Skip to main content

Exposing HTTPS using a Bore tunnel without overhead

While a WireGuard tunnel allow UDP and TCP ports forwarding, it's quite complicated and heavy to set up.

Instead of using WireGuard, it is possible to use jkuri/bore, which is an implementation of a bore proxy based on Go and SSH port forwarding.

Advantages of jkuri/bore over WireGuard are:

  • Easy to set up
  • HTTPS/HTTP URL generation

How to use

Similar to WireGuard, you MUST set network to slirp4netns or pasta.

A bore server has been deployed at, with HTTPS already set up. If you are concerned about authority, you can choose to host your own bore server by following the README in the official repository of jkuri/bore. We also recommend deploying Caddy reverse proxy for easy configuration (auto TLS, HTTP/3 support).

Using DeepSquare to expose a port is quite easy:

enableLogging: true

tasks: 1
cpusPerTask: 1
memPerCpu: 512
gpus: 0

- name: start-nginx
command: nginx -g "daemon off;"
image: nginxinc/nginx-unprivileged:latest
## Use the container network interface slirp4netns (or pasta) to create a network namespace.
network: slirp4netns # or pasta
## Forward TCP/UDP traffic from port 8080 to
- bore:
targetPort: 8080

Remember that we are still running in an unprivileged container, so it is impossible to bind to restricted ports.

We use nginxinc/nginx-unprivileged:latest in our example, which is a simple web server that binds to port 8080. The bore client connects to the server and redirects the local port 8080 to the bore proxy.

You can then fetch the generated URL and port in the logs. It should look like this:

Generated HTTP URL:
Generated HTTPS URL:
Direct TCP: tcp://

Allocate a Bore address

This feature is unique to DeepSquare. If you go to the DeepSquare's Bore Proxy website, you can fetch a unique route:


Use a long-lived token if you plan to reuse the same authentication token. Fetch route will fetch an existing route. If the route doesn't exists yet, a new route will be generated.

Use MetaMask to authenticate. No payment is required, you only have to sign a message, which doesn't use any blockchain.

This will be returned:

Allocated HTTP URL:

Allocated HTTPS URL:

Allocated TCP URL: tcp://


Token expiration: 2024-01-09 14:33:02 +0100 CET

The URL and port is allocated to you and you can use it for your jobs. Right now, only one URL is allowed per user.

Use the token to fill the secret field of the bore proxy:

targetPort: 8080

The authentication token will automatically expire after a certain time, but the route will remain accessible.

If you've lost your token, you can recover the route and the old token will be invalidated.


If you self-host your own Bore proxy, the secret will correspond to the id parameter.