Server data from the Official MCP Registry
Let two developers' Claude agents talk directly through an ephemeral, end-to-end-encrypted tunnel.
Valid MCP server (1 strong, 1 medium validity signals). 4 known CVEs in dependencies (0 critical, 3 high severity). Package registry verified. Imported from the Official MCP Registry.
5 files analyzed · 5 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Set these up before or after installing:
Environment variable: TUNNEL_DOH
Add this to your MCP configuration file:
{
  "mcpServers": {
    "io-github-zachlikefolio-tunnel-mcp": {
      "env": {
        "TUNNEL_DOH": "your-tunnel-doh-here"
      },
      "args": [
        "-y",
        "tunnel-mcp"
      ],
      "command": "npx"
    }
  }
}
From the project's GitHub README.
A direct, end-to-end-encrypted tunnel between two developers' Claude agents — no human copy-paste required.

Reproduce that yourself in 30 seconds — clone the repo and:
npm ci && npm run demo
That opens a real encrypted tunnel through Cloudflare's edge, joins it as a guest, exchanges end-to-end-encrypted messages, proves the join link is single-use, and tears everything down.
When two developers each run a Claude agent and need those agents to collaborate, the usual workaround is a human sitting in the middle, copy-pasting messages from one chat window to the other. tunnel-mcp removes that human. It's an MCP server that lets one developer's agent open a throwaway, encrypted tunnel and the other developer's agent dial straight into it, so the two agents can talk to each other directly — while their humans stay in control of what actually happens to the filesystem or the shell.
One developer (the host) calls tunnel_open. Their local tunnel-mcp
process becomes an in-process WebSocket relay and exposes it to the internet via
a throwaway cloudflared Quick Tunnel — no port-forwarding, no server to
provision. The other developer (the guest) calls tunnel_join with the link
the host shares, and their agent dials outbound to that same tunnel. Because both
sides only ever make outbound connections, it works from behind ordinary
firewalls and NAT.
    Host machine                                        Guest machine
┌───────────────────┐       outbound HTTPS          ┌───────────────────┐
│ Claude (host)     │           wss://              │ Claude (guest)    │
│                   │      ┌──────────────┐         │                   │
│ tunnel_open/say/  │──────▶ cloudflared  │◀────────│ tunnel_join/say/  │
│ listen/close      │      │ Quick Tunnel │─────────▶ listen/close      │
│                   │      └──────────────┘         │                   │
│ in-process relay  │                               └───────────────────┘
└───────────────────┘
The relay, the cloudflared child process, and the on-disk session log all live
only for the lifetime of the session and are destroyed on teardown.
npm install -g tunnel-mcp
# or, without installing:
npx tunnel-mcp
Register it with Claude Code (both developers do this once):
claude mcp add tunnel -- tunnel-mcp # if globally installed
# or, with no global install:
claude mcp add tunnel -- npx -y tunnel-mcp
tunnel-mcp is a stdio MCP server, not an interactive CLI. Launching it by hand just waits silently for a client — that's expected. Run tunnel-mcp --help for usage, or tunnel-mcp --version.
The tunnel-etiquette skill teaches each agent how to behave inside a tunnel
(treat the peer as untrusted input, and check with its human before acting on
anything the peer says). Installing the package copies it into ~/.claude/skills/
automatically (best-effort). If install scripts are disabled
(npm install --ignore-scripts), or you want it in a custom directory or force an
update, run it explicitly:
npx tunnel-mcp install-skill # into ~/.claude/skills
npx tunnel-mcp install-skill --dir <path> --force # elsewhere / overwrite
Set TUNNEL_SKILLS_DIR to change the default target, or
TUNNEL_SKIP_SKILL_INSTALL=1 to opt out of the automatic copy.
cloudflared is auto-downloaded to ~/.tunnel/bin the first time it's needed if
it isn't already on your PATH — there's nothing extra to install.
Host — ask Claude to open a tunnel with a goal:
"Open a tunnel to pair on debugging the checkout flow."
Claude calls tunnel_open({ goal }) and hands back a ready-to-forward
invite — one plain-text message containing the one-time setup command and
the join link. Paste it to the other developer over a trusted channel (Slack
DM, etc.) — the link is a secret, since it contains the encryption key for
the session. It is single-use and expires after ~10 minutes
(tunnel_open reports joinLinkExpiresInSec), so share it promptly.
Guest — paste the link and ask Claude to join:
"Join this tunnel:
<link>"
Claude calls tunnel_join({ joinLink }), learns the goal, and the session is
now locked to just the two of you.
Both — the agents converse turn-by-turn using tunnel_say to send and
tunnel_listen to wait for the next reply, checking in with their humans as
needed.
Either side ends the session with tunnel_close, which tears down the relay
and destroys the session log.
| Tool | Who | Purpose |
|---|---|---|
| tunnel_open({goal}) | host | Start the relay + Quick Tunnel and get back a join link. |
| tunnel_join({joinLink}) | guest | Dial into a host's tunnel using the link and authenticate. |
| tunnel_say({text}) | both | Send a message to the peer. |
| tunnel_listen({sinceSeq?, timeoutMs?}) | both | Wait for the next message(s) from the peer. |
| tunnel_status() | both | Inspect the current session (connected, idle, etc.). |
| tunnel_close({summary?}) | both | End the session and tear down the relay. |
tunnel-mcp is a security-sensitive tool by nature — it opens a live channel between two AI agents. Here's exactly what it does and does not protect:
tunnel_say body is
sealed with NaCl secretbox (XSalsa20-Poly1305, via tweetnacl) before it
crosses the cloudflared pipe. The relay and the pipe only ever see
ciphertext for chat bodies.
tunnel_open goal, each participant's name, and connection events
(joined/left/idle/closed) are sent as plaintext metadata — do not put secrets
in the goal string or a display name.
cloudflared child process, and the on-disk log — on an explicit
tunnel_close, after 30 minutes of no messages (idle timeout), or when the
host's process exits.
See SECURITY.md for the full threat model and how to report a vulnerability.
cloudflared — auto-installed to ~/.tunnel/bin on first use if not already
on your PATH
npm ci # install dependencies
npm test # run the test suite (159 tests, TDD)
npm run build # compile TypeScript
npm run lint # eslint
npm run format:check # prettier --check .
npm run test:coverage # vitest run --coverage
See CONTRIBUTING.md for how to propose changes.
tunnel-mcp / npx tunnel-mcp "does nothing". It's a stdio MCP server, not
an interactive CLI — with no arguments it starts and waits for an MCP client to
connect over stdin/stdout. That's working as intended. Register it with a client
(above), or run tunnel-mcp --help.
Guest join fails with getaddrinfo ENOTFOUND …trycloudflare.com. A
cloudflared quick tunnel prints its URL a few seconds before the per-tunnel DNS
record has propagated. If anything looks the name up too early it gets an
NXDOMAIN that the resolver negative-caches for up to 30 minutes — breaking the
join even after the tunnel is live. tunnel-mcp avoids this: tunnel_open waits
for the record to actually resolve (via DoH to Cloudflare's 1.1.1.1, an IP that
never touches — and so never poisons — your system resolver) before returning the
link, and the guest resolves system-first with a DoH fallback. So a fresh join
should just work; if you hit ENOTFOUND, an earlier attempt likely poisoned the
cache — wait for it to expire, or flush DNS (sudo dscacheutil -flushcache on
macOS). Set TUNNEL_DOH=off only on networks that block DoH (1.1.1.1) and where
system DNS already resolves *.trycloudflare.com.
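The wait-for-propagation step described above, as an added example (not tunnel-mcp's own code): it polls Cloudflare's DoH JSON endpoint at 1.1.1.1 until the name has an A record, so the system resolver never sees, and never negative-caches, an NXDOMAIN. The names dohQuery and waitForRecord, the timeout defaults, and the injectable query/sleep/now hooks are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not part of tunnel-mcp.
const DOH_ENDPOINT = "https://1.1.1.1/dns-query"; // Cloudflare DoH, JSON form

// One DoH lookup addressed by IP, so the OS resolver is never asked for the name.
async function dohQuery(hostname, fetchImpl = fetch) {
  const url = `${DOH_ENDPOINT}?name=${encodeURIComponent(hostname)}&type=A`;
  const res = await fetchImpl(url, { headers: { accept: "application/dns-json" } });
  if (!res.ok) throw new Error(`DoH HTTP ${res.status}`);
  const body = await res.json();
  // Status 0 = NOERROR, 3 = NXDOMAIN; record type 1 = A (CNAMEs etc. are skipped).
  const addrs = (body.Answer ?? []).filter((a) => a.type === 1).map((a) => a.data);
  return { status: body.Status, addrs };
}

// Poll until the name resolves or the deadline passes. NXDOMAIN and transient
// DoH errors both mean "not propagated yet"; only running out of time is fatal.
async function waitForRecord(hostname, opts = {}) {
  const {
    query = dohQuery,
    timeoutMs = 30000,
    intervalMs = 1000,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    now = Date.now,
  } = opts;
  const deadline = now() + timeoutMs;
  let attempts = 0;
  let last = "no attempt";
  while (true) {
    attempts += 1;
    try {
      const { status, addrs } = await query(hostname);
      if (status === 0 && addrs.length > 0) return { addrs, attempts };
      last = `status ${status}, ${addrs.length} A records`;
    } catch (err) {
      last = err.message;
    }
    // Stop before sleeping past the deadline, and report the last observation.
    if (now() + intervalMs > deadline) {
      throw new Error(`${hostname} did not resolve within ${timeoutMs} ms (${last})`);
    }
    await sleep(intervalMs);
  }
}
```

A caller would hand out the join link only after waitForRecord returns; the guest side's system-first lookup with a DoH fallback is a separate step not shown here.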
This is an MVP. The following are explicitly out of scope for now:
MIT — see LICENSE.