In an era dominated by cloud computing and the Internet of Things (IoT), the ability to access local services remotely is a fundamental requirement. However, the exhaustion of IPv4 addresses and the widespread implementation of Carrier-Grade NAT (CGNAT) by Internet Service Providers (ISPs) have made traditional port forwarding increasingly difficult and insecure. This paper presents "ExposeHost," a secure, self-hosted, end-to-end port forwarding solution designed to expose local TCP and HTTP services to the public internet. Unlike commercial solutions that function as "black boxes," ExposeHost offers a transparent, Python-based architecture leveraging asyncio for high-concurrency connection multiplexing. It introduces a custom JSON-header-based protocol over TLS for secure control channels and integrates a client-side authentication proxy (AuthProxy) using HMAC-signed cookies to secure otherwise unprotected local services. We evaluate ExposeHost against existing solutions like Ngrok and FRP (Fast Reverse Proxy), demonstrating its efficacy in providing a secure, performant, and customizable alternative for developers and self-hosters.
Introduction
The rapid growth of the Internet has caused a shortage of IPv4 addresses, leading Internet Service Providers to adopt Network Address Translation (NAT) and Carrier-Grade NAT (CGNAT). Although these technologies conserve IP addresses, they make local devices inaccessible from external networks without complicated configurations. At the same time, the increasing popularity of self-hosting and remote application demonstrations has created a demand for simple and secure tunneling solutions.
Existing solutions such as Ngrok and FRP have limitations including restricted free features, privacy concerns, difficult configuration, and lack of integrated authentication. To address these issues, the proposed system, ExposeHost, is designed to provide reliable NAT/CGNAT bypassing, secure encrypted communication, optimized performance, and user-friendly deployment.
ExposeHost uses a client-server architecture where a public server acts as a gateway and a local client creates outbound connections to establish secure tunnels. The system consists of three main components:
A TLS-encrypted control plane for signaling and authentication
A dynamic data plane for forwarding traffic
An optional AuthProxy layer that protects local services with authentication before access is granted
The system supports features such as TCP tunneling, public and custom subdomains, encrypted channels, self-hosting, GUI support, SDK integration, and open-source deployment. Compared to other remote access tools, ExposeHost provides a more complete and developer-friendly solution by combining security, usability, and flexibility in a single platform.
The study also reviews existing NAT traversal techniques such as STUN, TURN, and modern QUIC/MASQUE protocols, highlighting the shift toward Zero Trust Network Access (ZTNA) architectures. ExposeHost follows this trend by implementing a “verify then connect” security model to ensure secure access to exposed services.
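The abstract describes the AuthProxy as protecting unprotected local services with HMAC-signed cookies, and the introduction frames this as a "verify then connect" model. The following is an added illustration, not code from the ExposeHost project: it shows one way such a cookie can be issued and checked before a request is forwarded to the local service. The cookie layout (base64url JSON payload, a dot, a base64url HMAC-SHA256 tag), the cookie name, and all function names are assumptions made for this example. The security-relevant details are that the tag is compared in constant time, that the payload is only parsed after the tag has been verified, and that an expiry is enforced so a leaked cookie has a bounded lifetime.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical cookie name; the real project may use a different one.
COOKIE_NAME = "exposehost_auth"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> Optional[bytes]:
    # Re-add stripped padding; return None on malformed input instead of raising.
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError:
        return None


def sign_cookie(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a cookie value: <base64url(json payload)>.<base64url(HMAC-SHA256 tag)>."""
    issued_at = int(time.time()) if now is None else now
    payload = {
        "sub": subject,
        "exp": issued_at + ttl_seconds,
        "nonce": secrets.token_hex(8),  # makes two cookies for the same user distinct
    }
    body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(tag)}"


def verify_cookie(secret: bytes, cookie: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the tag is valid and the cookie has not expired, else None."""
    current = int(time.time()) if now is None else now
    parts = cookie.split(".")
    if len(parts) != 2:
        return None
    body, tag_text = parts
    given_tag = _b64decode(tag_text)
    if given_tag is None:
        return None
    expected_tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' would leak how many leading bytes matched.
    if not hmac.compare_digest(expected_tag, given_tag):
        return None
    # Only now is the payload trusted enough to be parsed.
    raw = _b64decode(body)
    if raw is None:
        return None
    try:
        payload = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= current:
        return None
    return payload


def _cookie_from_header(cookie_header: str) -> Optional[str]:
    # Minimal parser for a "Cookie: a=1; b=2" header; enough for this example.
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == COOKIE_NAME:
            return value
    return None


def authorize_request(secret: bytes, headers: dict, now: Optional[int] = None) -> str:
    """'verify then connect': return 'forward' only after a valid cookie is presented,
    otherwise 'login' so the AuthProxy can challenge the client instead of relaying."""
    cookie = _cookie_from_header(headers.get("Cookie", ""))
    if cookie is None or verify_cookie(secret, cookie, now) is None:
        return "login"
    return "forward"


if __name__ == "__main__":
    # Constructed sample: a 32-byte secret as the AuthProxy would load from its config.
    demo_secret = bytes(range(32))
    issued = sign_cookie(demo_secret, "alice", ttl_seconds=300, now=1_000)
    print(authorize_request(demo_secret, {"Cookie": f"{COOKIE_NAME}={issued}"}, now=1_100))
    print(authorize_request(demo_secret, {"Cookie": f"{COOKIE_NAME}={issued}"}, now=2_000))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in a live proxy it is left at its default. Because the tag covers the encoded body as a string, any change to the body, including re-encoding an unchanged payload with different key ordering, invalidates the cookie.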
Conclusion
ExposeHost fills a critical gap for developers and IT professionals who require a self-hosted, secure, and authenticated method to expose local services. While commercial tools exist, they often obscure the underlying mechanism or limit features behind paywalls. By modernizing the concept pioneered by NetMask[1] and integrating essential features like AuthProxy and TLS-based control planes, ExposeHost provides a transparent and robust solution. The successful stress tests on minimal cloud infrastructure confirm its viability for real-world use cases.
Future Work includes:
1) UDP Support: Extending packets.py to support UDP tunneling for game servers and VoIP.
2) P2P Hole Punching: Implementing STUN/ICE logic to attempt direct peer-to-peer connections, bypassing the relay server for improved latency.
3) Dashboard: Developing a web-based management UI for the server to monitor active tunnels and bandwidth usage.
References
[1] Dove, J. (2024). NetMask: Secure TCP/UDP Tunneling Tool. GitHub.
[2] Splashtop. (2024). What is AnyDesk?
[3] Mehta, S. A., Pathak, K., & Garg, A. (2023). "Smart Reverse Proxy with Remote Management". International Journal of Engineering Research & Technology (IJERT), 12(08).
[4] Maier, G., & Smith, R. (2022). "Secure and Efficient Tunneling of MACsec for Modern Industrial Use Cases". arXiv:2205.12748.
[5] Dor, L., & Inp, H. (2020). Localhost Detour from Public to Private Networks: Vulnerabilities and Mitigations. Deepness Lab.
[6] Rescorla, E. (2019). Transport Layer Security (TLS) Security Mechanisms. Springer.
[7] Scribe. (2019). Ngrok: Secure Tunnel to Localhost.
[8] Gupta, A., & Sharma, K. (2017). "Establishing Remote Networks for ROS Applications via Port Forwarding". International Journal of Advanced Robotics Systems.
[9] Honda, M. (2005). "A Retrospective View of Network Address Translation (NAT)". ACM SIGCOMM.
[10] Ngrok Documentation. https://ngrok.com/docs
[11] IETF RFC 5389. (2008). Session Traversal Utilities for NAT (STUN).
[12] IETF RFC 8656. (2020). Traversal Using Relays around NAT (TURN).
[13] FRP (Fast Reverse Proxy). https://github.com/fatedier/frp
[14] Gartner. (2023). Market Guide for Zero Trust Network Access.
[15] Cybersecurity Insiders. (2024). 2024 Zero Trust Security Report.
[16] HHF Technology. (2024). Benchmark: Traefik vs Nginx - Performance Analysis.
[17] KU Leuven & Top10VPN. (2024). Bypassing Tunnels: Vulnerabilities in VPN and Tunneling Protocols.