TCP Tunnels
Expose a local TCP port to the internet (non-HTTP protocols)
Overview
TCP tunnels are for raw TCP services (databases, game servers, custom protocols, webhook receivers that speak TCP, etc.). Unlike HTTP tunnels, TCP tunnels do not have per-request logs and can’t use HTTP-only security policies.
Quick start
This allocates a public port on tcp.ngsrv.com and forwards to localhost:4500.
Basic usage (allocated port)
By default, NGSRV allocates a random public port and prints an endpoint like tcp.ngsrv.com:40000.
ngsrv tcp <port>Example: ngsrv tcp 4500
Test with netcat:
# Terminal A (local server) nc -lk 4500 # Terminal B (client) nc tcp.ngsrv.com 40000
TLS + SNI mode (BYOD on :443)
If you want a stable public endpoint on port 443, you can run a TCP tunnel behind a verified custom hostname (BYOD). This uses TLS termination at the edge and routes by SNI.
Requirements
- • A verified BYOD domain in Dashboard → Domains
- • Your BYOD hostname must be in status “verified/active”
ngsrv tcp <port> --domain api.example.comPublic endpoint becomes api.example.com:443.
Test with OpenSSL:
openssl s_client -connect api.example.com:443 -servername api.example.com
Flags
| Flag | Description | Default |
|---|---|---|
| --domain, -d | Verified BYOD hostname for TLS+SNI mode (binds to :443). Without it, an allocated port on tcp.ngsrv.com is used. | unset |
| --force, -f | Terminate any existing tunnel on the same domain before starting. | false |
| --trace | Verbose connection logs (same as NGSRV_CLIENT_TRACE=1). | false |
| --no-tui | Disable the interactive TUI; print plain logs to stdout (recommended for CI / non-interactive shells). | false |
Notes & limitations
- HTTP-only features (Request Logs, WAF, Header Auth, etc.) are designed for HTTP tunnels.
- TCP tunnels show up in Dashboard → TCP Tunnels.
- Security policies are applied at the HTTP layer and are not compatible with raw TCP tunnels. To restrict access to a TCP service, terminate TLS in your own service and apply application auth.