How does ngrok work behind a firewall?

Question

Ngrok (https://ngrok.com/) is supposed to allow you to expose local ports and services to the world wide web through forwarding. But if I open port 80 on my local machine like this:

ngrok 80

and I get back:

Tunnel Status                 online
Version                       1.3/1.3
Forwarding                    http://3a4bfceb.ngrok.com -> 127.0.0.1:80
Forwarding                    https://3a4bfceb.ngrok.com -> 127.0.0.1:80
Web Interface                 http://127.0.0.1:4040
# Conn                        0
Avg Conn Time                 0.00ms

I understand that any requests to http://3a4bfceb.ngrok.com will go to my local machine on port 80 but what if I am sitting behind a NAT/Firewall that's blocking incoming traffic (a very common scenario). Does ngrok initiate polling requests to determine when data has been received?

Answer 1

Because an ngrok tunnel is always initiated on the client-side first, this is how it can negotiate a secure channel with the server. It's a really slick solution to getting around conventional firewall configurations.

This is internally accomplished by the client opening up a single long-lived tcp connection where many logical sockets are created within one physical socket connection. This technique is called stream multiplexing. With this setup in place there is no need for any kind of polling because the client and server still have fully bi-directional communication in place.

The client and server then stay alive with a heartbeat mechanism that makes sure the connection is open and working appropriately and will even reconnect upon error or a lost/closed connection.

See this for more information: Developer Guide on github.com