Secure HTTP tunnels to localhost using WireGuard. Share your local development server instantly without signup or complex setup.
🌐 Try it now: arbok.mrkaran.dev
# 1. Get tunnel config (replace 3000 with your local port)
curl https://arbok.mrkaran.dev/3000 > burrow.conf
# 2. Start tunnel
sudo wg-quick up ./burrow.conf
# 3. Stop tunnel when done
sudo wg-quick down ./burrow.confYour local service is now accessible at the HTTPS URL shown in the config file.
- Build from source:
git clone https://github.com/mr-karan/arbok
cd arbok
make build- Configure (copy
config.sample.tomltoconfig.toml):
[app]
domain = "arbok.yourdomain.com"
[auth]
# Optional: Add API keys for authentication
api_keys = ["secret-key-1"]
[tunnel]
default_ttl = "24h"
cleanup_interval = "5m"
[server]
cidr = "10.100.0.0/24"
listen_port = 54321
private_key = "your-wireguard-private-key"
[http]
listen_addr = ":8080"- Run:
./bin/server.bin --config config.tomlTest without DNS setup using Host headers:
# Start local service
python3 -m http.server 3000 &
# Create tunnel
curl http://localhost:8080/3000 > burrow.conf
sudo wg-quick up ./burrow.conf
# Test with Host header (replace subdomain from burrow.conf)
curl -H "Host: your-subdomain.localhost" http://localhost:8080Simple & Secure
- Straightforward tunnel setup and management
- WireGuard encryption with modern cryptography
- No account needed - anonymous tunnels by default
- Self-hosted - complete control over your infrastructure
Production Ready
- Prometheus metrics at
/metrics - Automatic tunnel cleanup with configurable TTLs
- Resource management prevents IP exhaustion
- WebSocket and SSE support
# Get WireGuard config with instructions
curl https://arbok.mrkaran.dev/3000# Create tunnel
curl -X POST -H "X-API-Key: your-key" https://arbok.mrkaran.dev/api/tunnel/3000
# List tunnels
curl -H "X-API-Key: your-key" https://arbok.mrkaran.dev/api/tunnels
# Delete tunnel
curl -X DELETE -H "X-API-Key: your-key" https://arbok.mrkaran.dev/api/tunnel/{id}Browser → HTTPS → Arbok Server → WireGuard Tunnel → Local Service
- HTTP API allocates IP and generates Curve25519 keypair
- WireGuard tunnel created with encrypted connection
- Browser requests proxied through tunnel to localhost
For detailed technical internals, see docs/internals.md.
- Linux/macOS with WireGuard installed
wg-quickcommand available- sudo/root access for WireGuard interface
| Feature | Arbok | ngrok | Cloudflare Tunnel |
|---|---|---|---|
| No signup | ✓ | ✗ | ✗ |
| Self-hosted | ✓ | ✗ | ✗ |
| Modern crypto | ✓ | ✗ | ✓ |
| Open source | ✓ | ✗ | ✗ |
- End-to-end encryption via WireGuard
- Automatic tunnel expiration prevents orphaned connections
- IP address isolation between tunnels
- No persistent logs of tunneled traffic
MIT License - see LICENSE for details.