A self-hosted tunneling solution to securely expose your services to the internet.

English | 中文文档

Drip is a quiet, disciplined tunnel.
You light a small lamp on your network, and it carries that light outward—through your own infrastructure, on your own terms.

Control your data. No third-party servers means your traffic stays between your client and your server.

No limits. Run as many tunnels as you need, use as much bandwidth as your server can handle.

Actually free. Use your own domain, no paid tiers or feature restrictions.

Our custom multiplexing protocol had too many edge-case bugs. We replaced it with yamux, HashiCorp's battle-tested stream multiplexing library.

Why Yamux?

• Production-proven in Consul, Nomad, and other critical infrastructure
• Built-in flow control and keepalive support
• Active maintenance and community support

What changed:

• Removed: Custom HPACK compression, flow control, binary framing, HTTP codec
• Added: Yamux-based connection pooling and session management
• Result: ~60% less protocol code, significantly improved stability

⚠️ Breaking Change: Protocol incompatible with v0.4.x. Upgrade both client and server.

bash <(curl -sL https://raw.githubusercontent.com/Gouryella/drip/main/scripts/install.sh)

• Pick a language, then choose to install the client (macOS/Linux) or server (Linux).
• Non-interactive examples:
  • Client: bash <(curl -sL https://raw.githubusercontent.com/Gouryella/drip/main/scripts/install.sh) --client
  • Server: bash <(curl -sL https://raw.githubusercontent.com/Gouryella/drip/main/scripts/install.sh) --server

bash <(curl -sL https://raw.githubusercontent.com/Gouryella/drip/main/scripts/uninstall.sh)

# Configure server and token (only needed once)
drip config init

# Expose local HTTP server
drip http 3000

# Expose local HTTPS server
drip https 443

# Pick your subdomain
drip http 3000 -n myapp
# → https://myapp.your-domain.com

# Expose TCP service (database, SSH, etc.)
drip tcp 5432

Not just localhost - forward to any device on your network:

# Forward to another machine on LAN
drip http 8080 -a 192.168.1.100

# Forward to Docker container
drip http 3000 -a 172.17.0.2

# Forward to specific interface
drip http 3000 -a 10.0.0.5

Run tunnels in the background with -d:

# Start tunnel in background
drip http 3000 -d
drip https 8443 -n api -d

# List running tunnels
drip list

# View tunnel logs
drip attach http 3000

# Stop tunnels
drip stop http 3000
drip stop all

• A domain with DNS pointing to your server (A record)
• Wildcard DNS for subdomains: *.tunnel.example.com -> YOUR_IP
• SSL certificate (wildcard recommended)

Drip server handles TLS directly on port 443:

# Get wildcard certificate
sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.tunnel.example.com" -d "tunnel.example.com"

# Start server
drip-server \
  --port 443 \
  --domain tunnel.example.com \
  --tls-cert /etc/letsencrypt/live/tunnel.example.com/fullchain.pem \
  --tls-key /etc/letsencrypt/live/tunnel.example.com/privkey.pem \
  --token YOUR_SECRET_TOKEN

Run Drip on port 8443, let Nginx handle SSL termination:

server {
    listen 443 ssl http2;
    server_name *.tunnel.example.com;

    ssl_certificate /etc/letsencrypt/live/tunnel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tunnel.example.com/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_ssl_protocols TLSv1.3;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

The install script creates /etc/systemd/system/drip-server.service automatically. Manage with:

sudo systemctl start drip-server
sudo systemctl enable drip-server
sudo journalctl -u drip-server -f

Security

• TLS 1.3 encryption for all connections
• Token-based authentication
• No legacy protocol support

Flexibility

• HTTP, HTTPS, and TCP tunnels
• Forward to localhost or any LAN address
• Custom subdomains or auto-generated
• Daemon mode for persistent tunnels

Performance

• Binary protocol with msgpack encoding
• Connection pooling and reuse
• Minimal overhead between client and server

Simplicity

• One-line installation
• Save config once, use everywhere
• Real-time connection stats

┌─────────────┐         ┌──────────────┐         ┌─────────────┐
│   Internet  │ ──────> │    Server    │ <────── │   Client    │
│   User      │  HTTPS  │    (Drip)    │ TLS 1.3 │  localhost  │
└─────────────┘         └──────────────┘         └─────────────┘

Development & Testing

# Show local dev site to client
drip http 3000

# Test webhooks from services like Stripe
drip http 8000 -n webhooks

Home Server Access

# Access home NAS remotely
drip http 5000 -a 192.168.1.50

# Remote into home network via SSH
drip tcp 22

Docker & Containers

# Expose containerized app
drip http 8080 -a 172.17.0.3

# Database access for debugging
drip tcp 5432 -a db-container

# HTTP tunnel
drip http <port> [flags]
  -n, --subdomain    Custom subdomain
  -a, --address      Target address (default: 127.0.0.1)
  -d, --daemon       Run in background
  -s, --server       Server address
  -t, --token        Auth token

# HTTPS tunnel (same flags as http)
drip https <port> [flags]

# TCP tunnel (same flags as http)
drip tcp <port> [flags]

# Background tunnel management
drip list              List running tunnels
drip list -i           Interactive mode
drip attach [type] [port]   View logs
drip stop <type> <port>     Stop tunnel
drip stop all               Stop all tunnels

# Configuration
drip config init       Set up server and token
drip config show       Show current config
drip config set <key> <value>

BSD 3-Clause License - see LICENSE for details