secure home servers, NAS devices, and small business deployments. It combines an application gateway, app management, and built-in security controls to protect services that may not be hardened by default.

Key Features

  • App store for installing and managing self-hosted applications, plus support for importing Docker Compose stacks
  • Reverse proxy for routing to containers or external services, with automatic HTTPS certificate provisioning
  • Built-in authentication server with SSO (OpenID Connect) and multi-factor authentication
  • SmartShield protections including anti-bot and anti-DDoS features, plus security-focused access controls
  • Container management and updates, with security auditing for managed apps
  • Built-in VPN for secure remote access without exposing services directly to the internet
  • Backup system with incremental, encrypted backups and support for remote targets (using restic)
  • Monitoring with historical metrics, real-time status, and customizable alerts/notifications
  • User management and identity-provider style features (invites, account recovery workflows)

Use Cases

  • Securely publish multiple homelab services behind a single gateway with SSO and HTTPS
  • Provide a private “personal cloud” experience for families with centralized access and user accounts
  • Deploy and operate internal web apps for small organizations with tighter access controls

Limitations and Considerations

  • License is “available source” (Commons Clause), which may not meet some organizations’ open-source requirements

Cosmos Cloud is best suited for users who want an integrated control plane for apps, networking, and security rather than assembling separate components. It aims to simplify deployment while adding protective layers for commonly self-hosted services.

5.5k stars
198 forks
#6
Zoraxy

A general-purpose HTTP reverse proxy and forwarding tool for homelabs, offering web UI, ACME/TLS, stream proxy, plugins and realtime monitoring.

Zoraxy is a general-purpose HTTP reverse-proxy and forwarding gateway designed for homelab and self-hosted services. It provides a web UI for configuring proxies, TLS, routing and runtime utilities so users can expose and manage services from a single gateway.

Key Features

  • HTTP reverse proxy supporting virtual directories, alias hostnames and custom headers.
  • Automatic WebSocket proxying and stream proxy support for TCP/UDP forwarding.
  • TLS/SSL management with ACME (Let's Encrypt) support, auto-renew and SNI/SAN certificate handling; includes DNS challenge integrations.
  • Load balancing, basic auth, redirection rules and blacklist/whitelist controls (IP/CIDR/country).
  • Real-time analytics and uptime monitoring with instant network/visitor statistics and no-reload access control.
  • Plugin system and built-in utilities (mDNS scanner, Wake-on-LAN, IP/port scanners, debug forward proxy).
  • Web-based SSH terminal for in-browser administration.

Use Cases

  • Expose and route multiple self-hosted web apps (home server, NAS, media servers) behind a single, manageable reverse proxy.
  • Provide TLS/ACME certificate automation and DNS-challenge workflows for services without manual cert management.
  • Monitor service availability and traffic in real time, and run network utilities (scans, WOL) from the gateway UI.

Limitations and Considerations

  • Some advanced modules are community-maintained or seeking maintainers (notably ACME integration improvements and an extended logging/analysis module), which may affect feature completeness for large-scale deployments.

Zoraxy is lightweight and targeted at homelab users and small deployments that need a single gateway for routing, TLS and basic observability. It is distributed with prebuilt binaries and Docker artifacts and can be built from source with Go, making it suitable for ARM/SBC and x86 environments.

4.8k stars
270 forks
#7
sish

sish is an open-source Serveo/ngrok alternative that exposes local HTTP(S), WebSockets, and TCP services to the internet using SSH reverse tunnels.

sish is an open-source tunneling server that lets you securely expose services running on localhost to remote users using only SSH. It supports reverse tunnels for web traffic and raw TCP, making it a lightweight alternative to services like Serveo or ngrok.

Key Features

  • Expose local HTTP and HTTPS services through an SSH reverse tunnel
  • Support for WebSocket (WS/WSS) tunneling
  • Raw TCP port tunneling via SSH remote port forwarding
  • Centralized server you can run on your own domain and infrastructure
  • Works with standard SSH clients (no custom agent required)

Use Cases

  • Sharing a local development web server for reviews or debugging
  • Providing temporary access to internal tools without opening firewall ports
  • Exposing non-HTTP services (TCP) for testing and remote connectivity

sish is a practical choice when you want a simple, SSH-native tunneling workflow and full control over the tunneling endpoint by running your own server.

4.5k stars
327 forks
#8
SWAG

LinuxServer.io SWAG is a Docker image bundling Nginx reverse proxy, ACME certificate automation (Let’s Encrypt/ZeroSSL), optional PHP, and fail2ban intrusion prevention.

SWAG (Secure Web Application Gateway) is a LinuxServer.io-maintained container image that provides an Nginx web server and reverse proxy with automated TLS certificate issuance and renewal via an embedded ACME client. It is commonly used as a front door for self-hosted applications, handling HTTPS termination and reusable proxy configurations.

Key Features

  • Nginx web server and reverse proxy for routing multiple apps behind one domain
  • Automated certificate issuance and renewal using Certbot (ACME) with Let’s Encrypt or ZeroSSL
  • Supports HTTP and DNS-based validation, including wildcard certificates (via DNS plugins)
  • Includes preset reverse proxy configuration templates for many popular services
  • Optional PHP support for serving dynamic web content
  • Built-in fail2ban for intrusion prevention (with optional firewall rule integration)

Use Cases

  • Expose multiple self-hosted services securely over HTTPS with subdomains
  • Terminate TLS centrally and share generated certificates with other containers
  • Host a small web site or landing page alongside reverse-proxied applications

Limitations and Considerations

  • Certificate issuance depends on correct inbound port forwarding (HTTP validation) or supported DNS provider credentials (DNS validation)
  • Some Certbot DNS plugins may require additional packages/mods if not included in the base image

SWAG is a practical choice when you want a repeatable, containerized Nginx reverse proxy setup with integrated ACME automation and extra security tooling. It fits especially well in Docker-based homelabs that rely on subdomains and standardized proxy templates.

3.6k stars
280 forks
#9
GoDoxy

High-performance reverse proxy and container orchestrator with Web UI, automatic Docker/Podman route discovery, idle-sleep, access control, and automated Let's Encrypt support.

GoDoxy is a high-performance reverse proxy and lightweight container orchestrator designed for self-hosters. It automatically discovers containerized services, creates routes, and exposes a Web UI for configuration, monitoring and logs.

Key Features

  • Automatic route discovery from Docker/Podman containers and container labels
  • Idle-sleep: stop idle containers and wake them on incoming traffic
  • Connection- and request-level access control (IP/CIDR/GeoIP-based rules)
  • Built-in server monitoring and system metrics (uptime, CPU, memory, disk)
  • Access logging and periodic access summary notifications
  • Automated TLS certificate management using DNS-01 (Let's Encrypt)
  • HTTP reverse proxy and TCP/UDP port forwarding with rule-based routing
  • Authentication integrations: OpenID Connect, ForwardAuth, CAPTCHA middleware
  • Web UI with app dashboard, config editor, Docker logs viewer and metrics

Use Cases

  • Host and route multiple self-hosted web apps on a single server with automatic Docker label-based routing
  • Reduce resource use by putting little-used services to sleep and auto-waking them on demand
  • Provide centralized access control, TLS automation and monitoring for home or small lab infrastructures

Limitations and Considerations

  • GoDoxy is designed to run in host network mode; changing network mode is not supported and may break routing
  • GeoIP-based ACL features require a MaxMind account and GeoIP database configuration to function fully
  • Official builds target linux/amd64 and linux/arm64; other OS/architectures are not supported out of the box
  • Some application patterns (e.g., containers exposing multiple unrelated ports) may not be handled automatically and require manual routing configuration

GoDoxy combines reverse-proxy features with lightweight container orchestration and an integrated Web UI to simplify routing, access control and monitoring for self-hosted environments. It is intended for users who want automatic container-aware routing, TLS automation and resource-saving idle-sleep capabilities.

2.7k stars
104 forks
#10
GoDoxy

High-performance reverse proxy for self-hosted apps with Web UI, Docker/Podman auto-routing, HTTPS via Let's Encrypt, access control, and OIDC/ForwardAuth support.

GoDoxy is a lightweight, performance-focused reverse proxy designed for self-hosters, with automatic routing based on container metadata and a built-in Web UI. It can manage HTTPS certificates, apply access controls, and proxy traffic to services across single or multiple nodes.

Key Features

  • Reverse proxy for HTTP services plus TCP/UDP port forwarding
  • Automatic route discovery from Docker/Podman containers via labels, with hot-reload on changes
  • Web UI with app dashboard, configuration editor, uptime and system metrics, and container log viewing
  • Automatic TLS certificate management with Let's Encrypt (including DNS-01 challenge support)
  • Access control lists (ACL) with request/connection level rules (for example IP/CIDR)
  • SSO options via OpenID Connect and ForwardAuth integration
  • Optional idle-sleep behavior to stop and wake workloads based on traffic (including support for Docker containers and Proxmox LXCs)

Use Cases

  • Publish and secure multiple self-hosted web apps behind a single gateway with automated HTTPS
  • Centralize routing and basic access control for homelab services using container labels
  • Reduce resource usage by auto-sleeping seldom-used services and waking them on demand

Limitations and Considerations

  • Some ACL features rely on MaxMind configuration for geo/timezone-based rules
  • Designed to run in host network mode, which may constrain certain deployment patterns

GoDoxy fits well in homelab and small-server environments where container-driven routing, a convenient UI, and automated TLS are priorities. It combines reverse proxying, basic orchestration-like automation, and authentication integration to simplify operating self-hosted services.

2.7k stars
104 forks
#11
Defguard

Enterprise-grade zero-trust access management platform providing WireGuard VPN with true protocol-level 2FA/MFA, plus integrated OpenID Connect SSO and user/device controls.

Defguard is an enterprise-grade zero-trust access management platform centered on WireGuard VPN with multi-factor authentication enforced at the VPN protocol level. It also provides integrated identity and SSO capabilities, designed for auditable, private deployments without relying on third-party cloud services.

Key Features

  • WireGuard VPN with true connection-level 2FA/MFA (TOTP/email tokens, pre-shared keys) rather than web-only MFA
  • Built-in OpenID Connect identity provider for SSO, plus support for external OIDC providers
  • LDAP/Active Directory integration with synchronization for users and groups
  • User, device, and group management with policy controls (RBAC-style administration)
  • Remote user enrollment and onboarding flows, including client configuration distribution
  • Forward-auth support for protecting applications behind reverse proxies
  • Audit-focused operations with logs and visibility into connected users/devices

Use Cases

  • Secure remote workforce access to private networks using WireGuard with enforced MFA
  • Replace or complement an existing IdP by acting as an OIDC provider for internal apps
  • Centralize user/device onboarding and access policies for multi-site VPN deployments

Defguard fits organizations that need a modern WireGuard-based VPN with strong identity and access controls, while keeping authentication and configuration fully under their own infrastructure.

2.5k stars
83 forks
#12
DockFlare

Self-hosted controller that automates Cloudflare Tunnels, DNS records, and Access policies using Docker labels, with a web UI and optional multi-server agents.

DockFlare is a self-hosted ingress controller for Cloudflare that automates Cloudflare Tunnel configuration from Docker container labels. It centralizes DNS and Cloudflare Zero Trust Access management, and includes a web UI for manual definitions and policy overrides.

Key Features

  • Automatic Cloudflare Tunnel and DNS record management driven by Docker labels
  • Web UI for creating services, applying overrides, and managing reusable Access Groups/Policies
  • Built-in Identity Provider management for OAuth/OIDC (including generic OIDC)
  • Public vs authenticated access modes mapped to Cloudflare Access decisions
  • Multi-server “master/agent” architecture for managing workloads across multiple hosts
  • Redis-backed coordination for caching and cross-process signaling
  • Backup and restore of DockFlare instance data (including encrypted credentials)

Use Cases

  • Publish internal services securely without manually configuring Cloudflare dashboards
  • Standardize Cloudflare Access policies across many apps using reusable groups
  • Orchestrate tunnels and access controls across a homelab or multi-host environment

Limitations and Considerations

  • Requires a Cloudflare account and API token permissions to manage tunnels, DNS, and Access resources
  • Primarily designed around Docker event/label workflows; non-Docker services may require manual definitions

DockFlare is well-suited for operators who want Cloudflare Tunnel-based ingress with centralized, repeatable policy management. It reduces configuration drift by syncing desired state from labels and UI-managed rules while supporting multi-host environments through agents.

1.8k stars
69 forks
#13
Self-Hosted Gateway

Automates Reverse Proxy-over-VPN (RPoVPN) using WireGuard, Caddy and NGINX to expose Docker Compose services to the public Internet with automated TLS.

Self-Hosted Gateway automates provisioning of Reverse Proxy-over-VPN (RPoVPN) WireGuard tunnels to expose local Docker Compose services to the public Internet. It combines Caddy, Nginx and WireGuard to provide per-link tunnels, automatic TLS and a minimal docker-compose workflow.

Key Features

  • Automates provisioning of WireGuard-based RPoVPN tunnels that forward traffic from a public gateway to local docker-compose projects.
  • Uses Caddy on the client side and NGINX on the gateway to handle HTTPS termination, proxying and automatic TLS certificate provisioning.
  • Docker-native workflow: generate a small "link" docker-compose snippet and run a client container that establishes the tunnel and exposes specified services.
  • Per-link network isolation via Docker Compose private networks and dedicated WireGuard tunnels, reducing cross-service exposure.
  • Supports passing remote client IPs to local containers via proxy protocol, basic-auth via env variables, and proxying generic TCP/UDP traffic (socat).

Use Cases

  • Expose self-hosted web apps, dashboards or development services running in docker-compose to the public Internet without manual port forwarding.
  • Enable remote access to services from behind CGNAT or double-NAT by terminating traffic on a public VPS gateway and routing it over WireGuard tunnels.
  • Provide isolated, per-service tunnels for teams who want reproducible, auditable exposure of containerized services.

Limitations and Considerations

  • Requires a publicly addressable Linux gateway (VPS) with SSH and open ports 80/443 and an open UDP port range; a domain with A records is needed for TLS.
  • Installation and operation expect familiarity with Docker, docker-compose, Makefiles and basic Linux network/SSH administration; not a turnkey SaaS.
  • Relies on third-party components (WireGuard, Caddy, NGINX); diagnosis may require troubleshooting across those layers.

Self-Hosted Gateway is focused on a reproducible, self-managed pattern for exposing containerized services using reverse-proxy-over-VPN. It is intended for operators comfortable with Docker and VPS administration who want an open-source alternative to commercial tunneling services.

1.7k stars
81 forks
#14
Wiredoor

Self-hosted ingress platform that exposes internal HTTP/TCP services to the internet through reverse WireGuard tunnels, with NGINX routing and automatic TLS certificates.

Wiredoor is a self-hosted ingress-as-a-service platform for securely exposing applications and services running in private networks to the public internet. It creates reverse VPN tunnels using WireGuard and routes inbound traffic through a built-in NGINX reverse proxy.

Key Features

  • Reverse VPN tunneling powered by WireGuard for connecting private nodes to a public entrypoint
  • Built-in NGINX reverse proxy to publish HTTP services and route traffic by domain
  • Expose both HTTP and TCP services, including support for WebSocket connections
  • Automatic TLS certificates via Let’s Encrypt, with self-signed fallback for internal/local domains
  • Web UI to manage nodes, domains, and exposed services
  • CLI-driven setup for registering nodes and creating/revoking exposures
  • Optional OAuth2-based authentication per domain/service via an OAuth2 proxy
  • Designed to work across environments (Kubernetes, Docker/Compose, VMs, legacy servers, and IoT)

Use Cases

  • Publish internal dashboards (for example monitoring tools) without opening inbound firewall ports
  • Provide temporary external access to a private service for support, maintenance, or demos
  • Expose services running inside Kubernetes clusters, Docker hosts, or on-prem networks through a single public gateway

Wiredoor fits teams and homelabs that want cloud-like ingress control while keeping networking and access fully under their own infrastructure. It provides a consistent way to connect private nodes, map domains, and expose services securely with minimal operational overhead.

1.5k stars
74 forks
#15
NetGoat

NetGoat is a self-hostable reverse proxy and traffic management platform offering Cloudflare-like features such as TLS termination, rate limiting, WAF-style filtering, and dashboards.

NetGoat is a self-hostable reverse proxy engine and traffic manager designed to provide Cloudflare-like controls for routing, security, and performance. It aims to help homelabs and teams manage inbound web traffic with an integrated UI and rule-based behavior.

Key Features

  • Reverse proxy for HTTP traffic, including WebSocket support
  • TLS termination with automated certificate handling
  • WAF-style request filtering and anti-abuse protections
  • Rate limiting and request queuing to protect APIs and apps
  • Load balancing and failover for multi-node routing
  • Per-domain configuration with wildcard/regex support
  • Dynamic rules engine for custom routing and filtering logic
  • Metrics dashboard for traffic and error visibility
  • Optional integration targeting Cloudflare workflows (such as tunnels)

Use Cases

  • Fronting multiple self-hosted services with a single security and routing layer
  • Adding rate limiting and basic WAF protections to APIs and web apps
  • Managing multi-service homelab ingress with per-domain policies and monitoring

Limitations and Considerations

  • Project is explicitly work-in-progress; features and stability may change significantly
  • Some advertised capabilities may be incomplete depending on the current release state

NetGoat is best suited for users who want a centralized, UI-driven reverse proxy with security-focused controls and extensibility. As it matures, it can serve as a flexible edge layer for both homelab and small-team deployments.

668 stars
29 forks
#16
traefik-kop

Publishes Docker container label-based service definitions into Redis so a central Traefik instance can discover and route services across multiple Docker hosts.

traefik-kop is a small Go-based discovery agent that reads Docker container labels on a local node and publishes equivalent service definitions to Redis so a single central Traefik instance (configured with a Redis provider) can route to services running on multiple Docker hosts.

Key Features

  • Mirrors Traefik Docker provider logic: reads container labels and translates them into Traefik service/route definitions
  • Publishes service definitions into Redis so a remote Traefik instance can consume them
  • Flexible IP binding: explicit bind-ip, interface-derived IP, container networking overrides, or auto-detection
  • Namespace and label-prefix filtering to target or isolate sets of containers
  • Load balancer merging option to combine endpoints from multiple nodes for the same service
  • Configurable via CLI flags or environment variables; supports redis auth, TTL, and poll interval

Use Cases

  • Expose services from multiple non-swarm Docker hosts through a single public Traefik reverse proxy
  • Centralized ingress routing for heterogeneous Docker hosts where Traefik cannot run locally on every node
  • Multi-tenant or environment separation using namespaces or custom label prefixes to control which containers are published

Limitations and Considerations

  • Requires a reachable Redis instance and a Traefik instance configured to use the Redis provider
  • Needs access to the Docker socket on each node; running with this access has security implications
  • If redis-ttl is not used or load balancer merging is enabled, stale/backing IP entries can persist when node IPs change
  • Some deployment modes (host networking, multiple port bindings) require explicit labels or host networking for correct port selection

traefik-kop is a pragmatic solution when you need Traefik-style label-driven routing across multiple Docker hosts without Swarm or Kubernetes. It is lightweight, configurable, and designed to integrate with existing Traefik Docker-provider semantics.

431 stars
24 forks
#17
HomeServerHQ

Integrated installer and platform for home infrastructure. Provides VPN relay for NAT traversal, preconfigured email, automatic HTTPS, reverse proxy, and a web management utility.

HomeServerHQ is an all-in-one home server infrastructure and integrated installer designed to simplify self-hosting for non-experts and power users alike. It installs and configures a cohesive suite of services (networking, email, reverse proxy, VPN, and management tooling) and includes a RelayServer mode to enable hosting and remote access even behind NAT or CGNAT.

Key Features

  • Single integrated installer and web-based management utility to install and manage supported services
  • RelayServer architecture for NAT/CGNAT traversal enabling hosting of email and public websites without open router ports
  • WireGuard-based VPN for outer-layer encryption and private networking between HomeServers
  • Internal certificate authority with OpenSSL and Caddy for automatic HTTPS inside the private network
  • Preconfigured, production-oriented email stack and firewall defaults to simplify mail hosting and delivery
  • Authelia for user-based authentication and finer access control
  • Custom ISO builds (desktop and server), automated service updates, backups and monitoring integrations
  • Cryptographically-signed source code and security-first defaults

Use Cases

  • Host a fully configured email server and multiple domains from a home connection, even behind CGNAT
  • Provision a secure private network linking multiple home servers and devices for remote access and service isolation
  • Deploy and manage a small self-hosted platform of services (websites, mail, file services) with minimal manual configuration

Limitations and Considerations

  • Supported distributions are limited to a small set of Debian/Ubuntu-based releases; installers expect a fresh OS install or provided custom ISO
  • RelayServer requires an externally reachable VPS or server to function as the relay endpoint
  • Installation and many orchestration steps are driven by shell scripts and opinionated defaults, which may require manual adjustments for advanced custom setups

HomeServerHQ focuses on delivering a secure, integrated home-hosting stack with built-in networking and service automation. It is suited for users who want a turnkey self-hosting platform that handles NAT traversal, TLS, email, and centralized management while preserving security-focused defaults.

54 stars
6 forks

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running