Why I Stopped Paying for Tunnels and Built My Own (in 500 Lines of Rust).

Dhinesh Krishnan — Wed, 10 Jun 2026 05:37:22 +0000

Why I Stopped Paying for Tunnels and Built My Own (in 500 Lines of Rust)

We’ve all been there: you’re working on a project, you need to show it to a client or a teammate, and you reach for Ngrok. It works, it’s reliable, but then you hit the paywall. Or maybe, like me, you just wanted to understand how that "magic" URL actually pipes traffic to your localhost.

I wanted to see if I could build a solution that was lightweight, self-hosted, and blazing fast. So, I spent the last few weeks building Macha—a high-performance reverse tunnel written in Rust.

The "Aha!" Moment: How Tunnels Actually Work

Most people think a tunnel is just a complex proxy. In reality, it’s a multiplexer. To make this work, you need two distinct communication planes:

The Control Plane (Port 9000): A persistent TCP heartbeat that tells your machine, "Hey, a request is waiting for you."
The Data Plane (Port 9001): An ephemeral, high-speed pipe that opens only when traffic actually arrives.

By separating these, you ensure your tunnel doesn't hang when someone downloads a large file or triggers a heavy request.

Why Rust?

I chose Rust because I needed three things:

Memory Safety: Network programming is rife with buffer overflows and memory leaks. Rust’s borrow checker gives me total peace of mind.
Async Power: Using tokio, I can handle thousands of concurrent connections on a single thread.
Static Binaries: I wanted a tool that "just works" without needing to install a heavy runtime like Node.js or Python. Rust compiles down to a single binary I can drop on any server.

The Architecture Under the Hood

The system is built on three components:

The Server (EC2 + Nginx): My "Switchboard Operator." It maintains a registry of connected agents using an in-memory DashMap.
The Agent (CLI): A thin Rust binary that handles the tunneling and provides a real-time telemetry dashboard.
The Dashboard (SSE): My favorite part—I built a real-time monitoring dashboard in-process using Server-Sent Events (SSE) that lets me watch incoming requests in real-time.

Lessons Learned (The "Internet Background Noise")

The second I put this live on a public domain, I realized how loud the internet is. Within minutes, my Nginx logs were flooded with automated bots scanning for /robots.txt and .env files.

It was a wake-up call: When you build infrastructure, you don't just build an app—you build a digital perimeter. I had to quickly learn how to use fail2ban and secure my AWS Security Groups to ensure my infrastructure didn't become a playground for scanners.

Check it out!

The project is MIT-licensed, open-source, and—most importantly—totally free to self-host. You can install it with a one-liner:

curl -fsSL [https://macha.live/install.sh](https://macha.live/install.sh) | bash

Github