FAQ
Frequently asked questions about MekongTunnel.
General
Is MekongTunnel free?
Yes. The public hosted instance at mekongtunnel.dev is free to use. The server code is MIT licensed, so you can also self-host for free.
Do I need to create an account?
No. There is no account system. Connect and get a URL immediately.
How is this different from ngrok?
| | MekongTunnel | ngrok |
|---|---|---|
| Open source | Yes (MIT) | No (proprietary) |
| Account required | None | Required |
| Self-hostable | Yes | No |
| Custom domains | Yes (self-hosted) | Paid plan |
| Protocol | Standard SSH | Proprietary |
What protocols are supported?
HTTP, HTTPS, and WebSocket. Raw TCP tunneling is not currently supported.
Troubleshooting
"No output / connection hangs"
The -t flag is required when using raw SSH. Without it, no TTY is allocated and the server cannot display the URL:
# Wrong: hangs
ssh -R 80:localhost:8080 mekongtunnel.dev
# Correct
ssh -t -R 80:localhost:8080 mekongtunnel.dev
The mekong CLI handles this automatically.
"Host key verification failed"
Accept the host key on first connection:
Are you sure you want to continue connecting (yes/no)? yes
Or add -o StrictHostKeyChecking=no, which makes ssh accept unknown host keys without prompting (not recommended for production).
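An alternative to disabling the check is to pin the server's host key after comparing it with a fingerprint obtained out of band. The sketch below is an added example, not MekongTunnel code; the function names are hypothetical, the sample key is constructed, and it assumes the server operator publishes a SHA256 fingerprint (this page does not list one).

```python
import base64
import hashlib
import struct


def fingerprint(scan_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'host type base64-blob' line."""
    blob = base64.b64decode(scan_line.split()[2], validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_entry(scan_line: str, host: str, trusted_fp: str) -> str:
    """Return a known_hosts line only if the scanned key matches trusted_fp."""
    scanned_host, key_type, blob_b64 = scan_line.split()[:3]
    if scanned_host != host:
        raise ValueError(f"scan is for {scanned_host!r}, expected {host!r}")
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; it must
    # agree with the type named in the text line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match declared type")
    actual = fingerprint(scan_line)
    if actual != trusted_fp:
        raise ValueError(f"host key mismatch for {host}: got {actual}")
    return f"{host} {key_type} {blob_b64}"


def constructed_scan_line(host: str, fill: int) -> str:
    """Constructed sample: ed25519 wire format around a made-up 32-byte key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    host = "mekongtunnel.dev"
    seen = constructed_scan_line(host, 1)
    trusted = fingerprint(seen)  # stands in for the out-of-band fingerprint
    print(pinned_entry(seen, host, trusted))  # safe to append to known_hosts
    try:
        pinned_entry(constructed_scan_line(host, 2), host, trusted)
    except ValueError as err:
        print("rejected:", err)
```

In real use the input line would come from ssh-keyscan -t ed25519 for your server, and the returned line is appended to ~/.ssh/known_hosts so that StrictHostKeyChecking can stay at its default.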
"Connection refused on port 22"
# Check that the service is running
docker compose ps
# Check ports are open
sudo ss -tlnp | grep -E ':(22|80|443)'
sudo ufw status
"Certificate issues"
sudo certbot renew
sudo cp /etc/letsencrypt/live/yourdomain.com/*.pem data/certs/
docker compose restart
"Rate limit exceeded"
The public hosted instance allows up to 1,000 tunnels per IP with no connection rate limit. If you still hit a limit, self-host and tune MAX_TUNNELS_PER_IP, MAX_TOTAL_TUNNELS, and MAX_CONNECTIONS_PER_MINUTE in your .env.
"IP is temporarily blocked"
Auto-blocking is disabled by default since v1.4.8. If you see this message you are connecting to an older server or a self-hosted instance with auto-blocking enabled. Wait for the block to expire; the error message shows the remaining time. The mekong CLI will automatically stop retrying when blocked.
Self-Hosting
Do I need a wildcard TLS certificate?
Yes. Without a wildcard cert (*.yourdomain.com), the browser will show a certificate error for tunnel subdomains. Let's Encrypt issues wildcard certs for free via DNS challenge.
Can I run multiple instances?
Yes. Use different ports for each instance. See the Configuration docs.
How do I update?
git pull
make build-small
docker compose down && docker compose up -d
Technical
What is the subdomain format?
Subdomains are generated as adjective-noun-hex8 (e.g. happy-tiger-a1b2c3d4). They are memorable, unique, and URL-safe.
Can I request a specific subdomain?
No. As of v1.4.3, the --subdomain flag has been removed. Tunnels always receive a randomly generated URL (e.g. happy-tiger-a1b2c3d4).
Is WebSocket compression supported?
Not currently. WebSocket frames are proxied as-is without compression negotiation.
Where is the request log stored?
In foreground mode, logs are streamed to your terminal in real time and not persisted to disk.
In daemon mode (mekong -d <port>), all output, including the tunnel URL and request logs, is written to ~/.mekong/mekong.log.
You can read it with mekong logs, follow it live with mekong logs -f, or filter it by local port with mekong logs 3000. Running mekong stop 3000 clears old log lines for that port, and mekong stop --all clears the daemon log file.
