For the better part of the last decade, developers have relied on localhost tunneling services to expose local applications to the wider internet. Tools that generate a quick, temporary URL pointing straight to your machine's port 3000 became indispensable for web developers building webhooks, OAuth flows, and REST APIs.
But the development ecosystem of 2026 has outgrown that model. We are no longer just building stateless HTTP web applications. We are building real-time multiplayer game netcode, low-latency video streaming applications using WebRTC, and specialized IoT networks running protocols like CoAP and DTLS. The problem is that most legacy tunneling tools are strictly hardcoded for HTTP and TCP. When you try to route a connectionless protocol like UDP through a TCP-centric tunnel, you encounter massive overhead, latency spikes, and fundamentally broken application behaviour.
This article explains why, walks through the tools that actually solve it, and covers what you need to know to do it safely.
To understand why tunneling UDP is difficult, you have to look at the architectural difference between TCP and UDP.
TCP (Transmission Control Protocol) is connection-oriented. It guarantees delivery, manages packet ordering, and handles error checking. It is perfect for web traffic, where receiving every byte of an HTML document in the correct order is non-negotiable. Traditional tunneling tools thrive on TCP because they act as reverse proxies, managing the state of the connection between the public endpoint and your local machine.
UDP (User Datagram Protocol) is connectionless — a fire-and-forget protocol. It does not care if a packet arrives out of order, or at all. This absence of overhead is what makes UDP the backbone of real-time applications where low latency beats perfect reliability.
When you push a game server's UDP traffic through a TCP tunnel, the tunneling software encapsulates lightweight, stateless UDP packets inside a heavy, stateful TCP connection. This produces head-of-line blocking: if a single packet is lost on the public network, TCP stalls the entire stream while waiting for retransmission. For a web page, that is a minor delay. For a fast-paced multiplayer game or a live WebRTC video call, it means rubber-banding, latency spikes, and dropped clients.
This architectural mismatch is exactly why ngrok — arguably the most widely installed tunneling tool in the world — still does not support UDP in 2026. Its free tier also carries a hard 1 GB/month bandwidth cap, and its recent pivot toward enterprise "Universal Gateway" features has made the free experience noticeably more restrictive.
This is not just a developer-tooling story. The broader internet is moving toward UDP at a fundamental level.
HTTP/3, the latest version of HTTP, runs over QUIC (RFC 9000) — a transport protocol built on UDP, not TCP. QUIC solves TCP's head-of-line blocking problem at the transport layer: each stream handles packet loss independently, so a lost packet for one resource does not freeze the others. As of October 2025, HTTP/3 adoption had reached 35% of global traffic according to Cloudflare data, and over 95% of major web browsers support it. Real-world benchmarks show HTTP/3 response times roughly 47% faster than HTTP/1.1 on high-latency or lossy connections.
For streaming media, Media over QUIC (MOQ) is emerging as an alternative to WebRTC for broadcast-grade use cases, with sub-second latency over QUIC-based WebTransport. The first production MOQ deployment launched in 2025.
The takeaway for developers: UDP is no longer a niche concern for game programmers. It is the foundation of the modern, real-time web. Your tooling needs to reflect that.
The tunneling market has bifurcated. A handful of tools handle HTTP well and UDP not at all (ngrok, Localtunnel). A newer generation treats UDP as a first-class citizen. Here is where things stand.
LocalXpose has become the go-to recommendation in communities like r/selfhosted and gaming forums for raw protocol support. It treats HTTP, HTTPS, TCP, TLS, and UDP as equally valid tunnel types. Its dedicated UDP tunnels map a public port directly to your local instance without encapsulation overhead, and it provides both a CLI and a GUI — making it accessible to non-developers who want to run a game server for friends without learning terminal flags. Pricing is approximately $6/month for 10 concurrent tunnels with unlimited bandwidth, along with a built-in file server for sharing game mods or server logs.
Pinggy has gained traction in the terminal-first crowd with one compelling trick: it requires nothing to install. You run a standard SSH command and get a live tunnel — no npm package, no binary. It supports HTTP, HTTPS, TCP, UDP, and TLS tunnels, and adds a terminal UI with QR codes and a built-in request inspector. The Pro plan is $3/month, less than half the cost of ngrok's Personal plan ($8/month), and unlike ngrok, UDP is fully supported. For quick "let me show you this" moments, it is hard to beat.
Localtonet has become a strong all-rounder, described as offering features that would otherwise require three separate tools: a webhook inspector, a file server, and a mobile proxy — all in one. It supports HTTP, TCP, and UDP with end-to-end encryption across 16+ global server locations. At approximately $2/tunnel/month with unlimited bandwidth and no session timeouts, it significantly undercuts ngrok on price.
Playit.gg is purpose-built for gamers. It provides both TCP and UDP tunnels for hosting Minecraft, Terraria, and other multiplayer game servers, is open source, and offers a generous free tier with up to 4 TCP and 4 UDP tunnels. The paid plan (Playit Plus) costs $3/month or $30/year and adds custom domains, dedicated IPs, and additional tunnels. If your only use case is hosting a game server, this is the most frictionless starting point.
For teams with data sovereignty requirements, self-hosted options like FRP (Fast Reverse Proxy) give you full control over your infrastructure, no vendor lock-in, and support for complex protocol configurations. WireGuard, often paired with Tailscale for zero-configuration NAT traversal, provides proven speed advantages with minimal latency — particularly well-suited for streaming, video, and high-frequency update workloads. Wrapping WireGuard in QUIC (as Mullvad and others now support) makes the traffic indistinguishable from ordinary HTTP/3 web traffic, which is rarely filtered even on restrictive networks.
Game servers rely heavily on UDP for player position updates, fast-sync actions, and state replication. If your ISP uses Carrier-Grade NAT (CGNAT) — meaning you do not actually have a public IP address to port forward from your router — you traditionally had to rent a cloud VPS just to test your netcode.
With LocalXpose, exposing a local game server is a single command. If your server is listening on port 19132:
loclx tunnel udp --to 127.0.0.1:19132 --region usThe CLI outputs a public endpoint such as us-1.loclx.io:4506. Your friends or playtesters enter that address into their game client. Traffic flows cleanly through the public UDP endpoint to your machine, preserving the low latency required for real-time play. With Pinggy, the equivalent command using SSH is:
ssh -p 443 -R0:localhost:19132 udp@a.pinggy.ioNo binary to install, no account required to try it.
WebRTC is the standard for browser-based, peer-to-peer real-time communication. While its initial signalling phase (exchanging connection details via SDP) happens over HTTP or WebSockets, the actual media streams are transmitted over UDP using SRTP (Secure Real-time Transport Protocol).
Testing WebRTC locally is notoriously frustrating. WebRTC uses the ICE (Interactive Connectivity Establishment) framework to find the shortest path between peers. Corporate firewalls and NAT regularly block the incoming UDP media streams — resulting in a successful signalling handshake where neither side can hear or see the other. TURN and STUN servers help with NAT traversal, but they do not solve the problem of your local SFU or media server not being reachable at all.
The practical fix is to tunnel both layers simultaneously. Using a service like Localtonet, which supports mixed TCP/UDP workloads, you can expose your signalling server (TCP/HTTP) and your media ports (UDP) at the same time. This allows external peers or mobile devices to connect to your local WebRTC instance and stream video directly through the firewall, mimicking a production environment without deploying to a staging server.
For teams using mediasoup, Janus, or a custom SFU locally, this removes a significant CI friction point.
The IoT ecosystem favours lightweight protocols to conserve battery life and bandwidth on constrained devices. CoAP (Constrained Application Protocol) and MQTT over DTLS (Datagram TLS) both rely entirely on UDP.
If you are developing firmware for a custom sensor board and need to test its telemetry reporting to an external cloud ingestion service, you need a public UDP endpoint that you can hand off to a remote team or a CI pipeline. Tunnels like LocalXpose or Pinggy let you expose your local IoT rig to the internet, allowing cloud-based services to push commands directly to a device on your desk — no staging environment required.
UDP tunnels are powerful, but they fundamentally extend your localhost's trust boundary to the open internet. Do not treat them as casually as an HTTP tunnel.
DDoS vulnerability. Unlike HTTP tunnels that can rate-limit requests based on headers and session state, raw UDP tunnels forward datagrams indiscriminately. An attacker who discovers your public UDP endpoint can flood it with garbage packets, easily saturating your local connection. Always close UDP tunnels the moment your testing session ends — ephemeral is not just convenient, it is a security property.
No inherent authentication layer. HTTP tunnels can overlay Basic Auth or OAuth. Raw UDP does not have that concept. The application listening on the exposed port must handle its own authentication. If you are exposing a game server or local database, ensure it requires strong credentials independently of the tunnel.
The OAuth redirect URI trap. A real risk that has become more visible in 2026: developers who register an ephemeral tunnel URL as an authorised redirect URI in a Google or GitHub OAuth app and forget to remove it after the PR merges. If that subdomain pattern is later issued to another user on the same tunneling service, they can potentially intercept OAuth callbacks. Mitigate this by implementing automated cleanup of OAuth redirect URIs as part of your PR merge workflow, and enforce OIDC authentication at the tunnel edge for any OAuth-adjacent testing.
Identity-aware access for sensitive workloads. For anything beyond throwaway local testing, tools like Cloudflare Tunnel or Tailscale enforce authentication before traffic can reach your tunnel endpoint. This should be the baseline for any tunnel that stays up longer than a single session.
| Feature | ngrok | Pinggy | LocalXpose | Localtonet | Playit.gg |
|---|---|---|---|---|---|
| UDP Support | ✗ | ✓ | ✓ | ✓ | ✓ |
| Free Tier | 1 GB/mo | Yes | Yes | 1 tunnel, 1 GB | 4 UDP + 4 TCP |
| Paid Plan | $8/mo | $3/mo | ~$6/mo | ~$2/tunnel/mo | $3/mo |
| Install Required | Yes | No (SSH) | CLI/GUI | CLI/GUI/SSH | Yes |
| Best For | HTTP/Webhooks | Quick sharing | Gaming, IoT | All-round workloads | Game servers |
The line between "UDP tunneling" and "HTTP" is going to keep blurring. WebTransport, built on HTTP/3 and QUIC, is a W3C API that gives browsers native access to UDP-like streams and datagrams over an authenticated QUIC connection — without the full complexity of WebRTC's ICE/STUN/TURN stack. As WebTransport matures, some of the use cases currently requiring dedicated UDP tunnels (real-time game state synchronisation, low-latency telemetry) will be handlable over a single QUIC connection that looks like ordinary HTTPS to any firewall.
For now, though, the practical developer toolkit is clear. If you are building anything real-time — a multiplayer game, a WebRTC media app, an IoT data pipeline — you need a UDP tunnel in your local development workflow. The old HTTP-only tools are no longer sufficient, and the good news is that the alternatives are cheaper, better, and in some cases require nothing to install at all.
LocalXpose — game server on port 19132:
loclx tunnel udp --to 127.0.0.1:19132 --region usPinggy — UDP port via SSH (no install):
ssh -p 443 -R0:localhost:19132 udp@a.pinggy.ioLocaltonet — mixed HTTP + UDP (signalling + media):
localtonet http -port 3000
localtonet udp -port 5000Close your tunnel when you are done. An open UDP endpoint on a public relay is a scan target. Ephemeral is the right default.