bore
Bore is a lightweight, self-hosted CLI tool written in Rust that creates TCP tunnels to expose local ports to the internet, bypassing NAT firewalls. It works similarly to ngrok or localtunnel but prioritizes simplicity, efficiency, and minimal code footprint (~400 lines).
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ekzhang/bore |
| Owner | ekzhang |
| Primary language | Rust |
| License | MIT — OSI-approved |
| Stars | 11.3k |
| Forks | 514 |
| Open issues | 15 |
| Latest release | v0.6.0 (2025-06-09) |
| Last updated | 2026-02-04 |
| Source | https://github.com/ekzhang/bore |
What bore is
Bore implements a dual-port TCP tunnel architecture: a control port (7835) for handshake and UUID-based connection management, with subsequent data streams proxied between client and server. It supports optional HMAC-based authentication, configurable port ranges, and separate bind addresses for control and tunnel traffic.
Get the bore source
Clone the repository and explore it locally.
git clone https://github.com/ekzhang/bore.gitcd bore# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Bore server requires network exposure (typically port 7835 control + dynamic tunnel ports). Plan firewall rules and port allocation ranges (default 1024–65535) before deployment.
- Optional secret authentication uses HMAC challenges but provides no traffic encryption. Encrypt tunnel data separately if handling sensitive payloads (e.g., TLS offloading on client or VPN overlay).
- Connection state on the server has a 10-second expiry; ensure client reconnection logic handles this, especially for long-lived or sensitive workloads.
- Stateless server design enables horizontal scaling, but no built-in service discovery or load balancing. Coordinate client connections to the appropriate server instance manually.
- Minimal runtime footprint (single binary, ~400 lines) simplifies deployment but means no embedded logging, metrics, or admin UI; integrate external monitoring if observability is required.
When to avoid it — and what to weigh
- High-Security, Compliance-Critical Workloads — Bore does not encrypt tunnel traffic by default; only the HMAC handshake is authenticated. Avoid for regulated data (HIPAA, PCI-DSS, GDPR) unless running over a pre-encrypted channel (VPN, TLS wrapper).
- Production-Grade Enterprise Features Required — Bore lacks advanced features such as rate limiting, DDoS protection, load balancing, analytics, or fine-grained access controls. Not suitable if you need enterprise-class tunnel management or observability.
- Persistent, Always-On Tunnel Services — Bore is designed for temporary, ad-hoc tunneling. No built-in support for automatic reconnection, session persistence, or long-lived tunnel management; connections discarded after 10 seconds of inactivity on the server.
- Protocol Support Beyond TCP — Bore handles only TCP traffic. If you need UDP, HTTP/WebSocket-specific features, or multi-protocol tunneling, choose an alternative like ngrok or Cloudflare Tunnel.
License & commercial use
Bore is licensed under the MIT License, a permissive OSI-approved license permitting commercial use, modification, and distribution with minimal restrictions (attribution and license copy required).
MIT license explicitly allows commercial use without restriction or royalty obligation. However, no warranty is provided. Ensure you comply with the MIT license terms (include license and attribution) if you redistribute or modify the code. Audit any custom deployments for security and compliance requirements before production use.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
No encryption of tunnel traffic by default; only HMAC authentication on handshake. Tunnel data traverses the server unencrypted unless wrapped in TLS or VPN. UUID-based connection tracking (10-second expiry) reduces replay risk but does not prevent eavesdropping. Secret authentication is optional and provides no mutual TLS or key exchange. For sensitive data, layer bore behind a TLS-terminating proxy or encrypt payloads client-side. No disclosed security audit history provided.
Alternatives to consider
ngrok
Feature-rich tunneling with HTTP routing, TLS termination, built-in logging/analytics, and higher security defaults. Better for enterprise; higher operational cost and learning curve.
localtunnel
Similar lightweight alternative; also simple and open-source (MIT/Apache 2.0). Less efficient (Node.js-based) and less actively maintained; similar feature set and ease of use.
Cloudflare Tunnel (Argo)
Managed, zero-trust tunneling with DDoS protection, load balancing, and fine-grained access control. More opinionated and costly; best for enterprise security requirements.
Build on bore with DEV.co software developers
Bore is ideal for development, testing, and temporary remote access. Assess whether its simplicity, lack of encryption-by-default, and lightweight footprint align with your security and operational requirements. Contact our team to architect a secure, scalable tunneling solution.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
bore FAQ
Can I encrypt bore tunnel traffic?
How do I deploy bore on my own server?
What happens if the client disconnects?
Is bore suitable for production use?
Software development & web development with DEV.co
From first prototype to production, DEV.co delivers software development services around tools like bore. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.
Evaluate Bore for Your Tunneling Needs
Bore is ideal for development, testing, and temporary remote access. Assess whether its simplicity, lack of encryption-by-default, and lightweight footprint align with your security and operational requirements. Contact our team to architect a secure, scalable tunneling solution.