No port forwarding
openhost hole-punches through NAT with WebRTC. Your router stays closed. Even behind carrier-grade NAT, the common cases just work.
openhost connects your phone to services running on your own machines — over end-to-end encrypted WebRTC, addressed by a public key, discovered on the BitTorrent DHT. No port forwarding. No tunnel service. No account.
DTLS 1.3 from your phone straight to your home daemon. Nothing in the middle — not us, not your ISP, not a relay — can read your traffic.
Your Ed25519 public key is your address. openhost runs no backend. We have no servers to shut down, nothing to leak, and nothing to charge you for.
If you self-host, you've probably tried ngrok, Tailscale, Cloudflare Tunnel, or port forwarding with DDNS. Each works — and each trades away something a self-hoster actually cares about.
| | openhost | ngrok | Tailscale Funnel | Cloudflare Tunnel | Port forward + DDNS |
|---|---|---|---|---|---|
| Traffic path | End-to-end encrypted, direct | Through ngrok servers | Direct if possible; DERP relay fallback | Through Cloudflare edge (TLS terminated there) | Direct |
| Provider can see your data? | No — nothing in the middle | Yes (TLS terminated at ngrok) | Metadata at coord server | Yes (TLS terminated at edge) | N/A — you are the provider |
| Requires an account | No | Yes | Yes | Yes (+ domain on CF) | No |
| Requires a domain | No | No (random URL free) | No (uses *.ts.net) | Yes | Optional |
| Monthly cost | $0 | $5+ for a stable URL | Free tier; paid for extras | Free with CF account | $0 (domain extra) |
| Works behind CGNAT | Yes (WebRTC hole-punch) | Yes (tunnel) | Yes (DERP relay) | Yes (tunnel) | No |
| Opens a port on your router | No | No | No | No | Yes |
| Provider can change terms / shut down | No provider to change terms | Yes | Yes | Yes | N/A |
| Protocol is open / any client works | Yes | No | No | No | Yes (plain HTTP) |
| Address is stable forever | Yes (your pubkey) | Paid tier only | Tied to your Tailscale account | Tied to your CF account + domain | Tied to your domain |
openhost is for people who already run the services they use. You've got Jellyfin, Home Assistant, a Gitea, maybe a personal dashboard — all on hardware you own, sitting on your home network. You want to reach them from your phone when you're out, and you want that to keep working in five years without depending on a company's roadmap. That's the only thing openhost tries to do well.
A small daemon on your server publishes a signed DNS record to the BitTorrent Mainline DHT, keyed by your Ed25519 public key. Paired clients resolve it, negotiate a direct WebRTC connection, and speak HTTP over an end-to-end encrypted data channel.
No new cryptography. No invented protocols. Every piece has years of production use outside of openhost.
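What "signed record, keyed by your Ed25519 public key" requires of a resolving client, as an added example that is not openhost's own code. It assumes the record uses the BEP 44 mutable-item layout of the BitTorrent DHT (this page does not give openhost's actual record format); `Record`, `Target`, `Sign` and `Accept` are hypothetical names and the key and payload are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Record is a signed DHT item in the assumed BEP 44 mutable-item layout.
type Record struct {
	Seq   int64  // version number the publisher only ever increases
	Value []byte // opaque payload, e.g. the encoded DNS record
	Sig   []byte // Ed25519 signature over signable(Seq, Value)
}

var ErrBadSig = errors.New("record not signed by the pinned key")
var ErrRollback = errors.New("seq older than last accepted record")

// Target is the DHT lookup key: SHA-1 of the public key (no salt assumed).
func Target(pub ed25519.PublicKey) [20]byte { return sha1.Sum(pub) }

// signable is the buffer BEP 44 signs: the bencoded seq and v fields.
func signable(seq int64, v []byte) []byte {
	return []byte(fmt.Sprintf("3:seqi%de1:v%d:%s", seq, len(v), v))
}

// Sign is the daemon side: it produces the record to publish.
func Sign(priv ed25519.PrivateKey, seq int64, v []byte) Record {
	return Record{Seq: seq, Value: v, Sig: ed25519.Sign(priv, signable(seq, v))}
}

// Accept is the client side: only the key pinned at pairing may sign, and seq may not go back.
func Accept(pinned ed25519.PublicKey, lastSeq int64, r Record) error {
	if len(pinned) != ed25519.PublicKeySize ||
		!ed25519.Verify(pinned, signable(r.Seq, r.Value), r.Sig) {
		return ErrBadSig
	}
	if r.Seq < lastSeq {
		return ErrRollback
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo key
	fmt.Println(Accept(priv.Public().(ed25519.PublicKey), 0, Sign(priv, 1, []byte("sample"))))
}
```

Because the sequence number is inside the signed buffer, a DHT node can neither alter the payload nor relabel an old record as new; the most it can do is replay an older valid record, which the `lastSeq` comparison rejects.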
The protocol is being finalized. Installers, apps, and the extension are in the works. Star the repo to follow along.