Shortest path
Clone, build, install the edge daemon, install the client, run preflight checks, and start one tunnel.
mytunnel is a small self-hosted tunnel system for exposing local HTTP apps through a public hostname you control.
It uses SSH reverse forwarding for the data plane and Caddy’s Admin API for dynamic HTTPS routes at the edge.
It is for operators who want an ngrok-style workflow without handing traffic, DNS, or tunnel ownership to a hosted tunnel provider. It is not a replacement for application authentication, a private network, or a managed zero-trust proxy.
    git clone <repo-url> tunneled
    cd tunneled
    make build
    mytunnel http 3000 --edge mytunnel-edge --base-domain tunnel.example.com --name portal
That command prints:
    url: https://portal.tunnel.example.com
    lease: <id>
Operator runbook
Set wildcard DNS, choose the Caddy ACME DNS provider, install services, check logs, reconcile routes, and recover from stale leases.
Security model
Understand SSH owner scoping, forced-command keys, Caddy Admin API loopback rules, filesystem permissions, admin takeover, and exposure risks.
Exact commands
Reference every mytunnel, mytunneld, and operator script command from the current source tree.
mytunnel calls mytunneld ctl over SSH to allocate a lease.
mytunneld derives the owner from the SSH OS user, persists the lease in SQLite, and adds a Caddy route.
ssh -R process from an edge loopback port to your local app.
https://<slug>.<base-domain> and proxies to the loopback edge port.
This repository is source-first in the current cycle. Build from source locally or with Docker, then install the binaries with the provided scripts. Published release binaries can be added later without changing the operator model.
Start with Quickstart if you want the first working tunnel, or Installation if you are preparing the edge host.
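The route step described above (a lease published as https://<slug>.<base-domain> and proxied to a loopback edge port), as an added Python illustration that is not mytunnel's own code: it builds a Caddy JSON route only when the slug is a single DNS label and the upstream is a loopback address, and audits a route read back from Caddy for the same two properties. The function names, the `lease-<id>` route id scheme, the port number and the sample values are assumptions.

```python
import ipaddress
import re

# One DNS label: lowercase letters, digits and inner hyphens, at most 63 chars.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def build_route(slug, base_domain, edge_ip, edge_port, lease_id):
    """Return a Caddy JSON route for one lease; raise ValueError on unsafe input."""
    if not LABEL.fullmatch(slug):
        raise ValueError("slug must be a single DNS label")
    if not ipaddress.ip_address(edge_ip).is_loopback:
        raise ValueError("upstream must be a loopback address")
    if not 1 <= edge_port <= 65535:
        raise ValueError("port out of range")
    host = f"[{edge_ip}]" if ":" in edge_ip else edge_ip  # bracket IPv6 for dial
    return {
        "@id": f"lease-{lease_id}",  # hypothetical id scheme, not from the project
        "match": [{"host": [f"{slug}.{base_domain}"]}],
        "handle": [{"handler": "reverse_proxy",
                    "upstreams": [{"dial": f"{host}:{edge_port}"}]}],
        "terminal": True,
    }


def audit_route(route, base_domain):
    """Return a list of problems found in a route read back from Caddy."""
    problems = []
    for matcher in route.get("match", []):
        for host in matcher.get("host", []):
            slug, _, rest = host.partition(".")
            if rest != base_domain or not LABEL.fullmatch(slug):
                problems.append(f"host outside base domain: {host}")
    for handler in route.get("handle", []):
        for upstream in handler.get("upstreams", []):
            ip = upstream.get("dial", "").rpartition(":")[0].strip("[]")
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:  # hostname or empty dial: treat as not loopback
                loopback = False
            if not loopback:
                problems.append(f"non-loopback upstream: {upstream.get('dial')}")
    return problems


# Constructed sample values; the hostname matches the one used on this page.
GOOD = build_route("portal", "tunnel.example.com", "127.0.0.1", 41001, "abc123")
BAD = {"match": [{"host": ["portal.example.org"]}],
       "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "10.0.0.5:8080"}]}]}
```
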