> Access Home Assistant, Plex, Jellyfin, Nextcloud, Pi-hole, and Grafana from anywhere. No VPN, no dynamic DNS, no exposed ports.

# Homelab Remote Access

You run services at home — Home Assistant, Plex, Jellyfin, Nextcloud, Pi-hole, Grafana. They work great on your local network. But the moment you leave your house, you're locked out.

Localport gives each service a public HTTPS URL with one command. No VPN, no dynamic DNS, no holes in your firewall.

## Why not port forward?

- Your ISP might use CGNAT — meaning you don't have a public IP at all
- Port forwarding exposes your home IP address to the internet
- You need to manage DNS, TLS certificates, and firewall rules yourself
- It breaks every time your ISP changes your IP

Localport handles all of this. The connection is outbound from your machine, so your firewall stays closed and your IP stays hidden.

## Service-by-service setup

### Home Assistant

```bash
localport http 8123 --token YOUR_TOKEN
```

Access your dashboard from your phone at `https://abc123.tunnel.localport.dev`.

### Plex / Jellyfin

```bash
# Plex (default port 32400)
localport http 32400 --token YOUR_TOKEN

# Jellyfin (default port 8096)
localport http 8096 --token YOUR_TOKEN
```

### Pi-hole Admin

```bash
localport http 80 --token YOUR_TOKEN
```

### Nextcloud

```bash
localport http 8080 --token YOUR_TOKEN
```

### Grafana

```bash
localport http 3000 --token YOUR_TOKEN
```

### SSH into your home machine

```bash
localport tcp 22 --token YOUR_TOKEN
```

Then from anywhere:

```bash
ssh user@abc123.tunnel.localport.dev -p 47266
```

## Running on a Raspberry Pi

Localport has native ARM64 builds for Raspberry Pi 4 and 5:

```bash
curl -fsSL https://get.localport.dev | sh
localport http 8123 --token YOUR_TOKEN
```

## Running as a system service

You probably don't want to keep a terminal open 24/7. Set up a systemd service so the tunnel starts on boot and reconnects automatically:

```bash
sudo tee /etc/systemd/system/localport.service << 'EOF'
[Unit]
Description=Localport Tunnel
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/localport http 8123 --token YOUR_TOKEN
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl enable --now localport
```

> [!TIP] Multiple services
> Create a separate systemd unit for each service you want to expose. Each gets its own tunnel token and its own public URL.
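
The unit above embeds the token in `/etc/systemd/system/localport.service`, which `tee` typically creates world-readable. As an added example (not Localport's own tooling), this function writes one unit per service as the tip suggests, keeps the token in a root-only `EnvironmentFile`, and adds systemd sandboxing; the function name, the `LOCALPORT_TOKEN` variable, the `/etc/localport` directory and the `ROOT` staging argument are assumptions made here.

```bash
#!/bin/sh
# Added example (not Localport's own tooling): one hardened unit per service.
# Usage: install_localport_unit NAME PORT [ROOT] < token-file
# ROOT is a hypothetical staging prefix so the output can be inspected first.
install_localport_unit() {
    name=$1 port=$2 root=${3:-}
    # Reject values that could escape the file name or the ExecStart line.
    case $name in ''|*[!a-z0-9-]*) echo "bad name" >&2; return 1;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    # Token arrives on stdin so it stays out of shell history and argv here.
    # Assumption: tokens use only URL-safe characters.
    IFS= read -r token || :
    case $token in ''|*[!A-Za-z0-9._~-]*) echo "bad token" >&2; return 1;; esac

    envfile=$root/etc/localport/$name.env
    unit=$root/etc/systemd/system/localport-$name.service
    mkdir -p "$root/etc/localport" "$root/etc/systemd/system"

    # Create the secret file under umask 077, then pin the mode in case it existed.
    ( umask 077; printf 'LOCALPORT_TOKEN=%s\n' "$token" > "$envfile" )
    chmod 600 "$envfile"

    # LOCALPORT_TOKEN is a name chosen here; systemd substitutes it into ExecStart.
    cat > "$unit" <<EOF
[Unit]
Description=Localport Tunnel ($name)
After=network-online.target
Wants=network-online.target

[Service]
EnvironmentFile=/etc/localport/$name.env
ExecStart=/usr/local/bin/localport http $port --token \${LOCALPORT_TOKEN}
Restart=always
RestartSec=5
# Sandboxing; assumes the client needs no writable paths of its own.
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
    chmod 644 "$unit"
}
```

Run it as root without the `ROOT` argument, then `sudo systemctl daemon-reload` and `sudo systemctl enable --now localport-<name>`. The token is still visible to local users in the running process's argument list; this only removes it from the world-readable unit file.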

## Security considerations

- **No inbound ports** — Localport connects outbound. Your firewall stays closed.
- **Home IP hidden** — Traffic goes through Localport's infrastructure. Your IP isn't in DNS records.
- **HTTPS by default** — Valid TLS certificates on every tunnel, no cert management.
- **Token rotation** — Rotate tokens from the dashboard without touching your server.
- **IP whitelisting** (all plans) — Restrict access to specific IPs, like your office or phone's carrier.

## Next steps

- [TCP Tunnels](/docs/tcp-tunnels) — For SSH, databases, and other TCP services
- [Mesh Tunnels](/docs/mesh-tunnels) — Access multiple devices through one tunnel
- [IoT Devices](/docs/iot-devices) — Manage a fleet of devices