Stop Overpaying for ngrok! OutRay Is the Open-Source Tunnel You Need
Your webhook just failed. Again. You're demoing to a client in five minutes, and your localhost API is trapped behind your laptop. You've been here before—fumbling for credit cards, hitting ngrok's connection limits, watching that paywall slam down right when you need it most. What if I told you there's a self-hosted, open-source ngrok alternative that puts you in control? No metered connections. No surprise bills. No vendor lock-in.
Meet OutRay—the tunneling tool that's making developers ditch proprietary services and reclaim their infrastructure. Built for teams who refuse to compromise on privacy, cost, or flexibility, OutRay delivers everything ngrok does and more, with one radical difference: it's completely yours. Whether you're shipping webhooks, sharing dev previews, or tunneling production databases, this open-source ngrok alternative eliminates the friction that's been slowing you down. Ready to see how deep this rabbit hole goes?
What Is OutRay? The Open-Source Tunneling Revolution
OutRay is a self-hosted tunneling platform that exposes local servers to the internet through secure, encrypted connections. Created by the outray-tunnel organization and released under the AGPL-3.0 license, it represents a fundamental shift in how developers approach localhost exposure.
Unlike SaaS tunneling services that route your traffic through third-party infrastructure, OutRay gives you complete ownership of the entire stack. The project is architected as a modern monorepo with six distinct applications: a CLI client for tunnel creation, a cron service for background jobs, an internal-check service for domain verification, a landing page, the core tunnel server, and a comprehensive web dashboard with API.
Why it's trending now: The developer community is experiencing acute tunneling fatigue. ngrok's pricing changes, security concerns about traffic interception, and the need for team collaboration features have created perfect conditions for an open-source insurgent. OutRay arrives with HTTP, TCP, and UDP support, custom domains with automatic TLS, and organization-wide access controls—features typically locked behind enterprise tiers elsewhere.
The project leverages Node.js 20+, PostgreSQL, Redis, and TimescaleDB (Tiger Data) for its backend, signaling serious engineering intent. This isn't a weekend hack; it's production infrastructure designed for scale. With Vercel's OSS Program backing and active community contributions, OutRay is positioned to become the de facto standard for self-hosted tunneling.
Key Features That Crush the Competition
OutRay doesn't merely match ngrok—it reimagines what's possible when tunneling infrastructure is truly open. Here's the technical breakdown:
Multi-Protocol Tunneling
- HTTP Tunnels: Full web server exposure with custom subdomain allocation. Perfect for webhook development, OAuth callbacks, and client demos.
- TCP Tunnels: Raw TCP forwarding for databases (PostgreSQL, MySQL, MongoDB), SSH servers, game servers, and any TCP-based service. The
outray tcp 5432command transforms your local database into a globally accessible endpoint. - UDP Tunnels: Critical for DNS testing, VoIP development, TFTP transfers, and real-time gaming protocols. Most competitors ignore UDP entirely—OutRay embraces it.
Custom Domains with Automatic TLS
Bring your own domain and let OutRay handle Let's Encrypt certificate provisioning and renewal automatically. The internal-check service validates domain ownership, while Caddy (implied by the domain verification component) manages TLS termination. No manual certificate wrangling, no downtime during renewals.
Real-Time Dashboard & Analytics
The web application provides traffic monitoring, tunnel analytics, and connection metrics. Unlike ngrok's web interface (which requires paid plans for meaningful retention), your OutRay dashboard stores data in TimescaleDB—a PostgreSQL extension optimized for time-series data. Query historical traffic patterns, identify bottlenecks, and optimize your tunnel configurations with SQL you already know.
Team Support with RBAC
Organizations get role-based access control for tunnel management. Share tunnel endpoints across teams without sharing credentials. Audit who created which tunnel, when, and for how long. This is enterprise-grade governance without the enterprise-grade invoice.
Modern Deployment Architecture
The deploy/ directory contains infrastructure-as-code configurations. Deploy to your own VPS, Kubernetes cluster, or edge locations. The cron service handles automated cleanup, certificate rotation, and health checks—zero manual intervention required.
Use Cases Where OutRay Absolutely Dominates
1. Webhook Development Without the Headaches
You're building a Stripe integration. Their webhooks demand a public HTTPS endpoint, but you're coding on localhost:3000. With outray http 3000, you get an instant public URL with valid TLS. Test payment flows in real-time, inspect headers in the dashboard, and iterate without deploying to staging. No more ngrok connection limits killing your flow.
2. Database Sharing Across Distributed Teams
Your data scientist in Berlin needs access to your local PostgreSQL instance in San Francisco. Instead of dumping schemas or setting up VPNs, run outray tcp 5432. They connect with standard PostgreSQL clients to your assigned endpoint. When the session ends, the tunnel dies—no persistent exposure, no security debt.
3. IoT and Hardware Development
You're prototyping an ESP32 sensor that reports to a local MQTT broker. OutRay's UDP tunneling lets you test device-to-cloud flows before hardware ships. Tunnel CoAP, DNS-SD, or custom UDP protocols that ngrok simply cannot handle. Validate your firmware against real network conditions.
4. Game Server Testing and Demos
Built a multiplayer server with UDP-based netcode? Share it with playtesters instantly. OutRay's UDP support means Unreal Engine, Unity, or custom game servers work out of the box. No port forwarding, no router configuration, no explaining NAT traversal to non-technical stakeholders.
5. Microservice Development in Complex Architectures
Your system has twelve services, but you're only developing one. Use OutRay to expose your local service while tunneling to remote dependencies. The dashboard shows cross-service traffic patterns, helping you identify integration issues before they reach production.
Step-by-Step Installation & Setup Guide
Prerequisites
Before installing OutRay, ensure you have:
- Node.js 20+ (check with
node --version) - PostgreSQL 14+ for primary data storage
- Redis 6+ for session caching and real-time features
- TimescaleDB extension installed on PostgreSQL
Install the CLI
The fastest path to tunneling:
# Install globally via npm
npm install -g outray
# Verify installation
outray --version
Server Setup (Self-Hosted)
For the complete self-hosted experience, deploy the tunnel server:
# Clone the repository
git clone https://github.com/outray-tunnel/outray.git
cd outray
# Install dependencies for all workspace packages
npm install
# Configure environment variables
cp apps/tunnel/.env.example apps/tunnel/.env
# Edit apps/tunnel/.env with your PostgreSQL, Redis, and domain settings
# Run database migrations
npm run db:migrate --workspace=apps/tunnel
# Start the tunnel server
npm run dev --workspace=apps/tunnel
Environment Configuration
Your .env file needs these critical values:
# Database connection with TimescaleDB support
DATABASE_URL=postgresql://user:pass@localhost:5432/outray?sslmode=disable
# Redis for caching and pub/sub
REDIS_URL=redis://localhost:6379
# Base domain for generated subdomains
BASE_DOMAIN=tunnel.yourdomain.com
# TLS configuration (automatic with custom domains)
ACME_EMAIL=admin@yourdomain.com
Dashboard Deployment
# Build the web dashboard
npm run build --workspace=apps/web
# Start with production optimizations
npm run start --workspace=apps/web
The dashboard will be available at your configured domain, with the API serving tunnel management endpoints at /api/v1/.
REAL Code Examples from OutRay
Let's dissect the actual commands and patterns from the OutRay repository, with detailed explanations of what's happening under the hood.
Example 1: Basic HTTP Tunnel
# Expose a local web server on port 3000
outray http 3000
What happens: The CLI establishes a WebSocket connection to your OutRay tunnel server, authenticates with your API key, and requests an HTTP tunnel allocation. The server assigns a subdomain (e.g., abc123.tunnel.yourdomain.com), configures Caddy to route that subdomain to your WebSocket stream, and returns the public URL. All traffic is end-to-end encrypted—the server cannot inspect HTTPS payloads, only route them.
When to use this: React dev servers, API development, webhook endpoints, static site previews, OAuth callback testing.
Example 2: TCP Tunnel for Database Access
# Tunnel a local PostgreSQL instance
outray tcp 5432
What happens: This creates a raw TCP proxy. The CLI listens locally, wraps TCP packets in the WebSocket tunnel, and the server unwraps them at the edge. Unlike HTTP tunnels, TCP tunnels get random high ports on the public endpoint (e.g., tunnel.yourdomain.com:40217). The server maintains connection state, handles backpressure, and retries failed packets automatically.
Critical security note: TCP tunnels expose raw database protocols. Always use PostgreSQL's native SSL (sslmode=require) and restrict tunnel access to specific IP ranges via the dashboard's firewall rules.
Example 3: UDP Tunnel for Real-Time Applications
# Tunnel DNS or VoIP traffic on UDP port 53
outray udp 53
What happens: UDP is connectionless, so OutRay implements virtual connection tracking. The CLI maintains a mapping of (source_ip, source_port) to tunnel sessions, ensuring reply packets route correctly. The server buffers out-of-order packets and handles NAT hole punching for peer-to-peer scenarios.
Why this matters: Most tunneling solutions ignore UDP because it's stateless and harder to proxy correctly. OutRay's implementation means you can test QUIC, DNS over HTTPS, WebRTC signaling, and custom game protocols without infrastructure changes.
Example 4: Project Structure Deep Dive
outray/
├── apps/
│ ├── cli/ # CLI client - your primary interface
│ ├── cron/ # Background jobs - certificate renewal, cleanup
│ ├── internal-check/ # Domain verification for Caddy TLS automation
│ ├── landing/ # Marketing website - Next.js or similar
│ ├── tunnel/ # Tunnel server - the core proxy engine
│ └── web/ # Dashboard & API - React frontend, REST/GraphQL API
├── shared/ # Shared utilities - types, validation, crypto
└── deploy/ # Deployment configs - Docker, Terraform, K8s
Architecture insight: This monorepo structure enables coordinated deployments. When you update the tunnel protocol in apps/tunnel/, the CLI in apps/cli/ automatically gets compatible changes through the shared/ package. The internal-check service runs as a Caddy module, validating domain ownership before Let's Encrypt challenges complete. This isn't accidental complexity—it's operational resilience.
Advanced Usage & Best Practices
Optimize Tunnel Performance
- Enable compression for text-heavy payloads: set
COMPRESSION_LEVEL=gzipin your CLI environment - Use connection pooling for TCP tunnels to database—PostgreSQL's
pgbouncerworks seamlessly through OutRay - Monitor latency in the dashboard; deploy tunnel servers geographically close to your users
Security Hardening
- Rotate API keys monthly using the dashboard's key management
- Enable IP allowlisting for production tunnels—block unexpected connection sources
- Audit tunnel logs via TimescaleDB queries:
SELECT * FROM tunnel_sessions WHERE created_at > NOW() - INTERVAL '7 days'
Team Workflows
- Create organization-scoped tunnels with prefixed subdomains (
team-name--project.tunnel.yourdomain.com) - Use role-based access to limit who can create persistent vs. ephemeral tunnels
- Integrate tunnel creation into CI/CD pipelines for preview deployments
Custom Domain Automation
Point a wildcard DNS record (*.tunnel.yourdomain.com) to your OutRay server. The internal-check service validates new domains automatically, and Caddy provisions certificates via ACME. Zero manual TLS management, even for hundreds of subdomains.
OutRay vs. Alternatives: The Brutal Truth
| Feature | OutRay | ngrok | Cloudflare Tunnel | LocalTunnel |
|---|---|---|---|---|
| Open Source | ✅ AGPL-3.0 | ❌ Proprietary | ❌ Proprietary | ✅ MIT (limited) |
| Self-Hosted | ✅ Full control | ❌ SaaS only | ⚠️ Requires Cloudflare | ❌ Public servers |
| TCP Tunnels | ✅ Native | 💰 Paid plans only | ✅ | ❌ |
| UDP Tunnels | ✅ Rare feature | ❌ | ❌ | ❌ |
| Custom Domains | ✅ Free, auto-TLS | 💰 Enterprise | ✅ | ❌ |
| Team/RBAC | ✅ Built-in | 💰 Enterprise | ⚠️ Via Cloudflare | ❌ |
| Data Privacy | ✅ Your servers | ❌ Third-party | ⚠️ Cloudflare sees all | ❌ Public logs |
| Cost at Scale | ✅ Server costs only | 💰💰💰 Metered | ⚠️ Freemium limits | ✅ Free (unreliable) |
The verdict: ngrok wins on convenience for solo developers with simple needs. But the moment you need UDP, team features, or data sovereignty, OutRay becomes unbeatable. Cloudflare Tunnel is compelling if you're already in their ecosystem, but you're locked into their infrastructure and pricing. LocalTunnel is free but unreliable—fine for quick demos, dangerous for production workflows.
FAQ: What Developers Actually Ask
Is OutRay really free for commercial use?
Yes! The AGPL-3.0 license requires you to share modifications if you distribute the software, but internal commercial use is completely free. No usage limits, no feature gates, no surprise invoices.
How does OutRay compare to ngrok's performance?
Performance depends on your server infrastructure. With proper deployment (Redis caching, TimescaleDB for analytics, geographically distributed instances), OutRay matches or exceeds ngrok's throughput. You control the hardware—you control the performance ceiling.
Can I use OutRay without self-hosting?
Currently, OutRay is self-hosted by design. The project may offer managed hosting in the future, but the core value proposition is infrastructure ownership. If you need instant SaaS tunneling, ngrok remains the path of least resistance.
What happens if my tunnel server goes down?
Active tunnels disconnect immediately—there's no magic here. For production scenarios, deploy multiple tunnel servers behind a load balancer with shared PostgreSQL and Redis. The cron service handles failover detection and certificate synchronization.
Is UDP tunneling actually stable?
OutRay's UDP implementation uses connection simulation over WebSockets, which adds slight overhead (~5-10ms). For VoIP and gaming, this is usually imperceptible. For DNS at scale, consider dedicated anycast infrastructure instead.
How do I migrate from ngrok?
Replace ngrok http 3000 with outray http 3000. Update webhook URLs in your services. The mental model is identical—only the infrastructure ownership changes. The dashboard provides similar inspection capabilities.
What's the catch with AGPL-3.0?
If you modify OutRay and distribute it (including as a service to external users), you must share those modifications. For internal teams and personal use, this requirement doesn't trigger. Consult legal counsel if building commercial tunneling services on top of OutRay.
Conclusion: Take Back Your Tunnels
OutRay isn't just another open-source ngrok alternative—it's a declaration of infrastructure independence. In an era where developer tools increasingly demand recurring subscriptions and data access, OutRay hands you the keys to your own tunneling kingdom.
The technical depth is undeniable: multi-protocol support, automatic TLS, team governance, and a modern monorepo architecture that scales. But the real victory is freedom from vendor calculus—no more counting connections, no more pricing page anxiety, no more explaining to security why third parties handle your development traffic.
My take? If you're a solo developer with occasional tunneling needs, ngrok's convenience still holds value. But the moment you hit a paywall, need UDP, or care about data residency, OutRay becomes essential infrastructure. The setup investment pays dividends in control, cost, and capability.
Ready to tunnel on your own terms? Star the repository, deploy your first server, and join the community reshaping how developers expose localhost. The future of tunneling is open-source—and it's waiting for you at github.com/outray-tunnel/outray.