Nubeo Engineering // Internal // v0.8.4

Expose any port,anywhere.

tunnelctl is the in-house tunneling daemon for Nubeo developers. Drop an encrypted public URL on top of any localhost service in under 200 ms — share with the team, hit it from a phone, get the QA crew unblocked. Zero accounts. Zero config. Free for the whole org.

▶ Install Read the docs >

Free for Nubeo Self-hosted on Pi-blade cluster Single binary

— tunnelctl :: session 0xC0DE —

grid@nubeo ~ $  tunnelctl up esigno-dev localhost:5173    ▌ tunnelctl :: forging encrypted tunnel...    ✓ handshake          tls 1.3 / chacha20-poly1305    ✓ edge node          prg-01.tunnelctl.eu    ✓ slug bound         esigno-dev      → public  https://esigno-dev.tunnelctl.eu    → local   http://localhost:5173      ──── live traffic ────────────────────────────    14:22:01  200 GET   /api/users          42ms    14:22:02  200 POST  /api/login         118ms    14:22:03  404 GET   /favicon.ico         3ms    14:22:04  200 GET   /api/users/42       29ms 
grid@nubeo ~ $   

Latency p99

38 ms

Edge

prg-01.eu

Uptime

99.9%

01 /

What it does today

Tiny scope. Honest tooling.

tunnelctl deliberately ships less than ngrok. No paid plans, no feature creep — just the one job done well. Spin up an HTTPS tunnel against a localhost port, share the URL, ship the demo. Anything fancier we add only when an actual Nubeo project asks for it.

// CORE

Instant Tunnels

One command spins up a TLS-terminated tunnel pointing at any local port. No signup, no DNS, no waiting. Ship a working URL before your coffee finishes brewing.

// DNS

Pick Your Subdomain

You choose the slug — every tunnel lives at <slug>.tunnelctl.eu. The same name across restarts means stable URLs for QA, webhook callbacks, and shared previews.

// SEC

End-to-end Encryption

TLS 1.3 with ChaCha20-Poly1305 between client and edge. Optional basic-auth gate or IP allowlist if you're exposing a staging build to a vendor.

// SHIP

Single Binary

One static binary. No Docker, no systemd hoops, no language runtime. macOS (Intel + Apple Silicon), Linux x86_64 / arm64, Windows. Just drop it in your $PATH.

02 /

Power-up sequence

Three commands to go live.

Install once. Authenticate against your Nubeo SSO once. Tunnel forever. The full reference — every flag, every config knob, every edge case — lives at docs.tunnelctl.eu.

LEVEL 01

Install

Single binary, zero deps. Pick your distro in the hero — the snippet below switches with it. Same data, just annotated for context.

# Add the tunnelctl Homebrew tap (one-time setup):
$ brew tap tunnelctl/tunnelctl https://git.piblade.net/tunnelctl/homebrew-tunnelctl.git
# Install the CLI:
$ brew install tunnelctl

LEVEL 02

Auth

SSO via Nubeo's identity provider. Browser device flow — no copy-pasting tokens, no editing TOML files in a panic.

$ tunnelctl login
→ opening browser...
✓ device CODE-9F2-X1A approved
✓ logged in as you@nubeo.eu

LEVEL 03

Tunnel

Pick a slug, point at a port, go. Host:port form lets you target localhost, an explicit IPv6, or anything else your dev server listens on. -d backgrounds it.

# Port-only shorthand → binds to 127.0.0.1:
$ tunnelctl up web 3000
# Custom host (e.g. Vite's localhost or explicit IPv6):
$ tunnelctl up web localhost:5173 --host-header-rewrite=localhost
# Detached (-d) — daemon runs in background, terminal returns:
$ tunnelctl up web localhost:5173 -d
→ tunnelctl logs web # tail daemon output
→ tunnelctl down web # stop the tunnel

03 /

Patch notes & roadmap

What ships. What doesn't (yet).

We're being upfront about scope. Below is what's in the box right now and what's on the backlog. If something on the right side blocks your work, file an issue at track.nubeo.eu and we'll bump it.

v0.8 — Shipped

STABLE

HTTPS tunnels on <slug>.tunnelctl.eu

slug is required and chosen by you — same name across restarts
Flexible target syntax

port-only shorthand (3000), explicit host (localhost:5173), IPv6 ([::1]:5173)
Detached daemon mode (-d)

terminal returns; tail with tunnelctl logs, stop with tunnelctl down
Host header rewrite

--host-header-rewrite for dev servers that strict-match the Host header (Vite, webpack-dev-server)
TLS 1.3 end-to-end (ChaCha20-Poly1305)

between client and edge
Basic auth + IP allowlist

simple gates for vendor demos
Nubeo SSO device-flow login

tied to your @nubeo.eu identity
Single static binary, multi-arch

macOS / Linux / Windows

Backlog

NOT YET

Auto-suggested slugs

slug is mandatory today — no random fallback for quick one-shots
Custom domains

currently only *.tunnelctl.eu — no api.acme.dev yet
Traffic inspector

no built-in request replay UI for now
Webhook replay & persistence

tunnels are ephemeral; replay is on the backlog
Load balancing across clients

one tunnel, one client — round-robin not implemented
Multi-region edge

single edge in Prague (prg-01) for now
TCP / UDP forwarding

HTTP(S) only today

Ready Player One?

Drop a public URL on top of localhost in the next 30 seconds. No credit card. No marketing email. No quota. Just a daemon and a glowing terminal — courtesy of Nubeo Engineering.

$ brew tap tunnelctl/tunnelctl https://git.piblade.net/tunnelctl/homebrew-tunnelctl.git
$ brew install tunnelctl