fxTunnel vs Tailscale vs ZeroTier — 2026 Compared

Q: What is the difference between fxTunnel and Tailscale?

fxTunnel is a tunneling tool that gives your localhost a public URL in 30 seconds — ideal for webhooks, demos, and exposing local services. Tailscale is a mesh VPN that creates a private network between your devices — ideal for secure device-to-device access. fxTunnel is free with no limits, open source, and supports HTTP, TCP, and UDP tunnels. Tailscale's free tier is limited to 3 users and 100 devices.

Q: Is fxTunnel a Tailscale alternative?

fxTunnel and Tailscale solve different problems. fxTunnel replaces ngrok and Cloudflare Tunnel for exposing local services to the internet. Tailscale replaces traditional VPNs for connecting devices in a private network. If you need a public URL for webhooks, demos, or API testing, fxTunnel is the right tool. If you need device-to-device connectivity without public exposure, Tailscale is better.

Q: Can ZeroTier replace a tunnel like fxTunnel?

Not directly. ZeroTier creates a virtual private LAN between devices but does not provide public URLs or HTTPS endpoints. To expose a local service to the internet with ZeroTier, you still need a reverse proxy on a public server. fxTunnel gives you a public HTTPS URL with a single command — no extra infrastructure required.

Q: Which is cheaper — fxTunnel, Tailscale, or ZeroTier?

fxTunnel's free tier has no limits on traffic, connections, or tunnels. Paid plans start at $5/mo for custom domains, traffic inspector, and replay. Tailscale's free Personal plan supports up to 3 users and 100 devices; paid plans start at $6/user/mo. ZeroTier is free for up to 25 devices; paid plans start at $10/mo for 25+ nodes. For development tunneling, fxTunnel is the most cost-effective.

Q: Which tool supports HTTP, TCP, and UDP?

fxTunnel supports HTTP, TCP, and UDP tunnels out of the box. Tailscale routes all IP traffic (TCP and UDP) within its mesh network but does not create public URLs or HTTP tunnels. ZeroTier operates at Layer 2 and supports all IP traffic within the virtual network but similarly has no tunneling or public endpoint features.

Why Compare fxTunnel, Tailscale, and ZeroTier

The names fxTunnel, Tailscale, and ZeroTier keep appearing in the same conversations, even though they solve fundamentally different problems. Choosing the wrong tool leads to wasted time, unnecessary complexity, or paying for features you do not need.

This article breaks down the differences so you can make an informed choice. Need to expose localhost to the internet for webhook testing, demos, or API development? That is what fxTunnel is built for. Need a private mesh VPN to connect devices securely? Tailscale or ZeroTier may be what you want. Understanding the distinction is the first step.

We also have comparisons with ngrok and Cloudflare Tunnel and an overview of the tunneling tools landscape in 2026.

Tunneling vs Mesh VPN — Key Concepts

Before comparing features, it is essential to understand the architectural difference between tunneling tools and mesh VPNs. They operate at different layers and serve different purposes.

What Is a Tunnel

A tunnel creates a public endpoint (URL or port) that routes internet traffic to a service running on your local machine. The key characteristic: traffic flows from the public internet to your localhost. This is what you need for webhook development, sharing demos, testing OAuth callbacks, and exposing local APIs.

fxTunnel is a tunneling tool. You run fxtunnel http 8080, and you get a public HTTPS URL like https://abc123.fxtun.dev that points to your local port 8080. No server, no DNS configuration, no firewall rules.

What Is a Mesh VPN

A mesh VPN creates a private, encrypted network between your devices. Every device gets a private IP address, and they can communicate directly — as if they were on the same LAN. Traffic stays private; there is no public endpoint.

Tailscale and ZeroTier are mesh VPNs. They connect your laptop, server, NAS, and cloud VMs into a single virtual network. Great for accessing a home server from work, connecting office branches, or administering remote infrastructure.

The Critical Distinction

Aspect	Tunneling (fxTunnel)	Mesh VPN (Tailscale, ZeroTier)
Purpose	Expose local services to the public internet	Connect devices in a private network
Traffic direction	Internet → localhost	Device ↔ device (private)
Public URL	Yes (HTTPS, TCP, UDP endpoints)	No
Use case	Webhooks, demos, API testing, development	Remote access, device management, internal tools
Requires other devices	No — works with a single machine	Yes — needs 2+ devices in the network

Overview of Each Tool

fxTunnel — Open-Source Tunneling Tool

fxTunnel is an open-source tunneling tool written in Go. It creates public endpoints for local services — HTTP, TCP, and UDP. Install, run one command, and your local server is accessible from the internet in 30 seconds.

Strengths:

Free tier — no limits on traffic, connections, tunnels, or agents.
Fully open source — source code on GitHub. Full security audit possible.
HTTP + TCP + UDP — supports all three protocols out of the box.
Simple CLI — one command to start. No registration required for the free tier.
Traffic inspector + replay — web UI for inspecting and replaying requests (from $5/mo).
Custom domains — works with any DNS provider (from $5/mo).
Self-hosting — deploy the server component on your own VPS if needed.

Limitations:

Younger project — ecosystem and documentation still growing compared to established tools. Actively developed.

# Install fxTunnel
curl -fsSL https://fxtun.dev/install.sh | bash

# Or via Go
go install github.com/mephistofox/fxtun.dev/cmd/fxtunnel@latest

# HTTP tunnel — public HTTPS URL in seconds
fxtunnel http 8080

# TCP tunnel (e.g., PostgreSQL)
fxtunnel tcp 5432

# UDP tunnel (e.g., game server)
fxtunnel udp 27015

# Custom domain (paid plan)
fxtunnel http 8080 --domain myapp.example.com

Tailscale — Mesh VPN Built on WireGuard

Tailscale is a mesh VPN that creates a private network between your devices using the WireGuard protocol. Founded in 2019, it has become one of the most popular VPN solutions for teams and individuals who need secure device-to-device access.

Strengths:

WireGuard-based — fast, modern, well-audited encryption protocol.
Zero-config networking — devices find each other automatically via coordination server.
NAT traversal — works behind most firewalls and NATs without port forwarding.
MagicDNS — automatic DNS names for devices (e.g., laptop.tail1234.ts.net).
ACLs — fine-grained access control policies for device-to-device communication.
Exit nodes — route internet traffic through a specific device in your network.
Subnet routing — expose an entire subnet through a single Tailscale node.

Limitations:

Not a tunneling tool — Tailscale does not create public URLs. You cannot use it to expose localhost to the internet for webhooks or demos without additional setup.
Coordination server is proprietary — the client is open source, but the coordination server is not. You depend on Tailscale Inc.’s infrastructure (Headscale is a third-party open-source alternative).
Free tier limits — 3 users, 100 devices on the Personal plan. Paid plans start at $6/user/mo.
No traffic inspector — no built-in way to inspect or replay HTTP requests.
Requires installation on all devices — every device that joins the network needs the Tailscale client.

# Install Tailscale (Linux)
curl -fsSL https://tailscale.com/install.sh | sh

# Start and authenticate
sudo tailscale up

# Check status
tailscale status

# Access another device in your Tailscale network
ssh user@my-server.tail1234.ts.net

# Share a device with another user
tailscale share my-server user@example.com

# Use Tailscale Funnel to expose a port publicly (limited)
tailscale funnel 8080

Note on Tailscale Funnel: Tailscale does offer a feature called Funnel that can expose a local service publicly. However, it requires HTTPS, only supports HTTP/HTTPS and TCP, is limited to ports 443, 8443, and 10000, and requires an active Tailscale account. It is not a general-purpose tunneling tool.

ZeroTier — Virtual Network Layer

ZeroTier is a software-defined networking tool that creates virtual Layer 2 Ethernet networks. Think of it as creating a virtual LAN switch that connects devices anywhere in the world. It is more flexible than Tailscale at the network layer but also more complex.

Strengths:

Layer 2 networking — operates at the Ethernet level, supporting any protocol that works over Ethernet (including multicast, broadcast).
Self-hosting possible — the controller (moon/planet) can be self-hosted for full independence.
Cross-platform — runs on Linux, macOS, Windows, BSD, and even embedded devices.
Network rules engine — powerful flow rules for fine-grained traffic control.
Bridging — can bridge physical and virtual networks together.
Large community — established project with active development since 2014.

Limitations:

Not a tunneling tool — like Tailscale, ZeroTier does not create public URLs or HTTP endpoints. It only connects devices privately.
More complex setup — creating networks, authorizing members, and configuring routes requires more steps than Tailscale.
Free tier limited to 25 devices — paid plans start at $10/mo for additional nodes.
No traffic inspector — no built-in HTTP inspection or replay.
Higher latency than Tailscale — uses its own protocol instead of WireGuard, which can be slower in some scenarios.
Partially proprietary — the client is open source (BSL), but the commercial controller and hosted infrastructure are proprietary.

# Install ZeroTier (Linux)
curl -s https://install.zerotier.com | sudo bash

# Join a network
sudo zerotier-cli join <NETWORK_ID>

# Check status
sudo zerotier-cli status

# List joined networks
sudo zerotier-cli listnetworks

# Authorize a member (via ZeroTier Central or API)
curl -X POST "https://api.zerotier.com/api/v1/network/<NETWORK_ID>/member/<MEMBER_ID>" \
  -H "Authorization: token YOUR_API_TOKEN" \
  -d '{"config": {"authorized": true}}'

Full Comparison Table: fxTunnel vs Tailscale vs ZeroTier

Here is how the three tools compare across the dimensions that matter most. fxTunnel covers development tunneling: public URLs, all protocols, open source. Tailscale excels at device-to-device connectivity with WireGuard. ZeroTier offers the most flexible virtual networking at Layer 2.

Criterion	fxTunnel	Tailscale	ZeroTier
Category	Tunneling tool	Mesh VPN	Virtual network (SDN)
Primary use case	Expose localhost to internet	Private device-to-device access	Virtual LAN between devices
Public URLs	Yes (HTTPS, TCP, UDP)	Limited (Funnel, HTTPS only)	No
Protocols	HTTP, TCP, UDP	All IP (within mesh)	All Ethernet (within mesh)
Setup time	~30 seconds	~2 minutes	~5 minutes
Free tier	No limits	3 users, 100 devices	25 devices
Paid plans	From $5/mo	From $6/user/mo	From $10/mo
Open source	Fully (client + server)	Client only (Headscale as alt)	Client (BSL), controller proprietary
Traffic inspector	Yes (from $5/mo)	No	No
Request replay	Yes (from $5/mo)	No	No
Custom domains	Yes (any DNS, from $5/mo)	Tailscale DNS only	No
Self-hosting	Yes (full server)	Via Headscale (third-party)	Yes (moon/planet)
NAT traversal	Built-in (relay server)	Built-in (WireGuard + DERP)	Built-in (root servers)
Encryption	TLS	WireGuard (Noise protocol)	256-bit AES
Requires account	No (free tier)	Yes	Yes

Architectural Comparison

Understanding how each tool works under the hood helps you choose the right one and anticipate its limitations.

fxTunnel Architecture

fxTunnel uses a client-server model. The client on your machine establishes an outbound connection to the fxTunnel relay server. The relay server allocates a public endpoint (URL or port) and forwards incoming traffic to your client, which routes it to your local service. The fxTunnel architecture article explains the internals in depth.

Internet → fxTunnel relay server → fxTunnel client → localhost:8080

This model means: no inbound firewall rules, no port forwarding, no DNS changes. One command, and you are live.

Tailscale Architecture

Tailscale uses a coordination server to exchange WireGuard keys between devices. Once keys are exchanged, devices communicate directly over encrypted WireGuard tunnels. If direct connections fail (due to NAT), traffic is relayed through Tailscale’s DERP (Designated Encrypted Relay for Packets) servers.

Device A ←→ WireGuard tunnel ←→ Device B
         (via DERP relay if needed)

The coordination server is proprietary (though Headscale is a community alternative). All data traffic is end-to-end encrypted — Tailscale cannot read it.

ZeroTier Architecture

ZeroTier creates a virtual Ethernet switch in software. Devices join a virtual network by its ID, authenticate via the controller (hosted or self-hosted), and establish encrypted peer-to-peer connections. ZeroTier operates at Layer 2, so devices on the same virtual network see each other as if connected to the same Ethernet switch.

Device A ←→ ZeroTier virtual switch ←→ Device B
         (peer-to-peer or relayed)

The controller manages network membership and authorization. Traffic flows directly between peers when possible; otherwise, it is relayed through ZeroTier’s root servers.

Cost Comparison Table

Cost is often the deciding factor. Below is a breakdown of real-world scenarios and what each tool costs.

Scenario	fxTunnel	Tailscale	ZeroTier
Solo developer, basic use	$0 (no limits)	$0 (1 user, 100 devices)	$0 (up to 25 devices)
Team of 5, tunneling	$0	Not applicable (no tunneling)	Not applicable (no tunneling)
Team of 5, private networking	Not applicable (not a VPN)	$30/mo (5 × $6/user)	$10/mo (Essential plan)
Custom domain	From $5/mo (any DNS)	N/A (Tailscale DNS only)	N/A
Up to 5 tunnels + inspector	From $5/mo	N/A	N/A
10+ simultaneous tunnels	From $10/mo	N/A	N/A
100+ devices in private network	N/A	$6/user/mo	$10-49/mo
Self-hosted (full control)	$0 (open source)	$0 (Headscale)	$0 (self-hosted controller)
Annual cost, solo dev tunneling	$0-60/year	Not designed for this	Not designed for this

For tunneling during development, fxTunnel is the most cost-effective option. Tailscale and ZeroTier pricing applies to their respective VPN use cases.

Decision Matrix: Which Tool for Which Scenario

The right tool depends entirely on your use case. Here are specific recommendations.

Choose fxTunnel — for development and tunneling:

Webhook testing (Stripe, GitHub, Telegram) — public HTTPS URL in 30 seconds, one command, no sign-up.
Client or team demos — share a readable URL, no infrastructure setup, no VPN installation on the viewer’s side.
OAuth callback development — HTTPS localhost URL that works with OAuth providers.
API development and testing — expose your local API server for mobile apps, partners, or CI pipelines.
TCP use cases (databases, SSH, remote debugging) — fxtunnel tcp 5432 and you are connected.
UDP use cases (game servers, VoIP, IoT) — the only tool of the three with UDP tunnel support.
Request debugging — traffic inspector with replay from $5/mo. Neither Tailscale nor ZeroTier offer this.
Docker container exposure — tunnel to services running in Docker without port mapping to the host.
Maximum transparency — fully open source, audit every line of code.

Choose Tailscale — for private device networking:

Remote access to home/office servers — SSH into your home NAS or office machine from anywhere without port forwarding.
Connecting cloud and on-premise infrastructure — link AWS, GCP, or Azure VMs to your office network seamlessly.
Team internal tools — make Grafana, Jenkins, or internal APIs accessible only to team members.
Exit nodes — route your internet traffic through a trusted device for privacy or geo-access.
Simple setup — if you want WireGuard-level security without WireGuard-level configuration.

Choose ZeroTier — for advanced virtual networking:

Multi-site connectivity — connect multiple offices or data centers into a single virtual LAN.
IoT device management — manage fleets of embedded devices on a virtual network.
Gaming LAN parties — create a virtual LAN for LAN-only multiplayer games.
Network lab and testing — simulate complex network topologies with flow rules.
Layer 2 requirements — if you need broadcast, multicast, or Ethernet-level features.

When Tools Overlap

There are edge cases where you might use multiple tools together:

fxTunnel + Tailscale — use Tailscale for private device access and fxTunnel for exposing specific services publicly during development.
fxTunnel + ZeroTier — connect devices via ZeroTier for private communication, use fxTunnel when you need a public URL for a webhook or demo.

These tools are complementary, not competitive. The overlap is minimal.

Security Comparison

Security architecture differs significantly between these tools because they solve different problems.

Aspect	fxTunnel	Tailscale	ZeroTier
Encryption	TLS (tunnel to relay)	WireGuard (end-to-end)	AES-256 (end-to-end)
Public exposure	Yes (by design — that is the point)	No (private by default)	No (private by default)
Code audit	Full (open source)	Partial (client only)	Partial (client BSL)
Self-hosting	Full server component	Via Headscale (third-party)	Controller only
Zero Trust support	N/A (tunneling, not VPN)	Yes (ACLs, device identity)	Yes (network rules)
Auth for tunnels	Optional (paid plans)	N/A	N/A

An important nuance: public exposure is not a security flaw for fxTunnel — it is the purpose. When you need to receive a webhook from Stripe, the endpoint must be publicly reachable. fxTunnel provides that with TLS encryption. Tailscale and ZeroTier keep everything private, which is great for internal access but useless for webhooks.

We cover the encryption model in detail in TLS 1.3 and Tunnel Security.

Setup Complexity Compared

How quickly can you go from zero to a working setup? This matters for developers who want to get things done, not spend time configuring.

fxTunnel — 30 seconds

# One-line install
curl -fsSL https://fxtun.dev/install.sh | bash

# Start a tunnel — done
fxtunnel http 8080
# Output: https://abc123.fxtun.dev → localhost:8080

No account creation, no configuration files, no DNS changes. One command, and your local service has a public URL.

Tailscale — 2 minutes

# Install
curl -fsSL https://tailscale.com/install.sh | sh

# Authenticate (opens browser for login)
sudo tailscale up

# Check your Tailscale IP
tailscale ip -4
# Output: 100.x.y.z

# Access from another Tailscale device
ssh user@100.x.y.z

Requires account creation and authentication. Each device that needs access must have Tailscale installed. The setup is simple but requires more steps than fxTunnel.

ZeroTier — 5 minutes

# Install
curl -s https://install.zerotier.com | sudo bash

# Create a network (via ZeroTier Central web UI or API)
# Get a network ID like: 8056c2e21c000001

# Join the network
sudo zerotier-cli join 8056c2e21c000001

# Authorize the member (via ZeroTier Central web UI)
# ...wait for authorization...

# Check assigned IP
sudo zerotier-cli listnetworks
# Output: 200 ... OK PRIVATE 10.147.17.x/24

Requires account creation, network creation via a web UI, joining the network, and authorizing members — a multi-step process that takes 5+ minutes even for experienced users.

Protocol Support Deep-Dive

Protocol support is where the tools differ most, because they serve different purposes.

Protocol	fxTunnel	Tailscale	ZeroTier
HTTP/HTTPS	Yes (public URL)	Internal only	Internal only
TCP	Yes (public port)	Yes (within mesh)	Yes (within mesh)
UDP	Yes (public port)	Yes (within mesh)	Yes (within mesh)
Public endpoint	Yes	Funnel only (limited)	No
Layer	Application / Transport	Network (Layer 3)	Data Link (Layer 2)

fxTunnel creates public endpoints for HTTP, TCP, and UDP — accessible from anywhere on the internet. This is essential for webhooks, API testing, and demos.

Tailscale and ZeroTier support TCP and UDP within their private networks, but traffic is only accessible to devices that have joined the network. There is no public URL or public port for external services to reach.

The TCP/UDP Tunneling Explained article goes deeper into protocol-level differences.

Real-World Scenarios

Scenario 1: Stripe Webhook Development

You are building a payment integration and need Stripe to send webhook events to your local server.

fxTunnel — perfect fit:

fxtunnel http 3000
# Copy the URL https://wh-xyz.fxtun.dev/webhook into Stripe Dashboard
# Events arrive at localhost:3000/webhook instantly

Tailscale — wrong tool. Stripe cannot reach a Tailscale private IP. You would need Tailscale Funnel, which is limited to specific ports and requires an account.

ZeroTier — wrong tool. Same problem — ZeroTier IPs are private and not reachable from Stripe’s servers.

Scenario 2: Accessing a Home Server Remotely

You want to SSH into your home server from a coffee shop without opening ports on your router.

Tailscale — perfect fit:

# On home server and laptop: install Tailscale and run tailscale up
# From the coffee shop:
ssh user@home-server.tail1234.ts.net

ZeroTier — also works well:

# Both devices join the same ZeroTier network
ssh user@10.147.17.5

fxTunnel — usable but not ideal. You could run fxtunnel tcp 22 on the home server and SSH to the public endpoint, but this exposes your SSH port to the internet. For private access, a mesh VPN is more appropriate.

Scenario 3: Team Demo for a Client

You want to show your React app running on localhost to a client across the country.

fxTunnel — perfect fit:

fxtunnel http 3000
# Send the URL to your client — they open it in a browser, done

Tailscale — impractical. Your client would need to install Tailscale, create an account, and join your network. Too much friction for a quick demo.

ZeroTier — same problem as Tailscale. Not suitable for sharing with external users.

Scenario 4: Multi-Office Network

You need to connect three office locations into a single private network for internal services.

ZeroTier — excellent fit. Create a virtual network, install ZeroTier on devices in each office, and they can communicate as if on the same LAN.

Tailscale — also works well, especially with subnet routing to expose entire office subnets.

fxTunnel — wrong tool. fxTunnel creates public endpoints for individual services, not private networks between offices.

Performance Comparison

Performance characteristics differ because the tools work at different levels.

Factor	fxTunnel	Tailscale	ZeroTier
Additional latency	+15-60 ms (relay)	+1-5 ms (direct P2P)	+5-20 ms (direct P2P)
Throughput	No limits (free tier)	Near wire speed (P2P)	Near wire speed (P2P)
Connection model	Client → relay → internet	Peer-to-peer (direct)	Peer-to-peer (direct)
Relayed latency	+15-60 ms	+50-150 ms (via DERP)	+30-100 ms (via root)

Tailscale and ZeroTier have lower latency when direct peer-to-peer connections succeed, because traffic does not pass through a relay. However, when NAT traversal fails and traffic is relayed, latency increases significantly.

fxTunnel’s relay-based architecture provides consistent latency regardless of NAT configuration. For development use cases (webhook testing, demos, API development), +15-60 ms is imperceptible.

Bottom Line: Which Tool to Choose in 2026

fxTunnel, Tailscale, and ZeroTier are excellent tools — for different problems. Choosing between them is not about which is “better” overall, but which matches your specific needs.

fxTunnel – the best option for exposing local services to the internet. Free tier, open source, HTTP + TCP + UDP tunnels, traffic inspector with replay from $5/mo, setup in 30 seconds. Choose fxTunnel for webhook testing, demos, API development, and any scenario where you need a public URL for your localhost.
Tailscale — the go-to consumer-friendly mesh VPN. WireGuard-based, zero-config, excellent NAT traversal. Choose Tailscale for private device-to-device access, remote server management, and connecting team infrastructure.
ZeroTier — the most flexible virtual networking tool. Layer 2, powerful flow rules, self-hostable controller. Choose ZeroTier for multi-site networking, IoT device fleets, gaming LANs, and advanced network topologies.

If your use case is development – webhooks, demos, API testing, Docker container exposure – fxTunnel is a strong fit:

# Install and launch in 30 seconds
curl -fsSL https://fxtun.dev/install.sh | bash
fxtunnel http 8080

FAQ

If you are new to tunneling in general, our what is tunneling explainer is a good starting point. The tunneling tools 2026 overview covers the broader landscape.

What is the difference between fxTunnel and Tailscale?

They solve different problems. fxTunnel is a tunneling tool – it gives your localhost a public URL so external services, teammates, and mobile devices can reach it. Tailscale is a mesh VPN that connects your devices in a private encrypted network. fxTunnel is open source with an unrestricted free tier supporting HTTP, TCP, and UDP tunnels. Tailscale’s free plan caps at 3 users and 100 devices.

Is fxTunnel a Tailscale alternative?

Not really – they serve different needs. fxTunnel sits in the same category as ngrok and Cloudflare Tunnel: exposing local services to the public internet. Tailscale replaces traditional VPNs for private device-to-device connectivity. If you need a public URL (webhooks, demos, API testing), reach for fxTunnel. If you need secure access between your own devices without public exposure, Tailscale is the better fit.

Can ZeroTier replace a tunnel like fxTunnel?

Not out of the box. ZeroTier creates a virtual private LAN between devices, but it does not generate public URLs or HTTPS endpoints. If you want to expose a local service to the internet through ZeroTier, you still need to set up a reverse proxy on a public server. fxTunnel gives you a public HTTPS URL with a single command and no additional infrastructure.

Which is cheaper – fxTunnel, Tailscale, or ZeroTier?

For tunneling, fxTunnel’s free tier covers traffic, connections, and tunnels without caps. Paid plans start at $5/mo for custom domains, the traffic inspector, and replay. Tailscale’s free Personal plan allows up to 3 users and 100 devices, with paid plans from $6/user/mo. ZeroTier is free up to 25 devices, with paid plans from $10/mo. For exposing local services during development, fxTunnel is the most economical.

Which tool supports HTTP, TCP, and UDP?

fxTunnel handles all three protocols as tunnels with public endpoints. Tailscale carries TCP and UDP within its mesh but does not expose public URLs or offer HTTP-level tunnels. ZeroTier works at Layer 2 and supports any IP traffic inside the virtual network, but likewise has no public endpoint or tunneling feature.