diff --git a/tunnel.sh b/tunnel.sh
new file mode 100755
index 0000000..84b4c94
--- /dev/null
+++ b/tunnel.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+server=$1
+token=$2
+domain=$3
+localPort=$4
+
+api="https://$server/api"
+
+echo "Creating tunnel"
+
+json=$(curl -s -H "Authorization: bearer $token" -X POST "$api/tunnels?domain=$domain")
+
+serverAddress=$(echo "$json" | jq -r '.server_address')
+serverPort=$(echo "$json" | jq -r '.server_port')
+username=$(echo "$json" | jq -r '.username')
+tunnelPort=$(echo "$json" | jq -r '.tunnel_port')
+tunnelPrivateKey=$(echo "$json" | jq -r '.tunnel_private_key')
+
+# TODO: It would be nice if we could avoid writing the private key to disk.
+# I tried process substition but it didn't work.
+keyFile=$(mktemp)
+printf -- "$tunnelPrivateKey" > $keyFile
+chmod 0600 $keyFile
+
+echo "Connecting to tunnel"
+
+ssh -i $keyFile \
+    -NR 127.0.0.1:$tunnelPort:127.0.0.1:$localPort \
+    $username@$serverAddress -p $serverPort
+
+echo "Cleaning up"
+
+rm $keyFile
+curl -s -H "Authorization: bearer $token" -X DELETE "$api/tunnels?domain=$domain"