Zrok — Secure Internet Sharing and Tunneling Made Simple

Introduction

Zrok makes it simple to share local services, files, and directories with anyone on the internet or within a private network. Built on top of the OpenZiti zero-trust networking platform, it provides secure tunnels without opening firewall ports or configuring NAT rules.

What Zrok Does

• Creates public or private tunnels to local HTTP, TCP, and UDP services
• Shares files and directories via a built-in drive backend mode
• Provides end-to-end encryption through the OpenZiti overlay network
• Supports reserved shares that persist across sessions with stable URLs
• Offers a self-hostable control plane for enterprise deployments

Architecture Overview

Zrok is built on top of OpenZiti, a zero-trust networking platform. When you share a service, zrok creates an overlay network tunnel between your machine and the zrok frontend. Public shares get a randomly generated URL served by the frontend proxy. Private shares communicate directly over the OpenZiti mesh without touching the public internet. The control plane manages identity, authorization, and share lifecycle. All traffic is encrypted end-to-end by the OpenZiti SDK embedded in the zrok client.

Self-Hosting & Configuration

• Install the zrok CLI via the official install script or package managers
• Register an account on zrok.io or deploy your own self-hosted control plane
• Run zrok enable to link your environment to the control plane
• Use zrok share for ephemeral shares or zrok reserve for persistent endpoints
• Self-host the controller and frontend components using Docker Compose

Key Features

• One-command sharing for HTTP, TCP, UDP, and file/directory backends
• Public shares with generated URLs or private shares over encrypted mesh
• Built on OpenZiti zero-trust networking for end-to-end encryption
• Reserved shares maintain stable URLs across sessions
• Self-hostable control plane for organizations requiring full ownership

Comparison with Similar Tools

• ngrok — Established tunneling service; zrok is fully open source and self-hostable
• Cloudflare Tunnel — Requires a Cloudflare account; zrok works independently
• Tailscale Funnel — Tied to Tailscale mesh; zrok uses its own OpenZiti overlay
• bore — Minimal TCP tunnel; zrok supports HTTP, TCP, UDP, and file sharing
• frp — Reverse proxy tool; zrok adds zero-trust encryption and drive sharing

FAQ

Q: Is zrok free to use? A: Yes. The zrok.io hosted service has a free tier. The software is open source and can be self-hosted at no cost.

Q: How is zrok different from ngrok? A: zrok is fully open source and self-hostable. It also supports private shares over encrypted mesh and built-in file/drive sharing, which ngrok does not offer.

Q: Can I self-host the zrok control plane? A: Yes. zrok provides Docker Compose configurations for deploying the controller, frontend, and OpenZiti components on your own infrastructure.

Q: Does zrok work behind corporate firewalls? A: Yes. zrok uses outbound connections to the control plane, so it works behind NAT and firewalls without opening inbound ports.

Sources

• https://github.com/openziti/zrok
• https://docs.zrok.io/