Send me a tip
I'm so grateful for those who are able to support Serveo with a donation! Clicking one of the buttons below will take you to a donation form in a new tab.
Thank you so much!
Subscribe
Serveo gets better all the time. Leave your email address or follow me on Twitter to get notified of improvements. (Expect about one or two emails per month.)
How does it work?
Serveo is an SSH server just for remote port forwarding. When a user connects to Serveo, they get a public URL that anybody can use to connect to their localhost server.
.png)
Manual
Basic use
ssh -R 80:localhost:3000 serveo.net
The -R option instructs your SSH client to request port forwarding from the server and proxy requests to the specified host and port (usually localhost). A subdomain of serveo.net will be assigned to forward HTTP traffic.
Request multiple tunnels at once
ssh -R 80:localhost:8888 -R 80:localhost:9999 serveo.net
The target server doesn't have to be on localhost
ssh -R 80:example.com:80 serveo.net
Request a particular subdomain
The subdomain is chosen deterministically based on your IP address, the provided SSH username, and subdomain availability, so you'll often get the same subdomain between restarts. You can also request a particular subdomain:
ssh -R incubo:80:localhost:8888 serveo.net
ssh -R incubo.serveo.net:80:localhost:8888 serveo.net
Change the SSH username to get assigned a different subdomain:
ssh -R 80:localhost:8888 foo@serveo.net
ssh -R 80:localhost:8888 -l foo serveo.net
Private TCP and SSH forwarding
Serveo can be used to route private TCP traffic, almost like a lightweight VPN. To set up the tunnel, specify an alias as the hostname and some port:
ssh -R myalias:5901:localhost:5900 serveo.net
Then to connect to that port from another machine, use ssh -L:
ssh -L 5902:myalias:5901 serveo.net
Then connect to localhost:5902 on the remote machine, and SSH will send traffic through Serveo, which will forward it to the target machine, ultimately connecting you to port 5900 on the target machine.
If you're using this to connect to an SSH server, then you can use OpenSSH's JumpHost feature. On the target machine, you might start the tunnel like this:
ssh -R myalias:22:localhost:22 serveo.net
Then you can establish an SSH connection using serveo.net as an intermediary like this:
ssh -J serveo.net user@myalias
The -J option was introduced in the OpenSSH client version 7.3. If you have an older client, you can use the ProxyCommand option instead:
ssh -o ProxyCommand="ssh -W myalias:22 serveo.net" user@myalias
Public TCP forwarding
If you request a port other than 80 or 443, raw TCP traffic will be forwarded. (In this case, there's no way to route connections based on hostname, and the host, if specified, will trigger private TCP forwarding.)
ssh -R 1492:localhost:1492 serveo.net
If port 0 is requested, a random TCP port will be forwarded:
ssh -R 0:localhost:1492 serveo.net
Connect on port 443
In some environments, outbound port 22 connections are blocked. For this reason, you can also connect on port 443.
ssh -p 443 -R 80:localhost:8888 serveo.net
Automatically reconnect
Use autossh for more persistent tunnels. Use "-M 0" to disable autossh's connectivity checking:
autossh -M 0 -R 80:localhost:8888 serveo.net
See https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/ for more about autossh.
Custom Domain
To use your own domain or subdomain, you'll first need an SSH key pair. Use the ssh-keygen program to generate a key pair if you don't already have one.
Next, use ssh-keygen -l and note your key's fingerprint. Here's an example output:
2048 SHA256:pmc7ZRv7ymCmghUwHoJWEm5ToSTd33ryeDeps5RnfRY no comment (RSA)
In this example, the fingerprint is SHA256:pmc7ZRv7ymCmghUwHoJWEm5ToSTd33ryeDeps5RnfRY.
Now you need to add two DNS records for the domain or subdomain you'd like to use:
- A CNAME record pointing to serveo.net.
- For each SSH key to allow, a TXT record at _serveo-authkey.[domain] = [fingerprint].
Once your DNS records are in place, you can request your subdomain/domain from Serveo:
ssh -R subdomain.example.com:80:localhost:3000 serveo.net
When you request port forwarding for subdomain.example.com, Serveo will fetch the TXT records from your DNS server and only allow forwarding if you've provided a public key with the same fingerprint as specified in TXT records.
Alternatives
ngrok
Serveo is an excellent alternative to ngrok. Serveo was inspired by ngrok and attempts to serve many of the same purposes. The primary advantage of Serveo over ngrok is the use of your existing SSH client, so there's no client application to install.
Other slight advantages include preservation of URLs across reconnect for free (ngrok allows this only for paid accounts) and in-terminal request inspection and replay (ngrok uses a web interface).
OpenSSH Server
Using Serveo instead of OpenSSH frees you from having to configure and maintain a server. It also handles HTTPS and subdomain generation, two features that complicate a typical SSH port-forwarding setup.
If Serveo doesn't meet your needs, this guide has some ideas for setting up OpenSSH.
Host it yourself
This free version is intended for evaluative and personal use and allows no more than 3 total simultaneous tunnels per instance.
Email me at trevor@serveo.net if you're interested in licensing Serveo for business use or otherwise need more than 3 tunnels at a time.
Download
Linux
Mac
Windows
Use
The server's behavior is configured using command line arguments. Use -h to see all options.
./serveo -h
-private_key_path
At the very least, you must specify the path to an encoded private key used for establishing SSH connections. You may be able to use /etc/ssh/ssh_host_rsa_key or $HOME/.ssh/id_rsa, but it's recommended that you generate a private key for Serveo's use (using ssh-keygen, for example: ssh-keygen -t rsa -f ssh_host_rsa_key).
./serveo -private_key_path=/etc/ssh/ssh_host_rsa_key
./serveo -private_key_path=$HOME/.ssh/id_rsa
-port, -http_port, -https_port
These options tell Serveo on which ports, respectively, to listen for SSH, HTTP, and HTTPS connections.
./serveo -private_key_path=ssh_host_rsa_key -port=22 -http_port=80 -https_port=443
./serveo -private_key_path=ssh_host_rsa_key -port=2222 -http_port=8080 -https_port=8443
-cert_dir
This is necessary for HTTPS support. The directory it specifies should contain TLS certificates and keys. For example, a cert_dir might contain the following files:
abc.crt abc.key foo.crt foo.key
Certificate files must end in .crt, and keys in .key. The basename for certificate files doesn't matter, but must match the corresponding key file (i.e. abc.{crt,key} should both exist). Wildcard certificates and certificates with multiple DNS names are supported.
./serveo -cert_dir=certs
-domain
This option specifies the default domain in case no domain is specified.
./serveo -domain=example.com
-disable_telemetry
A few basic events are reported for my analytical use (process startup and the start of port forwarding). Invoke this flag to disable telemetry.