Documentation / TCP Tunneling

TCP Tunneling

Expose databases, SSH, and other TCP services to the internet securely

Overview

TCP tunneling allows you to expose any TCP-based service through stunl. Perfect for databases (PostgreSQL, MySQL, MongoDB, Redis), SSH access, game servers, and custom TCP protocols.

Included in Pro

TCP tunneling is included in all Pro accounts. Start free.

How TCP Tunneling Works
Your Machine
localhost:5432
PostgreSQL
Public Endpoint
myapp.stunl.io:15432
Accessible anywhere

Quick Start

Create a TCP tunnel 
# Expose PostgreSQL (port 5432)
$ stunl -protocol tcp -port 5432 -id mydb

  ● STUNL

  ╭── ⇄ ── TCP mydb
  │   Connect  mydb.stunl.io:15432
  │   Local    localhost:5432

# Connect from anywhere:
$ psql -h mydb.stunl.io -p 15432 -U postgres

Database Examples

PostgreSQL

# Create tunnel
$ stunl -protocol tcp -port 5432 -id mydb

# Connect with psql
$ psql -h mydb.stunl.io -p 15432 -U myuser -d mydb

# Connection string
postgresql://myuser:mypass@mydb.stunl.io:15432/mydb

MySQL / MariaDB

# Create tunnel
$ stunl -protocol tcp -port 3306 -id mysql

# Connect with mysql client
$ mysql -h mysql.stunl.io -P 13306 -u root -p

# Connection string
mysql://root:password@mysql.stunl.io:13306/mydb

Redis

# Create tunnel
$ stunl -protocol tcp -port 6379 -id redis

# Connect with redis-cli
$ redis-cli -h redis.stunl.io -p 16379

# Connection string
redis://redis.stunl.io:16379

MongoDB

# Create tunnel
$ stunl -protocol tcp -port 27017 -id mongo

# Connect with mongosh
$ mongosh "mongodb://mongo.stunl.io:17017/mydb"

# Connection string
mongodb://mongo.stunl.io:17017/mydb

Reserved Ports

By default, TCP tunnels are assigned random public ports (10001-19999) that change each time you reconnect. With reserved ports, you lock in a specific port number that persists across reconnects.

Using Reserved Ports 
# First, reserve a port at portal.stunl.com
# Then use the -public-port flag:

$ stunl -protocol tcp -port 5432 -id mydb -public-port 15432

  ● STUNL

  ╭── ⇄ ── TCP mydb
  │   Connect  mydb.stunl.io:15432  ← Always the same!
  │   Local    localhost:5432

Why Reserve Ports?

  • Stable connection strings - No need to update configs when you reconnect
  • Team collaboration - Share once, works forever
  • Firewall rules - Pre-configure firewall for specific ports
  • Exclusive access - Port is yours even when offline

Pro includes 2 reserved ports free (max 10). Reserve ports at portal.stunl.com.

Multi-Port TCP Tunnels

Combine HTTP and multiple TCP services in a single tunnel using the -ports flag.

Full Stack: HTTP + PostgreSQL + Redis 
$ stunl -id myapp -ports "web:3000:http,db:5432:tcp,cache:6379:tcp"

  ● STUNL

  ╭── ◎ ── HTTP web
  │   HTTPS    https://myapp.stunl.io
  │   Local    localhost:3000

  ╭── ⇄ ── TCP db
  │   Connect  myapp.stunl.io:15432
  │   Local    localhost:5432

  ╭── ⇄ ── TCP cache
  │   Connect  myapp.stunl.io:16379
  │   Local    localhost:6379

# With reserved ports:
$ stunl -id myapp -ports "web:3000:http,db:5432:tcp@15432,cache:6379:tcp@16379"

UDP Tunneling

stunl also supports UDP tunneling for game servers, VoIP, and real-time applications.

UDP tunnel for game server 
# Expose Minecraft server (UDP port 25565)
$ stunl -protocol udp -port 25565 -id minecraft

  ● STUNL

  ╭── ◇ ── UDP minecraft
  │   Connect  minecraft.stunl.io:10001
  │   Local    localhost:25565

Pro Limits

Feature Pro
Total tunnels (HTTP/TCP/UDP) 10
Reserved ports included 2
Max reserved ports 10

⚠️ Security Best Practices

  • Use strong passwords - TCP tunnels expose your service directly. Always use strong database passwords.
  • Limit access - Consider using database-level access control (IP whitelists, user permissions).
  • TLS encryption - Enable TLS on your database if possible. stunl provides transport encryption, but database-level TLS adds another layer.
  • Development only - TCP tunnels are great for development and testing. For production, use proper VPN or private networking.

Next Steps