Show HN: Lynk – Securely expose local TCP and HTTP services to the web

I want to be supportive, and I believe this solves a real issue, but this giving me serious pause:<p>&gt; We take security very seriously, especially when it comes to our users. This is why we offer end-to-end SHA-256 encryption<p>You take security seriously, but are confusing pretty basic and fundamental concepts of encrypting vs hashing.<p>Given that the point of this service to expose local services to the internet, and only provides compression benefits if I expose the plaintext traffic of my service, I&#x27;m not seeing a lot of information that gives me confidence you truly understand the importance of doing what you are doing securely and safely. Not to mention confidence to defend against what an attractive target this makes you for attackers to passively tap or pivot into your customers.

This product offering is a bit confusing. Not that I don&#x27;t get the offering - but that the marketing around it confuses me.<p>It&#x27;s designed for forwarding applications for development purposes? But then why the in-depth monitoring and alerting (something that seems to imply a production system might be running on top of this.)<p>The &quot;meaning your website performance won&#x27;t take a hit no matter where your users are&quot; doesn&#x27;t really make sense in this context either. My &quot;users&quot; are hopefully my coworkers&#x2F;the client I&#x27;m demoing to. And if I&#x27;m tunneling up my site over wifi from my laptop, a &quot;highly available&quot; and &quot;globally distributed&quot; load balancer setup really doesn&#x27;t make sense, nor is it relevant for the development use-case.<p>And if it&#x27;s &quot;6x more performant&quot; than ngrok- is that really relevant if you&#x27;re using it for a trivial amount of traffic in a development environment? Why is this a selling point to me?<p>Further - if I&#x27;m tunneling TCP, does &quot;end to end&quot; really matter? If I&#x27;m tunneling something that&#x27;s not encrypted on my application (let&#x27;s say a plaintext redis connection) the link between this service and the person connecting to the tunnel is still unencrypted. Which means the whole &quot;end to end&quot; marketing really doesn&#x27;t make much sense - unless of course I don&#x27;t trust the network I&#x27;m running on - but for some reason maybe trust the network the person accessing the tunnel is on (super unlikely situation...)<p>The example also irks me - exposing a database directly to the internet (if it&#x27;s a database for development, hopefully - it&#x27;s probably fine?)<p>Is this trying to compete with ngrok, or something like Cloudflare&#x27;s Argo tunnels? Because the marketing material leads me in two different directions, which is pretty confusing.

The standard answer to this problem is ngrok, so it&#x27;d be useful to have a direct comparison. I couldn&#x27;t find any encryption code in the Github repos you have exposed (I didn&#x27;t look hard); obviously, since you&#x27;ve documented &quot;SHA-256 encryption&quot;, you should probably write that up a lot better. I assume that at least the client side of this will be open source, in that people are going to be squeamish about running closed source desktop tunneling software.

If I can just offer one bit of feedback, if you just type any email and password in the &quot;Sign in &#x2F; Register&quot; page, it just creates an account for you if it doesn&#x27;t exist.<p>There&#x27;s a ton of reasons you don&#x27;t want that, and should probably have a separate &quot;sign up&quot; flow for email&#x2F;password login. Here&#x27;s a few:<p>1. It&#x27;s not at all clear you can actually do that. One guy in the comments below thinks you can only sign up using Github&#x2F;Gitlab&#x2F;etc.<p>2. Many of us have multiple emails, what if I don&#x27;t remember what email I used for your service? Every time I try the wrong one, it&#x27;ll just create a separate account, and it&#x27;ll take me a few minutes to realize this isn&#x27;t my account, but I just created a new one.<p>3. No double &quot;password confirmation&quot;. Some sites skip this step now, so I guess it&#x27;s not required, but not having it is part of why people will think this isn&#x27;t a sign up field.

I wanted to like this, but I couldn&#x27;t get passed the awful landing page.<p>It brought my phone to crawl. Moving wireframes in the background would have been distracting at the best of times, let alone on an older phone.<p>It gives me the impression they value style over function, which is a huge turn off for me.

Hi Hackernews,<p>We&#x27;re excited to announce that the Lynk Beta is now live!<p>We&#x27;ve been hard at work building out Lynk&#x27;s tunnelling protocols to make them faster, more stable, and all around better. We&#x27;re happy to announce that vs. Ngrok our tunnels perform up to 6 times faster (source: <a href="https:&#x2F;&#x2F;medium.com&#x2F;@shivanshvij&#x2F;building-a-better-ngrok-dbc104754822" rel="nofollow">https:&#x2F;&#x2F;medium.com&#x2F;@shivanshvij&#x2F;building-a-better-ngrok-dbc1...</a>) and support technologies such as HTTP&#x2F;2 (with HTTP1 fallback) and Websockets.<p>Check out our open beta and documentation here: <a href="https:&#x2F;&#x2F;lynk.sh" rel="nofollow">https:&#x2F;&#x2F;lynk.sh</a>

One piece of feedback: for security reasons use a different domain for tunnels.<p>lynk.sh &amp; lynkapp.sh<p>Heroku, Netlify, Github made the same mistake of originally using their main domains for user hosted apps and it lead to several vulnerabilities.

I honestly don&#x27;t see the use of this. Why would anyone want to expose a development environment to the internet, especially in the age of devops and reproducible environments. 98% of all my development happens over 127.0.0.1 now. I have zero need to expose a service when I can replicate multi sites on a lan with the lightweight environment given to me with containers and vms.

How are you handling connections? I think the original ngrok had a control connection and then opened a new connection for each request. I think they have now switched to multiplexing. I&#x27;ve heard multiplexing multiple HTTP connections over a single HTTP connection can have issues if there is packet loss.<p>For example if you have 1% chance of dropping a packet, and your conversation involves 1 packet then if you have 10 conversions each with its own TCP connection you will average 0.1 conversations being stalled from packet loss.<p>But if you multiplex those 10 conversations over 1 TCP connection then you will average ~ 1 conversation being stalled from packet loss.<p>I&#x27;m guessing this is not such a big problem with typical packet loss and a low number of conversations but if you are pushing a lot of conversations simultaneously over a single TCP connection then it could become noticeable.

&gt; we offer end-to-end SHA-256 encryption<p>Is this a mistake?

<a href="https:&#x2F;&#x2F;lynk.sh&#x2F;faq&#x2F;#privacy" rel="nofollow">https:&#x2F;&#x2F;lynk.sh&#x2F;faq&#x2F;#privacy</a><p>&gt; We only ask for personal information when we truly need it to provide a service to you. We collect it by fair and lawful means, with your knowledge and consent. We also let you know why we’re collecting it and how it will be used.<p>Be specific on this <i>in</i> your privacy policy. What information do you collect?

I echo the sentiments that the features you promote seem overkill for the &quot;primary use-case&quot; of local development.<p>On another note I suggest you improve the accessibility of your pages. The contrast of the text in the navigation bar and on the FAQ page makes it hard to read, and is below the WCAG standards.

Canyon add up comparisons with inlets and cloudflare warp? It may help migrate existing customers.

Interesting. But I hate getting random endpoints, that means I need to keep updating configs. I&#x27;d rather use a self hosted solution, there are some easy ones out there.

Immediately reminds me on <a href="https:&#x2F;&#x2F;ngrok.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;ngrok.com&#x2F;</a> which should do basically the same

Author of <a href="https:&#x2F;&#x2F;inlets.dev" rel="nofollow">https:&#x2F;&#x2F;inlets.dev</a> here, inlets is open-source (client and server) and can be self-hosted along with link encryption with TLS. We use web sockets which can penetrate almost any firewall&#x2F;NAT situation. It&#x27;s also important to note the Kubernetes and cloud integration for provisioning your own exit hosts. Take a look. TCP support in PRO edition with personal license available.

This reminds me of cloudflare access with faster ui&#x2F;ux. The cli interface looks very similar to cloudflared.<p>Will give it a go when in need, cheers.

Malware&#x2F;bots will abuse this a lot just like with ngrok.io because of the free tier.

How is this better than ngrok?

Can the client run on a raspberry pi?

To tunnel your whole infrastructure traffic through a third party is one of the dumbest ideas I have ever heard of.