> Connect and manage IoT device fleets with mesh tunnels. Raspberry Pis, sensors, cameras — each gets its own URL. No VPN or static IPs needed.

# IoT Device Management

You have devices in the field — sensors, cameras, Raspberry Pis, industrial controllers. Each runs a local service. You need to reach any specific device from your office or monitoring system, but every single one is behind NAT.

Localport's mesh tunnels give each device its own URL without VPNs, static IPs, or complex networking.

## Architecture

```
Your Dashboard / Monitoring System
    │
    ├─ https://sensor-1.fleet.tunnel.localport.dev  → Sensor 1 (warehouse A)
    ├─ https://sensor-2.fleet.tunnel.localport.dev  → Sensor 2 (warehouse B)
    ├─ https://camera-1.fleet.tunnel.localport.dev  → Camera 1 (entrance)
    └─ tcp://sensor-3.fleet.tunnel.localport.dev:25003  → Sensor 3 (loading dock)
```

One mesh tunnel. One token. Every device individually addressable.

## Deployment steps

### 1. Create a mesh tunnel

In the dashboard, create a mesh tunnel for your fleet. You get a single token that all devices share.

### 2. Install on each device

```bash
curl -fsSL https://get.localport.dev | sh
localport http 8080 --token FLEET_TOKEN --name $(hostname)
```

Using `$(hostname)` means each device automatically uses its hostname as its mesh name. You can also hardcode names if you prefer.

### 3. Set up as a system service

```bash
sudo tee /etc/systemd/system/localport.service << 'EOF'
[Unit]
Description=Localport IoT Tunnel
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/localport http 8080 --token FLEET_TOKEN --name %H
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl enable --now localport
```

The `%H` in the systemd unit expands to the machine's hostname.

## Addressing devices

Each device gets:

- **HTTP URL**: `https://[name].[tunnel-subdomain].tunnel.localport.dev`
- **TCP port** (if using the `tcp` protocol): `tcp://[name].[tunnel-subdomain].tunnel.localport.dev:[port]`

Your monitoring system, scripts, or dashboards just need to know the naming convention. No IP tracking, no port spreadsheets.

## Reconnection behavior

Network hiccups happen in the field. When a device reconnects within 60 seconds, it gets the same address back — same port, same subdomain. Your monitoring dashboards don't need to update.

If the device is offline longer than 60 seconds, it gets a new port but keeps its name-based subdomain.

> [!TIP] Design for reconnection
> Name your devices predictably (by hostname, serial number, or location). Even if a port changes, the subdomain based on the name stays consistent.

## Security

- **No inbound ports** on devices — all connections are outbound
- **IP whitelisting** (all plans) — restrict who can reach your devices
- **Token-based auth** — revoke access from the dashboard without touching devices
- **URLs are not discoverable** — you need to know the address to connect

## Next steps

- [Mesh Tunnels](/docs/mesh-tunnels) — Technical details of mesh mode
- [Homelab Guide](/docs/homelab) — For self-hosted setups at home