Locked Tunnels (mTLS)

Lock your tunnels to devices you trust with mutual TLS. Issue per-device certificates, revoke them instantly, and block everyone else at the door.

A locked tunnel only accepts connections from devices you've personally approved. Every connection is verified with a cryptographic certificate — think of it as a keycard for your service. No keycard, no entry. Lose a laptop? Revoke its keycard from the dashboard and it's locked out instantly.

This is mutual TLS (mTLS), the same technology banks and governments use to secure their internal systems. Localport makes it a single toggle.

When to use a locked tunnel

Locked tunnels are for anything where "public URL plus a password" isn't enough:

  • Industrial IoT — Factory sensors and gateways that must only talk to your systems
  • Regulated data — Healthcare, finance, or any workflow that needs auditable device identity
  • Personal security — Your homelab, reachable only from devices you own
  • Shared services — A dev API that only teammates' laptops can hit, even when the URL leaks
  • Zero-trust setups — Replacing VPNs with identity-checked tunnels

How it works, in plain English

1. You create a trust anchor. Localport generates a private certificate authority for your tunnel — a digital seal only you control.

2. You issue certificates. For each device, laptop, or service that should have access, you issue a certificate signed by that authority. You download it once and install it on the device.

3. Only holders of a valid certificate connect. When a device tries to open the tunnel, Localport checks its certificate against your trust anchor. Match? Allow. No match? Rejected.

4. You can revoke anytime. If a device is lost, compromised, or retired, revoke its certificate from the dashboard. The next time it tries to reconnect, it's blocked — no matter what.

All of this happens at the tunnel gateway, before any traffic reaches your service. Your app doesn't need a single line of code changed.

Turning it on

1. Enable mTLS on a tunnel

In the dashboard, open your tunnel's settings and toggle Require client certificate. Localport generates a tunnel-specific certificate authority for you — the private key is encrypted at rest and never exposed.

2. Issue a certificate for each device

Click Issue certificate, give the device a name (e.g. alice-laptop, sensor-42), and pick how long it should be valid. Download the bundle — you'll get either:

  • A PEM bundle (client.crt + client.key), or
  • A PKCS#12 file (.p12) for platforms that prefer it

Install the certificate on the device. For the Localport CLI:

localport http 8080 \
  --token YOUR_TUNNEL_TOKEN \
  --client-cert ./client.crt \
  --client-key ./client.key

For third-party TLS clients, point them at the same files.

3. Revoke when needed

Go back to the dashboard and click Revoke on any certificate. The change is live immediately — if the device is currently connected, its next reconnect attempt fails. If it's offline, it will fail the moment it tries.

Certificates expire, and that's a feature

Short-lived certificates (30–90 days) mean a stolen credential doesn't stay useful forever. Rotate them routinely; the dashboard shows you what's expiring next.

Works with any service

Locked tunnels are transparent to your application. Your web server, database, IoT broker, or custom TCP service stays exactly as it is — Localport handles certificate verification at the tunnel edge.

Supported on:

  • HTTPS tunnels — Browsers and curl prompt for a client certificate; devices provide one automatically
  • TCP and TLS tunnels — Every connection must present a valid certificate before a single byte reaches your service

Requests without a valid certificate are refused at the gateway. Plain HTTP requests are rejected with a clear error. Revoked or expired certificates are denied even after a successful network handshake.
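The flow described under "How it works", the issue/revoke steps, the expiry note and the gateway-side refusal above, carried through end to end. This is an added example written for this page against Go's standard library, not Localport's own code: the tunnel CA, the device names (alice-laptop, sensor-42), the serial numbers and the in-memory revocation set are all constructed here, and the gateway's real revocation store and encrypted CA key are stood in for by plain Go values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint generates a P-256 key and signs tmpl with parentKey; a nil parent means self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds the per-tunnel trust anchor (a constructed CA; the real service keeps this key encrypted at rest).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "tunnel-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueDevice signs a client certificate for one named device. The serial number is what
// revocation keys on (the issuer must never reuse one); the returned key is what client.key would hold.
func issueDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, serial int64, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// Gateway is the tunnel edge: one trusted CA plus the revoked serials (an in-memory stand-in for the dashboard's list).
type Gateway struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewGateway(ca *x509.Certificate) *Gateway {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Gateway{roots: pool, revoked: map[string]bool{}}
}

// Revoke blocks one device by serial without touching any other.
func (g *Gateway) Revoke(cert *x509.Certificate) { g.revoked[cert.SerialNumber.String()] = true }

// Admit is the decision taken before any byte reaches the service: the certificate must chain
// to the tunnel CA, be inside its validity window at now, carry the client-auth usage, and not
// be revoked. It runs on every handshake, so a revocation bites at the device's next attempt.
func (g *Gateway) Admit(cert *x509.Certificate, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       g.roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("rejected %q: %w", cert.Subject.CommonName, err)
	}
	if g.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("rejected %q: certificate revoked", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, caKey, _ := newCA()
	gw := NewGateway(ca)
	laptop, _, _ := issueDevice(ca, caKey, "alice-laptop", 2, 30*24*time.Hour)
	sensor, _, _ := issueDevice(ca, caKey, "sensor-42", 3, 30*24*time.Hour)
	gw.Revoke(laptop) // the laptop was lost: only serial 2 is blocked
	fmt.Println("laptop:", gw.Admit(laptop, time.Now()))
	fmt.Println("sensor:", gw.Admit(sensor, time.Now()))
	fmt.Println("sensor on day 31:", gw.Admit(sensor, time.Now().Add(31*24*time.Hour)))
}
```

In a real listener, Admit sits behind Go's tls.Config with ClientAuth set to tls.RequireAndVerifyClientCert, ClientCAs set to the same pool, and Admit called from the VerifyPeerCertificate hook, so the chain check fails the handshake itself and the revocation check is repeated on every reconnect. Keeping revocation keyed on the serial number is what lets one lost laptop be blocked while every other device issued by the same CA keeps working, and the short ttl means a certificate that was never revoked still stops working on its own.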

What you control

  • Your certificate authority stays yours. Localport never uses it for anything besides verifying connections to your tunnels. Private keys are encrypted with a key you can rotate.
  • Granular revocation. Revoke a single device without touching any other.
  • Audit trail. Every certificate issuance, connection, and revocation is logged in the dashboard.
  • Full lifecycle. Issue, download, expire, renew, revoke — all from one place.

Requirements

  • Pro plan or higher for locked tunnels
  • One certificate per device or client (issued in seconds from the dashboard)

Use cases

  • Homelab — Lock Home Assistant, Proxmox, or a private Jellyfin to your phone and laptop only
  • IoT fleets — Identify every device individually and revoke the ones you retire
  • Internal APIs — Expose a staging API to your team without exposing it to the internet
  • Partner integrations — Give a specific customer a certificate they can't share
  • Regulated workloads — Meet device-identity requirements without standing up a PKI