Bore — Simple Self-Hosted TCP Tunnel to Localhost

Introduction

Bore is a lightweight TCP tunnel tool written in Rust that exposes local services to the internet without complex networking setup. Unlike commercial alternatives, bore can be entirely self-hosted and requires no accounts, API keys, or configuration files.

What Bore Does

• Creates TCP tunnels from a local port to a publicly accessible address
• Supports self-hosting the relay server for full infrastructure control
• Provides optional secret-based authentication to restrict tunnel creation
• Assigns random or specific remote ports for predictable URLs
• Works with any TCP-based protocol including HTTP, SSH, and databases

Architecture Overview

Bore uses a client-server model. The server listens on a control port (default 7835) for incoming client connections and allocates proxy ports for tunneled traffic. When external traffic arrives on a proxy port, the server forwards it through the control connection to the client, which relays it to the local service. All communication uses a minimal binary protocol over TCP.

Self-Hosting & Configuration

• Deploy the server with bore server on any internet-facing VPS
• Set --min-port to restrict the range of ports clients can request
• Use --secret flag on both server and client to require authentication
• No configuration files needed; all options are CLI flags
• Docker image available at ekzhang/bore for containerized deployment

Key Features

• Single static binary with zero dependencies (thanks to Rust)
• Sub-millisecond overhead on tunnel connections
• No rate limiting or bandwidth caps when self-hosted
• Supports concurrent tunnels on a single server instance
• Public relay at bore.pub available for quick testing without self-hosting

Comparison with Similar Tools

• ngrok — Feature-rich commercial product with TLS termination and dashboards; bore is simpler, free, and self-hostable
• Cloudflare Tunnel — Requires Cloudflare account and DNS setup; bore works with raw TCP and needs no third-party accounts
• frp — More configurable with TOML config files and multiple protocols; bore prioritizes zero-config simplicity
• rathole — Similar Rust alternative with NAT traversal; bore focuses on ease of use with fewer moving parts

FAQ

Q: Can bore handle HTTPS traffic? A: Bore tunnels raw TCP, so you can run a reverse proxy like Caddy on the server side for TLS termination, or handle TLS at the local service.

Q: How do I get a stable subdomain? A: Bore assigns ports, not domains. For stable URLs, use a reverse proxy on the server that routes based on Host headers to specific bore ports.

Q: Is the traffic encrypted? A: The tunnel itself does not encrypt traffic. Use TLS at the application layer or wrap with SSH for sensitive data.

Q: What happens if the tunnel connection drops? A: The client will exit. Use a process manager like systemd or a restart loop to automatically reconnect.

Sources

• https://github.com/ekzhang/bore
• https://crates.io/crates/bore-cli