“Open source” is doing a lot of heavy lifting in tunneling marketing. Some projects release the agent but keep the server closed. Some say “MIT” and ship a compiled binary that phones home. This page scores the real options honestly, and points you at the two stacks you can actually self-host end-to-end.
Before scoring anyone, decide which definition of “open source” you actually care about. They are not the same.
Useful for security teams, supply-chain review, and debugging. An open agent is usually enough — you can confirm it doesn't exfiltrate data, you can cross-compile for your architecture, you can fork if upstream stalls.
Required for air-gapped deployments, compliance lockdowns, and “what happens when this startup dies” planning. You need both the agent and the server under a license that permits self-hosting, plus enough operational docs to stand them up.
Most “open source” tunneling projects answer yes to #1 and no to #2. That's fine — as long as you know which one you got.
Six mainstream tunnels, eight criteria, no fudging. The two fully self-hostable stacks are on the left.
| Criterion | 21tunnel | frp | Cloudflare | Tailscale | localtunnel | ngrok |
|---|---|---|---|---|---|---|
| Agent (client) source | Yes | Yes | Yes | Yes | Partial | No |
| Server (control plane) source | Yes | Yes | No | No | No | No |
| Fully self-hostable | Yes | Yes | No | No | No | No |
| License | MIT / Apache-2.0 | Apache-2.0 | Proprietary | Proprietary | Proprietary | Proprietary |
| Hosted SaaS free tier | 3 tunnels · 50 GB | None | Paid only | Free-ish¹ | 1 tunnel | 1 static domain |
| Custom domain on free tier | Yes | Self-host only | — | Yes (CF only) | No | No |
| Multi-tenant dashboard | Yes | Via fork | — | — | — | Yes (hosted) |
| Runs without third-party account | Yes | Yes | No (CF) | No (Tailscale) | No (LT) | No (ngrok) |
¹ Cloudflare Tunnel is free but requires a Cloudflare account, DNS on Cloudflare, and your traffic routes through their edge — you are not self-hosting, you are using their free product.
Agent and server are both MIT/Apache-2.0. One Postgres database, one docker-compose, one binary. The multi-tenant dashboard — orgs, RBAC, Stripe billing — is in the same repo; fork it or disable it.
Go. Apache-2.0. Has been around since 2016 and runs at scale in China where ngrok isn't reliably reachable. No dashboard, no multi-tenant, no billing — you write INI files and run the server behind a reverse proxy yourself.
If you want a tunneling service that your whole team uses — with a dashboard, audit log, and per-user tokens — 21tunnel ships that in the repo. If you want a single-tenant proxy that you bolt onto your own auth, frp is a great pick. The other four tools on the grid are hosted services; their “open source” is marketing, not a deployable stack.
Running a tunneling control plane is real work. Most teams shouldn't. Use the hosted SaaS, and keep the option to migrate.
No. ngrok v1 had an open agent years ago; v3 and the entire server stack are closed. You can't self-host ngrok upstream — any guide that says otherwise is building against the abandoned v1 source, which has known security issues and doesn't implement modern protocol features.
The cloudflared agent is open source. The
control plane, edge, and dashboard are Cloudflare's
proprietary infrastructure. You can audit the client; you
cannot run the server. Full comparison in
21tunnel vs Cloudflare Tunnel.
To match the Rust ecosystem's convention — most Rust libraries are MIT-or-Apache-2.0, which lets downstream users pick whichever fits their legal situation. No CLA, no dual proprietary license escape hatch, no “fair source” clause. It's open source, full stop.
No — the multi-tenant dashboard ships in the same repo and
runs against the same Postgres. If you want a single-tenant
install, set QNT_DISABLE_MULTITENANT=1 and the
server skips the orgs/RBAC layer. See the
self-host guide for both paths.
Yes. PRs welcome on GitHub. No CLA required. The repo ships the architecture docs and runbooks so you can find your way around.
Start on the free hosted tier — 3 tunnels, custom domain, no credit card. Migrate to self-host if compliance ever asks. Same binary, same dashboard, same Postgres schema.