Scripts · Jun 2, 2026 · 3 min read

NPS — Lightweight NAT Traversal and Reverse Proxy Server

A high-performance NAT traversal ("intranet penetration") proxy server written in Go with a web management dashboard, supporting TCP/UDP tunneling, HTTP/HTTPS proxying, SOCKS5, and P2P connections.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100 · Policy: allow

  • Agent surface: Any MCP/CLI agent
  • Kind: Skill
  • Install: Single
  • Trust: Established
  • Entrypoint: NPS Proxy Server

Direct install command:

    npx -y tokrepo@latest install 241ffd37-5ec1-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

NPS is a lightweight, high-performance reverse proxy and NAT traversal tool written in Go. It enables developers and teams to expose services running behind firewalls or NAT networks to the public internet, with a web-based management interface for configuring tunnels and monitoring traffic.

What NPS Does

  • Creates TCP and UDP tunnels to expose internal services through a public server
  • Provides HTTP and HTTPS reverse proxying with custom domain binding
  • Supports SOCKS5 proxy mode for general-purpose traffic forwarding
  • Offers a web management dashboard for creating clients, tunnels, and access controls
  • Enables P2P connections between clients to reduce server bandwidth consumption

Architecture Overview

NPS follows a server-client model. The server runs on a machine with a public IP and manages all tunnel configurations. Clients connect to the server using a unique verification key over a persistent multiplexed connection. Traffic is forwarded through the server or directly via P2P when both endpoints support it. The server stores configuration in a file-based database and exposes a web UI on a configurable port.

Self-Hosting & Configuration

  • Download prebuilt binaries for Linux, macOS, Windows, or FreeBSD from the releases page
  • Run the server with ./nps install && ./nps start to launch the web dashboard on port 8080
  • Create clients and tunnels through the web UI or via the configuration file
  • Configure bandwidth limits, connection limits, and access control lists per client
  • TLS encryption is supported for both the management interface and tunnel traffic

Key Features

  • Single binary deployment with no external dependencies for both server and client
  • Web dashboard with real-time traffic monitoring, client status, and tunnel management
  • Bandwidth and connection limiting per client for multi-tenant usage
  • Compressed transmission reduces bandwidth usage on slow or metered connections
  • Multi-user support with API tokens for programmatic tunnel management

Comparison with Similar Tools

  • frp — Similar feature set; NPS adds a built-in web dashboard and multi-user management
  • ngrok — Managed SaaS with free tier limits; NPS is fully self-hosted with no restrictions
  • Cloudflare Tunnel — Requires Cloudflare; NPS works with any server and domain
  • Tailscale/Headscale — Mesh VPN approach; NPS focuses on per-service tunnel exposure
  • rathole — Rust-based and lighter; NPS provides a richer management UI and more protocols

FAQ

Q: What protocols does NPS support for tunneling?
A: TCP, UDP, HTTP, HTTPS, and SOCKS5. Each tunnel type is configured independently per client.

Q: Can I use NPS to expose a web application with a custom domain?
A: Yes. Configure an HTTP tunnel with a custom host header, then point your domain DNS to the NPS server.

Q: Is traffic between client and server encrypted?
A: NPS supports TLS encryption for the control channel. For tunnel traffic, you can enable compression and encryption in the configuration.

Q: How does P2P mode work?
A: When enabled, NPS attempts to establish a direct connection between two clients using hole punching. If P2P fails, traffic falls back to routing through the server.
