ANNOUNCEMENT: tunnel consent page now requires the tunnel creator's public IP in order to access tunnel content.

[TheBoroer]

Hey everyone,
It saddens me to be forced to add yet another annoying thing to the public localtunnel server but...

As of 2 minutes ago, all tunnels now require a real user to enter the endpoint IP address (which acts like your tunnel link's password) on the consent page.

Showing and having the users click a continue button in order to access the tunnel content didn't really do too much to fight of people hosting phishing portals via localtunnel. I've also been getting an enormous amount of phishing/abuse notices from various organizations worldwide, forwarded notices from my hosting provider, and even have been put on notice that I will be responsible for costs related to removing IPs from various IP blacklists...

I'm currently building an abuse reporting tool for these orgs to use that'll automate banning users hosting phishing portals but until that's built & tested this new password-protection way of abuse fighting will have to do.

Sorry for any inconvenience...

PS. If localtunnel doesn't work for your use case for whatever reason, feel free to checkout other alternatives like https://ngrok.io

---

If anyone has any other suggestions on easy ways to fight phishing/malware portals from using this service, i'm all ears!

[Yggdrasil777]

Ummm... I use this through Paperspace, not a local computer. Any ideas on how I would get the information needed so that I can continue generating my pictures?

[TheBoroer]

hey @Yggdrasil777, that's an interesting use-case...
I've never used paperspace so i'll have to play with it to see if you're able to get the public ip address from there.
If you have access to a terminal there you can get the IP address by running:

curl ipv4.icanhazip.com

or if you like wget better:

wget -q -O - ipv4.icanhazip.com

lmk if that helps you out!

[Yggdrasil777]

Yes, that helped. I am in. Thank you for the command. I couldn't find it anywhere, have been searching since I made the comment. Kinda stopped my UE5 thing looking for the solution. The terminal helped.
curl ipv4.icanhazip.com

[TheBoroer]

Hey @hamnv,
Do you have access to a terminal running on colab notebook?
If yes, please run the commands in my previous comment above and you should be able to get the IP address of whatever instance your colab project is running on.

[uriariel]

Is the code of the server is open source and updated?

[FabianSilva]

Hello, I tried to use localtunnel, I put the public IP and it doesn't work, there is another alternative to validate?

[Atlinx]

Hey all, I'm hitting the same problem as well -- entering the public IP doesn't work.

[hamnv]

Code in python:
print("Password/Enpoint IP for localtunnel is:",urllib.request.urlopen('https://ipv4.icanhazip.com').read().decode('utf8').strip("\n"))

[TheBoroer]

@FabianSilva and @Atlinx

Are you running the client locally or on a remote server?
Are you entering in your public ip ipv4 (i believe the server only supports ipv4 at the moment)?

There's no other way to validate unless you run a firefox/chrome extension to add a specific header to all requests to bypass the consent page for you locally.

[TheBoroer]

Is the code of the server is open source and updated?

Yup the code for the server part of localtunnel is opensourced (https://github.com/localtunnel/server)
It's pretty up to date, with some outstanding PRs I think. It's easy to run your own fork on any domain you control and I highly recommend running a private one yourself.

The version running on the public localtunnel server is slightly more modified with the consent page middleware and not publically available (because abusers would just read the code and circumvent what I've implemented)

[Atlinx]

Hey @TheBoroer, I'm using the ip listed in the ipconfig. I also tried using the IP from a "whats my IP" search on google, and that didn't work either.

I'm hosting locally on a Windows machine and I need to test the site from mobile devices. I initially tried directly connecting to my computer's private IP address, but that didn't work so I ended up using localtunnel to access the site from my phone. The alternative of using extensions to pass a header probably won't work for me since I'm using mobile devices.

[ferasAbdulazem]

entering the public IP doesn't work. and my webhooks are now broken anyway thanks to this :(

[TheBoroer]

Hey @TheBoroer, I'm using the ip listed in the ipconfig. I also tried using the IP from a "whats my IP" search on google, and that didn't work either.

I'm hosting locally on a Windows machine and I need to test the site from mobile devices. I initially tried directly connecting to my computer's private IP address, but that didn't work so I ended up using localtunnel to access the site from my phone. The alternative of using extensions to pass a header probably won't work for me since I'm using mobile devices.

Can you try to just go to ipv4.icanhazip.com in a browser on that Windows machine and enter that IP into your tunnel? The IP listed in iponfig won't work because it's highly likely its a LAN IP that's shown there.

If you happen to have a dual WAN setup (two internet connections) then that might cause issues. Let me think of an alternative to using the endpoint IP as a password (but not breaking backwards compatibility with older localtunnel clients) 🤔

[TheBoroer]

entering the public IP doesn't work. and my webhooks are now broken anyway thanks to this :(

Sorry for breaking stuff for you 😔
Was the public IP you entered ipv4 or IPv6?

[TheBoroer]

Btw if anyone of you guys wanna do some one on one troubleshooting, dm me on Twitter! @TheBoroer

[Atlinx]

Using the ip from ipv4.icanhazip.com also doesn't work, unfortunately. I'm using ngrok as a workaround for now.

[TheBoroer]

Using the ip from ipv4.icanhazip.com also doesn't work, unfortunately. I'm using ngrok as a workaround for now.

Can you please send me your tunnel subdomain and the first and last digits of your IP? I can check to see what IP it saved in the db for you.

I would love to troubleshoot this issue and see if it's something i can workaround or fix

[FabianSilva]

my case: https://fabian-development.loca.lt -> 190.210.192.113
doesn't work
I tried also to create tunnel with another IP (I have another ISP providers/connections to test) and none of them works

[felix068]

doesn't work
entering the public IP doesn't work

[TheBoroer]

hey @felix068, can you please let me know:

• what localtunnel version you're using (lt --version should print out the version)
• if your network has multiple internet connections (e.g. sometimes schools or offices have dual WAN/internet setups that load balances)

[TheBoroer]

my case: https://fabian-development.loca.lt -> 190.210.192.113 doesn't work I tried also to create tunnel with another IP (I have another ISP providers/connections to test) and none of them works

hey @FabianSilva I don't even see that tunnel in the tunnels db 🤔 that's probably why it's not working. Could you please let me know what lt client version you're using (lt --version)

[felix068]

hey @felix068, can you please let me know:

• what localtunnel version you're using (lt --version should print out the version)
• if your network has multiple internet connections (e.g. sometimes schools or offices have dual WAN/internet setups that load balances)

@TheBoroer
my version is 2.0.2, I'm only on 1 network (it's a home network) when I type my ip it tells me that it's not valid but I'm sure that's my public ip
and I specify that it is a pity that the password must necessarily be the public ip, because my use is precisely to hide my ip ... so if I have to give my ip to hide it ... I would prefer to put a password or random password

[TheBoroer]

hey @felix068, can you please let me know:

• what localtunnel version you're using (lt --version should print out the version)
• if your network has multiple internet connections (e.g. sometimes schools or offices have dual WAN/internet setups that load balances)

@TheBoroer my version is 2.0.2, I'm only on 1 network (it's a home network) when I type my ip it tells me that it's not valid but I'm sure that's my public ip and I specify that it is a pity that the password must necessarily be the public ip, because my use is precisely to hide my ip ... so if I have to give my ip to hide it ... I would prefer to put a password or random password

hmm i'll have to troubleshoot this further...

I would have loved to do a randomized password for all tunnels but I don't have permissions to push a new client version to npm plus it needs to also be backwards compatible with older clients. so that's the constraints im working within when coming up with a solution. I'm still evaluating other password-like ways of stopping unsuspecting users from entering phishing portals but for now the endpoint IP is the easiest...i'll just have to figure out why some users (like you) aren't able to access their tunnels 🤔

I dislike having to enforce password protection in general but the endpoint IP was the only thing I could use that's unique per tunnel endpoint AND could be backwards compatible with older versions of localtunnel (i don't have npm publish permissions atm so I can't even publish updated clients).

About leaking your ip, your IP was always being exposed even before this recent change via special localtunnel http headers. Ngrok also exposes the tunnel endpoint's real IPs via ngrok-agent-ips headers and subdomains (more info under Anonymity here). I implemented that too so that IT security organizations know which ISP to alert and/or to prosecute the actual bad actors behind the phishing pages not me the relayer.

localtunnel isn't meant as an anonymizing service. It's meant to be a simple tool to help you temporarily share your localhost webdev progress with others or make webhook development easier so devs dont have to open ports in order to test out webhooks.

[felix068]

hey @felix068, can you please let me know:

• what localtunnel version you're using (lt --version should print out the version)
• if your network has multiple internet connections (e.g. sometimes schools or offices have dual WAN/internet setups that load balances)

@TheBoroer my version is 2.0.2, I'm only on 1 network (it's a home network) when I type my ip it tells me that it's not valid but I'm sure that's my public ip and I specify that it is a pity that the password must necessarily be the public ip, because my use is precisely to hide my ip ... so if I have to give my ip to hide it ... I would prefer to put a password or random password

hmm i'll have to troubleshoot this further...

I would have loved to do a randomized password for all tunnels but I don't have permissions to push a new client version to npm plus it needs to also be backwards compatible with older clients. so that's the constraints im working within when coming up with a solution. I'm still evaluating other password-like ways of stopping unsuspecting users from entering phishing portals but for now the endpoint IP is the easiest...i'll just have to figure out why some users (like you) aren't able to access their tunnels 🤔

I dislike having to enforce password protection in general but the endpoint IP was the only thing I could use that's unique per tunnel endpoint AND could be backwards compatible with older versions of localtunnel (i don't have npm publish permissions atm so I can't even publish updated clients).

About leaking your ip, your IP was always being exposed even before this recent change via special localtunnel http headers. Ngrok also exposes the tunnel endpoint's real IPs via ngrok-agent-ips headers and subdomains (more info under Anonymity here). I implemented that too so that IT security organizations know which ISP to alert and/or to prosecute the actual bad actors behind the phishing pages not me the relayer.

localtunnel isn't meant as an anonymizing service. It's meant to be a simple tool to help you temporarily share your localhost webdev progress with others or make webhook development easier so devs dont have to open ports in order to test out webhooks.

@TheBoroer
Thank you for all these precisions...
I use localtunnel because you can choose your subdomain for free unlike ngrok which always gives a random address which can be annoying to share things. I may have an idea why it doesn't work for some people, I'll stay with my IPv6 because I have an IPv4 and v6 (even if by default my ip is in IPv4)

edit : I just tested in IPv6 and it doesn't work either

[FabianSilva]

my case: https://fabian-development.loca.lt -> 190.210.192.113 doesn't work I tried also to create tunnel with another IP (I have another ISP providers/connections to test) and none of them works

hey @FabianSilva I don't even see that tunnel in the tunnels db 🤔 that's probably why it's not working. Could you please let me know what lt client version you're using (lt --version)

as felix068, I'm also on 2.0.2

[DaveO-Home]

@TheBoroer The site I defined before you changed things works fine. I'm even using GRPC with your bypass headers and it works. However, I changed the Subdomain to see it would work - it failed with my public IP (provider AT&T). I suspect that my original subdomain will fail with my users - right?

[Ronald3217]

Code in python: print("Password/Enpoint IP for localtunnel is:",urllib.request.urlopen('https://ipv4.icanhazip.com').read().decode('utf8').strip("\n"))

Thank you very much, I had a code that I had not touched in a few weeks and now it was asking me for the ip, Your comment with the python code solved my problem.

[Kamal-Moha]

Code in python: print("Password/Enpoint IP for localtunnel is:",urllib.request.urlopen('https://ipv4.icanhazip.com').read().decode('utf8').strip("\n"))

Thank you @hamnv, your solution worked. I was previously trying to follow what localtunnel was telling me on the page, but their suggestions didn't work.
Thanks a lot your solution worked bro

[evan-kolberg]

The "password" doesn't work with a VPN

[Kamal-Moha]

The "password" doesn't work with a VPN

The reason why it doesn't work with VPN is because your internet is running on a secret/unknown IP address. The code can't know the IP of this secret server and that's why its not working.

[arnemolland]

If you're on macOS and using Private Relay, make sure to pause/disable it as its masks your IP.

[jalpanparekh]

@TheBoroer I am facing same issue. ipv4 public address shows incorrect. I have given internet from my mobile hotspot to local linux machine. How can I resolve this?

[alessandroAmedei]

The Meta Cloud API webhook is making a GET with a query parameter that my webservice should send back in the http body response with http status = 200 to validate the webhook.
unfortunately the Frendly Reminder page will block the weebhook Meta verification.
Fantastic tool anyway! Thanks!

[Darren120]

ig this is unusable now rip.

[odama626]

just grabbed this to try and see if the activity pub api I'm working on can be reached by mastadon... I think this verification page is preventing it

[adeyinkaroyal]

Hello @TheBoroer, localatunnel has been a great tool in my magicbox until this verification feature was implemented. Unfortunately, like other users' experience, I had difficulty validating with the IP generated by ipv4.icanhazip.com and I'd now have to source for an alternative. I hope this will be fix asap. Why not include a simple command like lt --myipv4 and let it provide me with the IP that was stored in your database, or better still, on creating the proxy using lt --port 4040, just respond with the ipv4 along side the your URL ... information.

[ericlyoung]

this simply doesn't work now

[alxlion]

Unusable for me too. I don't understand why we need to provide an IP which could be different depending on ipv6 or v4. Just a generated or custom passphrase is enough and simpler.

[adeyinkaroyal]

@TheBoroer, I think there may be a need to review this feature. Even Microsoft has introduced "Dev Tunnel" into Visual Studio, enabling Developer to seamlessly generate both static, dynamic, publicly accessible, and privately accessible as well as organization-level accessible URLs which are automatically mapped to the project during the development stage, thereby enabling ease of Debugging and integration testing.
Please, let there be a better way to implement this policy, I suggested in my last message to display the IP address stored in your db within the cli console.

[Fabeca]

Unusable for me too. I don't understand why we need to provide an IP which could be different depending on ipv6 or v4. Just a generated or custom passphrase is enough and simpler.

this simply doesn't work now

Are you not getting the link with the IP ? thats whats been happening to me lately

[TheBoroer]

Unusable for me too. I don't understand why we need to provide an IP which could be different depending on ipv6 or v4. Just a generated or custom passphrase is enough and simpler.

The reason for doing it the IP way for now is that a generated or custom password would need changes to the localtunnel-client npm package and I don't have access to push new versions to that package. I only maintain the public localtunnel server so I'm doing what I can with what I have. shrugs shoulders

Hello @TheBoroer, localatunnel has been a great tool in my magicbox until this verification feature was implemented. Unfortunately, like other users' experience, I had difficulty validating with the IP generated by ipv4.icanhazip.com and I'd now have to source for an alternative. I hope this will be fix asap. Why not include a simple command like lt --myipv4 and let it provide me with the IP that was stored in your database, or better still, on creating the proxy using lt --port 4040, just respond with the ipv4 along side the your URL ... information.

Same reason as my first quote reply above :(
I did think about returning the password by appending something to the end of the url like https://test.loca.lt#password=123123 but since the client can be programmatically started up, some people depend on the url value being returned in their code later on (e.g. like this ${tunnelUrl}/api/some/endpoint) ... so i decided against it.

this simply doesn't work now

It should work now. Those who had issues with the tunnel password before, could you please try again? If you access https://loca.lt/mytunnelpassword (instead of the icanhazip.com url) from the same computer/wifi-network where your localtunnel client is running from it should give you the value that's stored in the db for your tunnel.

[rulesharish]

To get your password ente this in your local browser
https://loca.lt/mytunnelpassword

[Black-Platypus]

@TheBoroer Hey, thank you for all your work :)
Could you tell me where the code relevant to the Friendly Reminder check is?
Searching for "detect-browser", "password", "useragent", "user agent", "user-agent" in this repo or /server turn up no relevant results O_o
I'd like to give users a preface if they're likely to see the reminder, so I'd like to know how that check is performed exactly

[Parking-Master]

@Black-Platypus unfortunately the tunnel reminder is not in this repository directly. The developers purposely put the friendly reminder on all of the https://*.loca.lt domains, so before visiting any localtunnel server, you will see the page. Even if the server doesn't exist.

The friendly reminder page is hosted on localtunnel's main server and nobody can access it but the developers.

I'm also wondering why the server repo doesn't include this page either, because supposedly this is the main server that hosts localtunnel.

TL;DR As far as I'm aware, there is no way to remove, customize, or modify anything about the friendly reminder page. The only way that you can bypass it is by having a non-browser user-agent (it can be anything), or setting the HTTP request header Bypass-Tunnel-Reminder to any value.

[TheBoroer]

Hey @Black-Platypus,
The reminder page is closed-source for the moment because it's messy code haha but I use this package: https://www.npmjs.com/package/detect-browser

And basically do something like:

const clientBrowser = detect(requestUserAgent);
if (clientBrowser.type == "browser") {
  // Show reminder page if there wasn't a consent given from that public IP in last 7 days 
}

Does that help you?

[Black-Platypus]

@Parking-Master Thanks, that's what I figured
@TheBoroer Yeah, I saw this linked above. Ultimately, I want to minimize unnecessarily showing my friends and family the "prelude" page with the current password, which I'm serving in PHP, so I was also wondering how the consent is stored. Through testing, I already figured out earlier it must've tied to the users' IP server-side.

Do I have the right idea with these assumptions?

• First, presence of a request header called "Bypass-Tunnel-Reminder" is checked
• If not present, the user agent is checked, to see if it looks like a regular browser according to detect-browser's default behavior
• If it's classified as "browser", there is a DB lookup to see if the user's IP has given consent within the last 7 days
• If no valid consent could be found, the reminder page is shown. Correct password submissions see the user's IP entered into the above DB

Are there other things to worry about? For example, will two devices with the same public IP still match a DB entry, even if their user agent string differs slightly? Or is the exact user agent entered and matched against as well?

[TheBoroer]

@Black-Platypus you pretty much got it figured out!

Only thing to correct is; if Bypass-Tunnel-Reminder header is set, the request is proxied without showing the reminder page.

The bullet points on the db lookup and saving consents to the db are correct.

There's some logic for rate limiting and blacklisting bots that spam the server with hundreds of tunnels per second but that's only on the new tunnel endpoint, not the tunnel subdomains so shouldn't be affecting your users. So yeah, there shouldn't be anything else going on that you have to worry about.

For example, will two devices with the same public IP still match a DB entry, even if their user agent string differs slightly? Or is the exact user agent entered and matched against as well?

same public ip w/ an valid consent in the db = automatic bypassing of the page regardless of what the user-agent is

[Black-Platypus]

Thank you, @TheBoroer !
I meant to write "If NOT present", referring to the bypass request header, of course 🤦.
I've corrected myself above, so there's a bullet point list representing more or less what's happening for easy looking over at a glance.
If things are more or less correct now, let this comment explain the correction above for posterity ^^

[Marvin-Brouwer]

Hi @TheBoroer,

I've been rummaging around in the localtunnel/server source code. And I can't find any reference to this page.
If I were to host this client on my own domain, how would I add such a page?

[TheBoroer]

Hi @TheBoroer,

I've been rummaging around in the localtunnel/server source code. And I can't find any reference to this page. If I were to host this client on my own domain, how would I add such a page?

Hey, the localtunnel-guard (the proxy that handles the tunnel reminder page + logic) is a separate closed source expressjs+proxy app atm so you'll have to come up with your own solution until i clean up some code and release it

[Marvin-Brouwer]

Hi @TheBoroer,
I've been rummaging around in the localtunnel/server source code. And I can't find any reference to this page. If I were to host this client on my own domain, how would I add such a page?

Hey, the localtunnel-guard (the proxy that handles the tunnel reminder page + logic) is a separate closed source expressjs+proxy app atm so you'll have to come up with your own solution until i clean up some code and release it

Loud and clear, thanks.
I'm not planning on hosting anytime soon. And if I do, I'm not communicating it publicly I think so I'm fine for now.