Gapo exposes local services to the internet through secure tunnels. Share a website, SSH access, or database with a single command — no port forwarding or firewall changes needed.
Features:
- HTTP/HTTPS tunnels with automatic Let's Encrypt certificates
- TCP tunnels for SSH, databases, and any TCP service
- WebSocket support
- Interactive TUI dashboard
- URL rewriting for WordPress and CMS apps (
--rewrite) - Web-based request inspector (
--inspect) - Automatic reconnection on network failure
- Self-update built in
- Single static binary, no dependencies
Download from the Releases page.
Linux / macOS / FreeBSD:
tar xzf gapo_*_linux_amd64.tar.gz
sudo mv gapo gapo-server /usr/local/bin/Windows (client only):
Extract the zip file and add gapo.exe to your PATH.
Run this on your VPS:
gapo-server \
--domain tunnel.example.com \
--token your-secret-token \
--autocert \
--cert-dir /var/lib/gapo/certs \
--email admin@example.com \
--http 443 \
--tunnel 19443Add two DNS records pointing to your server:
A tunnel.example.com → your-server-ip
A *.tunnel.example.com → your-server-ip
gapo --server tunnel.example.com:19443 --token your-secret-token --http myapp 3000Your site is now live at https://myapp.tunnel.example.com.
Note: Use your local service's HTTP port (e.g., 80 or 3000). If your local service uses HTTPS (port 443), gapo detects this automatically. You can also use
--local-httpsfor other HTTPS ports.
gapo-server \
--domain tunnel.example.com \
--token your-secret-token \
--tunnel 19443 \
--tcp-ports 30000-39999Make sure ports 30000-39999 are open in your firewall.
gapo --server tunnel.example.com:19443 --token your-secret-token --tcp ssh 22Gapo will show the allocated public port (e.g., tcp port 30000 -> localhost:22).
ssh user@tunnel.example.com -p 30000Same server setup as SSH, then connect:
gapo --server tunnel.example.com:19443 --token your-secret-token --tcp mysql 3306Others connect using the port Gapo assigns:
mysql -h tunnel.example.com -P 30000 -u myuser -pAdd --inspect to open a local web dashboard that shows all HTTP requests in real time:
gapo --inspect 4040 --http myapp 3000Open http://127.0.0.1:4040 in your browser. Click any request to see headers, body, and timing details.
Use --rewrite to tunnel apps that have a fixed local URL (like WordPress). Gapo rewrites URLs automatically — no need to change your app's config:
gapo --rewrite wpdev.local myapp 80This rewrites URLs in responses, redirects, and cookies so everything works through the tunnel URL.
Create ~/.gapo/config to avoid repeating flags:
GAPO_SERVER=tunnel.example.com:19443
GAPO_TOKEN=your-secret-tokenNow you only need:
gapo --http myapp 3000 # share a website
gapo --tcp ssh 22 # share SSHSee Configuration for server config and all available keys.
gapo --update
gapo-server --updateHTTP tunnel — TUI dashboard:
TCP tunnel — TUI dashboard:
Server log output:
- Server Setup — server guide, systemd, firewall, requirements
- Client Usage — all client options, TUI dashboard, troubleshooting
- Configuration — config file format and all keys
- FAQ — common questions and problems
Proprietary. See LICENSE.md.
Copyright (c) 2026-present Ghostbird Media