ngrok invented the category and is genuinely great. We built 21tunnel because we wanted the same developer experience on our own infra, open-source end-to-end, without per-request fees and without reserving custom domains behind a $10/mo paywall. Here's the straight comparison, facts only.
ngrok is the right call when you're solo-hacking and their free tier limits don't bite. We're the right call when you want more generous limits, per-tenant RBAC, or you want to run the whole thing yourself — for free, forever.
Everything below is a documented fact as of April 2026. If any row is wrong — ngrok's pricing changed, we missed a feature — email hey@21tunnel.com and we'll fix it.
| 21tunnel | ngrok | |
|---|---|---|
| Open-source agent 1 | MIT + Apache-2.0 | Open-source agent only; control plane proprietary |
| Open-source server | ||
| Self-hostable | ||
| Multi-tenant dashboard | single-tenant your data lives on their infra | |
| Language | Rust | Go |
| Transport | TLS 1.3 + yamux / TCP | TLS / QUIC |
| Reserved custom domain (free tier) | ||
| Request cap on free tier 2 | unlimited | 40 tunnels/min per their public plan limits |
| Concurrent tunnels (free) | 3 | 1 |
| TOTP MFA | free, all tiers | paid tiers |
| RBAC (owner/admin/member/viewer) | free, all tiers | enterprise tier |
| Audit log | all tiers | paid tiers |
| Webhook signature verification | pro+ | paid tiers |
| Per-request fees | varies bandwidth + overage pricing on paid tiers | |
| Source on GitHub | github.com/vikasswaminh/21tunnel | github.com/ngrok/ngrok (agent only) |
21tunnel's SaaS pricing is built to undercut every public ngrok tier. Self-host is always free. Migration from ngrok is a one-line config change.
| 21tunnel | ngrok (published) | |
|---|---|---|
| Hobby / personal | $0 3 tunnels, 50 GB/mo, 1 custom domain | Free plan 1 tunnel, ephemeral subdomain |
| Starter paid tier | $5/mo Pro 20 tunnels, 250 GB/mo, webhook verify, 3 domains | ~$10/mo Personal their published starter tier |
| Per-user team tier | $15/user/mo Team unlimited tunnels, SSO, RBAC | ~$20/user/mo Pro their published team tier |
| Self-host | $0 forever your VM, your Postgres, MIT | no self-host option |
| Enterprise | Custom · BYOC · SCIM · SLA | Custom |
We're shipping ngrok compat shims so your existing
.ngrok.yml and CI scripts keep working. Here's
what the everyday commands look like side-by-side.
# expose a local port
ngrok http 3000
# with a reserved domain
ngrok http 3000 --domain=api.company.ngrok.app
# TCP tunnel
ngrok tcp 22
# config file
# ~/.ngrok/ngrok.yml
authtoken: 2a...
tunnels:
api:
proto: http
addr: 3000
domain: api.company.ngrok.app# exact same ergonomics
tunnel21 http 3000
# reserved domain — free tier
tunnel21 http 3000 --domain=api.21tunnel.app
# TCP tunnel
tunnel21 tcp 22
# same config format, --ngrok-compat reads ngrok.yml
tunnel21 --ngrok-compat
# or use our native TOML
# ~/.21tunnel/config.toml
authtoken = "eyJ..."
[tunnels.api]
proto = "http"
addr = 3000
domain = "api.21tunnel.app"Bulk migration. Run tunnel21 import --from-ngrok to auto-pull your reserved domains + agent tokens from ngrok's API into an equivalent 21tunnel account. No DNS changes needed if you stay on our subdomain; one CNAME if you bring your own.
For 90% of use cases, yes. ngrok http 3000 becomes
tunnel21 http 3000. Config files migrate with
--ngrok-compat. The specific features we don't
have yet: a dedicated Kubernetes Operator (on the roadmap),
some of the deeper traffic-policy connectors, and a handful of
ngrok's enterprise-only agent flags. If any of those are
load-bearing for you, stay on ngrok; we'll tell you when
parity lands.
Yes — that's the main reason we exist. The server is one Rust binary, the dashboard is a static Next.js export, the database is Postgres. The self-host guide walks through the four commands. Your users' traffic never touches our infrastructure.
Fair. We're newer, and we're up-front about it —
MVP-stage, ~5,000 lines of Rust with every unwrap,
panic, and todo! as a deny-level
lint, and #![forbid(unsafe_code)] at the crate
root. Auth is argon2id + JWT + optional TOTP MFA + rotating
refresh tokens with theft detection. The build log
walks through the architecture. Use it knowing it's early;
self-host it when you want the audit trail in your own hands.
Self-host is the hedge: the whole stack is MIT + Apache-2.0, on GitHub, runnable without our cloud. If we ever raise prices past what you're comfortable with, you fork the repo and host it yourself. There's no vendor lock-in because the source is the product.
On our hosted tier, yes for the inspector — that's how request replay works. You can disable body logging per-tunnel in the dashboard, or run in end-to-end TLS passthrough where we route without decrypting. Self-host and the question doesn't even come up: you operate the inspector, we never see anything.
Keep ngrok running. Point one tunnel at us as a test. If it's worse, you've lost five minutes. If it's better, you've cut your bill in half.