Data security is important, whether it's on our home networks or in transit between our devices and the servers that store it. Virtual Private Networks (VPNs) have been the trusted solution for a long time, but can be complicated to set up or limited in bandwidth and versatility. New solutions like Cloudflare Tunnels are significantly easier to set up, but come with their own trade-offs, and that's why I don't like using them.

It's not entirely that I don't trust Cloudflare. It's that I don't trust anyone when it comes to data security (and yes, that includes myself). While data is on Cloudflare's network, it's not encrypted, which is a big deal for me. They also really don't like you using Tunnel for media streaming from your Jellyfin or Plex server, which makes it a dealbreaker for my needs.

But thankfully, there are plenty of other alternatives, from reverse proxies to overlay networks. I found another one to add to my collection called NodePass, and while it's not as user-friendly as NetBird, Tailscale, or Pangolin, it's easy to set up and has various options depending on how you want to handle your network tunneling.

What is NodePass, and why would you use it?

Make your own peer-to-peer VPN

NodePass is a high-performance tunnel written in Go, which seems to be the flavor of choice for DevOps tools these days. Thankfully, for those in corporate environments, it supports TCP and UDP tunneling, as we all know the pain of not being able to use our favorite UDP options. It's easy to set up, scales well, and has built-in TLS encryption and authentication methods.

Some standout features of NodePass include:

  • Tunneling over TCP and UDP
  • Single binary or container to support client, server, and manager roles
  • Zero-conf install
  • "Connection pool" feature which keeps pre-connected handshakes ready to move data
  • API management layer
  • Your choice of plaintext, self-signed, or strict validation for TLS

It works on Linux, Windows, and macOS, though it should run on anything that can run Go apps. I love that it's one app whether you use it in client, server or manager roles, so you can adjust accordingly or turn any computer that it's installed on into a control plane.

Be in charge of your own encryption keys

One neat feature is that you're in charge of how far into TLS you want to go. That makes it great for testing how things will work through tunnels, as you can use plaintext, self-signed certificates, or strict validation depending on your use case, development or production environment, and other factors. Self-signed TLS certs are fine if you're only using it as a Cloudflare Tunnel replacement for your own needs.

Setting up NodePass is quick

And there's a mobile app for management

NodePass is awesome because of zero-configuration deployment. It doesn't require config files, takes seconds to deploy, and everything runs from the command line. Some users have created containers with a dashboard GUI for management; these are third-party, and your mileage may vary on how well they work.

To install NodePass on a Linux system (like the VPS that I'm using) in master mode (API mode), it's a one-line script:

bash 

Running this will guide you through a few questions: whether you want to use the public IP or only use NodePass on your local network, which port to use, and whether you want unencrypted tunnels, ones secured with a self-signed certificate, or ones secured with a third-party certificate. If you opt for self-signing, it will generate a certificate for you to use without setting up Let's Encrypt or another service.

It takes about a minute to fully install, and then you get the API URL, your API key for connecting clients, a URI for your server, and a QR code to scan with the mobile app, so you don't have to type complex secrets.

Don't worry about my secrets, this server no longer exists.

Or there are Docker images if you prefer

Docker makes things even easier, if you have a containerized workflow already. Pull the image, give it a port to listen on and you've got a control server in seconds. Run the same image in client mode to connect to the server, and you'll have encrypted tunnels within a few minutes, and that's all it takes.

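# Pull the container image
# (Docker rejects uppercase letters in repository names, so the path is lowercase)
docker pull ghcr.io/nodepassproject/nodepass:latest

# Run in server mode: tunnel listener on 10101, target on 8080
# No tls= option is set in this URL; confirm which TLS mode is in effect
# before treating the tunnel as encrypted.
docker run -d --name nodepass-server -p 10101:10101 -p 8080:8080 \
ghcr.io/nodepassproject/nodepass server://0.0.0.0:10101/0.0.0.0:8080

# Run in client mode
# The name nodepass-server must resolve from inside this container (for example
# via a shared user-defined Docker network); otherwise use the server's address.
# On the same host as the server, -p 8080:8080 collides with the server's mapping.
docker run -d --name nodepass-client \
-e NP_MIN_POOL_INTERVAL=200ms \
-e NP_SEMAPHORE_LIMIT=512 \
-p 8080:8080 \
ghcr.io/nodepassproject/nodepass "client://nodepass-server:10101/127.0.0.1:8080?min=32&max=512"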

Sure, Tailscale, Cloudflare Tunnels and other options take a similar amount of time, but not every corporate environment allows the use of services hosted elsewhere, and NodePass is fully contained.
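Since the TLS level is your choice, it's worth checking which one each endpoint URL actually selects before exposing it. The script below is an added example, not code from NodePass or from the original article. It assumes the mode is set with a tls= query parameter (0 plaintext, 1 self-signed, 2 strict validation with crt= and key= paths) and that a missing tls= means plaintext; confirm both against the NodePass documentation for your version.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed mapping of NodePass's tls= query value to the three TLS choices.
TLS_MODES = {"0": "plaintext", "1": "self-signed", "2": "strict"}
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_nodepass_url(url):
    """Return (tls_mode, findings) for one NodePass endpoint URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("server", "client", "master"):
        raise ValueError(f"not a NodePass URL: {url!r}")
    if parts.scheme == "client":
        # The client URL on the page sets no TLS option, so only the
        # listening side is audited (assumption).
        return None, []
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    raw = params.get("tls", "0")  # assumption: no tls= means plaintext
    if raw not in TLS_MODES:
        raise ValueError(f"unknown tls mode {raw!r} in {url!r}")
    mode, findings = TLS_MODES[raw], []
    if mode == "plaintext":
        findings.append("PLAINTEXT")
        if (parts.hostname or "") in ALL_INTERFACES:
            findings.append("PLAINTEXT_ON_ALL_INTERFACES")
    elif mode == "self-signed":
        # Encrypted, but peers cannot validate the certificate against a CA.
        findings.append("SELF_SIGNED_UNVERIFIED")
    elif not (params.get("crt") and params.get("key")):
        findings.append("STRICT_MISSING_CERT_OR_KEY")
    return mode, findings


# First two URLs come from the Docker commands above; the rest are constructed.
SAMPLE_URLS = [
    "server://0.0.0.0:10101/0.0.0.0:8080",
    "client://nodepass-server:10101/127.0.0.1:8080?min=32&max=512",
    "server://0.0.0.0:10101/127.0.0.1:8080?tls=1",
    "server://0.0.0.0:10101/127.0.0.1:8080?tls=2",
    "server://0.0.0.0:10101/127.0.0.1:8080?tls=2&crt=/etc/np/tls.crt&key=/etc/np/tls.key",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        mode, findings = audit_nodepass_url(url)
        print(f"{url}\n  tls={mode} findings={findings or 'none'}")
```

An empty findings list on a server URL means strict mode with both certificate and key paths present; it does not check that the files exist or that the certificate chains to a trusted CA.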

Self-hosting your own tunnels is neat

Being able to control your own infrastructure is part of the reason anyone starts self-hosting, and now you can create your own encrypted tunnels with separated data and control streams, just like Cloudflare Tunnels or Tailscale. NodePass is one of the easier options I've tried, and is good for a mix of Linux and Windows machines, but it's not for all use cases. Still, it's nice to have more options.