DEV.co
Open-Source DevOps · ekzhang

bore

Bore is a lightweight, self-hosted CLI tool written in Rust that creates TCP tunnels to expose local ports to the internet, bypassing NAT firewalls. It works similarly to ngrok or localtunnel but prioritizes simplicity, efficiency, and minimal code footprint (~400 lines).

Source: GitHub — github.com/ekzhang/bore
11.3k
GitHub stars
514
Forks
Rust
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryekzhang/bore
Ownerekzhang
Primary languageRust
LicenseMIT — OSI-approved
Stars11.3k
Forks514
Open issues15
Latest releasev0.6.0 (2025-06-09)
Last updated2026-02-04
Sourcehttps://github.com/ekzhang/bore

What bore is

Bore implements a dual-port TCP tunnel architecture: a control port (7835) for handshake and UUID-based connection management, with subsequent data streams proxied between client and server. It supports optional HMAC-based authentication, configurable port ranges, and separate bind addresses for control and tunnel traffic.

Quickstart

Get the bore source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ekzhang/bore.gitcd bore# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Development & Local Testing Over Internet

Quickly expose a local development server to testers, stakeholders, or webhooks without complex network setup. Ideal for validating integrations, testing webhooks, or sharing work-in-progress demos.

Self-Hosted Tunnel Infrastructure

Deploy bore server on internal or public infrastructure to provide a lightweight, auditable tunneling service for teams. Low resource overhead makes it suitable for cost-conscious deployments or resource-constrained environments.

Temporary Remote Access & Debugging

Grant temporary, on-demand remote access to local services without persistent VPN or firewall rule changes. Useful for debugging production issues, supporting customers, or collaborative debugging sessions.

Implementation considerations

  • Bore server requires network exposure (typically port 7835 control + dynamic tunnel ports). Plan firewall rules and port allocation ranges (default 1024–65535) before deployment.
  • Optional secret authentication uses HMAC challenges but provides no traffic encryption. Encrypt tunnel data separately if handling sensitive payloads (e.g., TLS offloading on client or VPN overlay).
  • Connection state on the server has a 10-second expiry; ensure client reconnection logic handles this, especially for long-lived or sensitive workloads.
  • Stateless server design enables horizontal scaling, but no built-in service discovery or load balancing. Coordinate client connections to the appropriate server instance manually.
  • Minimal runtime footprint (single binary, ~400 lines) simplifies deployment but means no embedded logging, metrics, or admin UI; integrate external monitoring if observability is required.

When to avoid it — and what to weigh

  • High-Security, Compliance-Critical Workloads — Bore does not encrypt tunnel traffic by default; only the HMAC handshake is authenticated. Avoid for regulated data (HIPAA, PCI-DSS, GDPR) unless running over a pre-encrypted channel (VPN, TLS wrapper).
  • Production-Grade Enterprise Features Required — Bore lacks advanced features such as rate limiting, DDoS protection, load balancing, analytics, or fine-grained access controls. Not suitable if you need enterprise-class tunnel management or observability.
  • Persistent, Always-On Tunnel Services — Bore is designed for temporary, ad-hoc tunneling. No built-in support for automatic reconnection, session persistence, or long-lived tunnel management; connections discarded after 10 seconds of inactivity on the server.
  • Protocol Support Beyond TCP — Bore handles only TCP traffic. If you need UDP, HTTP/WebSocket-specific features, or multi-protocol tunneling, choose an alternative like ngrok or Cloudflare Tunnel.

License & commercial use

Bore is licensed under the MIT License, a permissive OSI-approved license permitting commercial use, modification, and distribution with minimal restrictions (attribution and license copy required).

MIT license explicitly allows commercial use without restriction or royalty obligation. However, no warranty is provided. Ensure you comply with the MIT license terms (include license and attribution) if you redistribute or modify the code. Audit any custom deployments for security and compliance requirements before production use.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

No encryption of tunnel traffic by default; only HMAC authentication on handshake. Tunnel data traverses the server unencrypted unless wrapped in TLS or VPN. UUID-based connection tracking (10-second expiry) reduces replay risk but does not prevent eavesdropping. Secret authentication is optional and provides no mutual TLS or key exchange. For sensitive data, layer bore behind a TLS-terminating proxy or encrypt payloads client-side. No disclosed security audit history provided.

Alternatives to consider

ngrok

Feature-rich tunneling with HTTP routing, TLS termination, built-in logging/analytics, and higher security defaults. Better for enterprise; higher operational cost and learning curve.

localtunnel

Similar lightweight alternative; also simple and open-source (MIT/Apache 2.0). Less efficient (Node.js-based) and less actively maintained; similar feature set and ease of use.

Cloudflare Tunnel (Argo)

Managed, zero-trust tunneling with DDoS protection, load balancing, and fine-grained access control. More opinionated and costly; best for enterprise security requirements.

Software development agency

Build on bore with DEV.co software developers

Bore is ideal for development, testing, and temporary remote access. Assess whether its simplicity, lack of encryption-by-default, and lightweight footprint align with your security and operational requirements. Contact our team to architect a secure, scalable tunneling solution.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

bore FAQ

Can I encrypt bore tunnel traffic?
No, by default. Bore does not encrypt data traversing the tunnel. Wrap connections in TLS (e.g., reverse proxy), run over VPN, or encrypt payloads client-side for sensitive data.
How do I deploy bore on my own server?
Run `bore server` on a publicly accessible machine. Clients connect via `bore local <PORT> --to <SERVER_ADDRESS>`. Optionally set `--secret` for authentication and `--min-port`/`--max-port` to restrict port ranges.
What happens if the client disconnects?
Bore does not maintain persistent tunnels. If the client loses connection, the tunnel closes and must be re-established. Incoming connections are buffered for up to 10 seconds before being discarded.
Is bore suitable for production use?
Bore is suitable for temporary access, development, and internal deployments. Not recommended for production-critical services without additional security layers (TLS, authentication, monitoring, DDoS protection) and compliance validation.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like bore. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.

Evaluate Bore for Your Tunneling Needs

Bore is ideal for development, testing, and temporary remote access. Assess whether its simplicity, lack of encryption-by-default, and lightweight footprint align with your security and operational requirements. Contact our team to architect a secure, scalable tunneling solution.