Secure HTTP tunnels to localhost

Share your local development server instantly with WireGuard encryption. No signup required.

Start tunnel:

curl https://arbok.mrkaran.dev/3000 > burrow.conf && sudo wg-quick up ./burrow.conf

Replace 3000 with your local port.
Important: Your app must listen on 0.0.0.0 (not just 127.0.0.1) for the tunnel to work.

Stop tunnel:

sudo wg-quick down ./burrow.conf

↓

✨ Your app is live at https://brave-snake-1234.arbok.mrkaran.dev

🔒

Secure

End-to-end encryption with WireGuard

🌐

Simple

One command, no account required

🛠️

Self-hosted

Complete control over your tunnels

How it Works

Peer Registration

Server generates WireGuard keypair, assigns IP from pool, creates peer config. Returns config file with server public key, client private key, and allocated IP address from 10.100.0.0/24 range.

WireGuard Interface

Client establishes encrypted UDP tunnel on port 54321, server adds peer dynamically. All traffic flows through the secure WireGuard tunnel using userspace TUN interface.

HTTP Proxy

Subdomain requests route through tunnel to peer's local port. Server maintains registry mapping subdomains to WireGuard peer IPs, proxying HTTP/WebSocket traffic bidirectionally.

Advanced Usage

API Access

curl -X POST -H "X-API-Key: your-key" https://arbok.mrkaran.dev/api/tunnel/3000

Troubleshooting

🔥 Firewall Issues (CentOS/RHEL/Fedora)

If you can ping through the tunnel but TCP connections fail, add the WireGuard interface to the trusted zone:

sudo firewall-cmd --permanent --zone=trusted --add-interface=burrow

sudo firewall-cmd --reload

🔍 Common Issues

App not accessible: Ensure your app binds to 0.0.0.0:PORT not 127.0.0.1:PORT

Handshake fails: Generate a fresh config - old configs become invalid after server restarts

Permission denied: WireGuard requires root/sudo privileges to create network interfaces