Install ngrok on Linux ARM64 devices
In this guide, you'll learn how to install ngrok on any Linux ARM64 device to forward traffic from public endpoints to your upstream services or for remote management. You'll also create some a traffic policy to protect your device from unauthorized traffic.
This guide is specific to ARM64 devices on Linux—if you're using a different device or CPU architecture, first check whether your platform meets the ngrok agent's system and resource requirements. We also have other guides that may fit your use case more precisely:
Prerequisites
To follow this guide, you need:
- An ngrok account (some features require a pay-as-you-go plan)
- Any ARM64 device running Linux (see our system requirements for all supported architectures)
Step 1: Install the ngrok Agent
-
Open a shell session with your remote ARM64 device.
-
Download the latest ngrok agent binary for ARM64 devices.
wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-arm64.tgz
-
Unzip the file and move it to a directory in your
PATH
, like/usr/local/bin
.sudo tar xvzf ./ngrok-v3-stable-linux-amd64.tgz -C /usr/local/bin
-
Link the ngrok agent to your ngrok account with your authtoken, replacing
{NGROK_AUTHOKEN}
with the value found in your ngrok dashboard.ngrok authtoken {NGROK_AUTHTOKEN}
Step 2: Enable SSH access
If you want to perform remote administration on your ARM64 device using a reserved TCP address and an encrypted tunnel, instead of relying on IP addresses, you can create a TCP tunnel at port 22
on your ARM64 device.
-
Start the TCP tunnel with
ngrok
.warningTCP endpoints are only available on a free plan after adding a valid payment method to your account. If you get a different error, ensure your authtoken is configured correctly.
ngrok tcp 22
When the ngrok agent starts, you'll see a
Forwarding
line with similar information about the public endpoint for the TCP tunnel to your device:Forwarding tcp://4.tcp.us-cal-1.ngrok.io:16420 -> localhost:22
-
On your local workstation, SSH into your ARM64 device with the command below, replacing the variables with the following:
{NGROK_PORT}
The port number assigned to your ngrok agent (e.g. if the agent shows tcp://4.tcp.us-cal-1.ngrok.io:12345
, your port number is12345
).{USER}
An existing user on your remote device. {NGROK_TCP_ADDRESS}
The address of the ngrok agent (e.g. if the agent shows tcp://4.tcp.us-cal-1.ngrok.io:12345
, your TCP address is4.tcp.us-cal-1.ngrok.io
).ssh -p {NGROK_PORT} {USER}@{NGROK_TCP_ADDRESS}
Step 3: Enable ingress to a service on your ARM64-based Linux device
Separately from SSH access, you can also use ngrok to create an HTTP tunnel to route traffic to specific applications or services running on your ARM64 device's localhost
network.
If you already established a TCP tunnel for SSH access, you'll either need to create a second tunnel for the HTTP tunnel, or use the agent configuration file to define multiple tunnels.
-
Use ngrok to create an HTTP tunnel at the port on which your service operates, e.g. port
8080
.ngrok http 8080
When the ngrok agent starts, you'll see a
Forwarding
line with similar information about the public endpoint for the HTTP tunnel to your device:Forwarding https://12345.ngrok.app -> http://localhost:8080
-
Optionally, you can reserve a static subdomain on
ngrok.app
orngrok.dev
like so:ngrok http 8080 --domain example.ngrok.app
-
Open a browser and navigate to the endpoint, e.g.
https://12345.ngrok.app
, to access the service from any remote system.
Step 4: Add a Traffic Policy to restrict IPs
Now that you have SSH tunneling and service ingress handled via ngrok, you may also want to protect those services from unknown and untrusted users. You'll use the Traffic Policy module and the Restrict IPs action, which works with both HTTPS and TCP tunnels.
-
Create a new file on your ARM64 device, where you create ngrok tunnels, named
policy.yml
. -
Open the file for editing and paste in the following contents, replacing
1.1.1.1
with the public IP of the workstation you use to access your ARM64 device:---
on_tcp_connect:
- actions:
- name: "Restrict all IPs except trusted CIDRs"
type: "restrict-ips"
config:
enforce: true
allow:
- "1.1.1.1/32"notengrok's IP Restriction action uses CIDRs to specific IPs or IP ranges. The
/32
notation refers to a single IPv4 address, like ` -
Restart any existing tunnels, or create new ones, referencing the
policy.yml
file you just created, choosing between a TLS and HTTP tunnel below.- TLS tunnel
- HTTP tunnel
ngrok tcp 22 --traffic-policy-file /path/to/policy.yml
ngrok http 8080 --traffic-policy-file /path/to/policy.yml
-
When you re-establish your TLS or HTTP tunnels, ngrok will proxy requests from your allowed IP/CIDR through to your ARM64 device and reject all others at its network edge, preventing your device from being constantly bombarded with automated and malicious attacks.
What's next?
Now that you can create ngrok tunnels on your Linux ARM64 device and understand the fundamentals of managing traffic with policies, you can extend your usage to make your device—or even a fleet of them—ready for production usage.
- Bring a custom domain to ngrok to create static endpoints.
- Learn how to write an agent configuration file to define and create multiple tunnels from a single command line.
- Install ngrok as a service to start after your ARM64 device boots and automatically restart after crashes.