Free & Open Source  ·  Self-Hosted

Public HTTPS for localhost —
without the middleman

Ztpr is a Zero Trust Proxy Relay: public HTTPS tunnels you run on your own server and domain. Friendly subdomains, automatic wildcard TLS, and an admin UI. Your traffic never touches a third party.

Get Started View on GitHub
$ ztpr --server https://app.example.com --key ztpr_•••• --target http://localhost:3000 → connecting to relay… authenticated → tunnel open. public url: https://royal-spruce.tun.example.com forwarding * → http://localhost:3000 (TLS terminated at relay)
ZT
Ztpr
admin@example.com Sign out

Your tunnels

Live tunnels registered to your API keys. Subdomains release automatically when idle or after 4 hours.
URLClientStartedIdleExpires in
royal-spruce.tun.example.comweb-dev14:023s3h 41m
amber-otter.tun.example.comapi-staging13:481m3h 27m
brave-finch.tun.example.com10.0.0.1413:204m2h 59m
Features

A tunneling service that answers to you

All the convenience of a hosted tunnel, none of the third-party trust. One ASP.NET Core process on your server is the whole relay.

You own the relay

Self-hosted on your own server and domain. No external service ever sits in your request path or sees your traffic.

Zero standing trust

Every client authenticates with a hashed API key on each connection. Keys are shown once and stored only as SHA-256 hashes.

Friendly subdomains

Each connection gets a memorable two-word host like red-tiger.tun.example.com, released automatically on disconnect or idle.

Automatic wildcard HTTPS

A single Let's Encrypt wildcard cert (*.tun.example.com) via DNS-01 covers every tunnel — issued hands-free when you connect Amazon Route 53, or with a guided manual wizard for any DNS provider. TLS terminates at the relay; your service sees plain HTTP.

Invite-based access

The first registered user is the admin; everyone else needs a single-use invite code. Block a user to instantly kill their sessions, keys, and tunnels.

Operator visibility

A Blazor admin UI shows every user, who holds which subdomain, and every active tunnel — with one-click disconnect and per-key limits.

How it works

From localhost to public URL in three steps

Stand up the relay once, then open tunnels from any machine with an API key.

1

Host the relay

Run the self-contained server on your Linux box and point a wildcard DNS record at it. The installer sets up the systemd service.

2

Connect the client

Run the downloadable client with your API key and a local target. It opens a persistent, authenticated WebSocket to the relay.

3

Share the URL

The relay assigns a subdomain and forwards public HTTPS to your local service — valid for up to four hours, released when you're done.

Run your own tunnels today

Free, open source, and completely self-hosted. Stand up the relay and open your first tunnel in minutes.

Read the Getting Started guide