Skip to content
Every protocol. Every routing mode. Every plan.

One tool. Every protocol.

HTTP, TCP, and TLS tunnels. Three routing modes. Automatic HTTPS, reserved addresses, IP allow lists, password protection, and mutual TLS. The agent is open source, and we never read your traffic.

Get Started See pricing
  • Open-source agent
  • No payload inspection
  • EU data residency
  • Works behind CGNAT

Protocol support

Tunnel anything you run.

Web apps, databases, game servers, encrypted sockets. Pick the protocol that fits and keep the same command.

Most used

HTTP & HTTPS

Web apps and APIs, live in one command.

A real TLS certificate every browser trusts, issued automatically. Both HTTP and HTTPS URLs out of the box. Works with React, Next.js, Django, Rails, Flask, and anything else that serves HTTP.

$ localport http 3000 --token tok_abc123
https://abc123.tunnel.localport.dev
Client demosWebhook testingOAuth callbacksCI/CD previewsMobile QA

TCP

Anything that speaks raw TCP.

Databases, game servers, SSH, Redis, MQTT, custom protocols. Each tunnel gets a dedicated port you can reserve, so clients always reconnect to the same address.

$ localport tcp 5432 --token tok_abc123
tcp://abc123.tunnel.localport.dev:47266
Game serversDatabase accessSSHHome automation

TLS

End-to-end encrypted passthrough.

Traffic reaches your service fully encrypted. Localport never sees the plaintext. Ideal when your service owns its own certificates, runs mTLS, or has compliance rules to meet.

$ localport tls 443 --token tok_abc123
tls://abc123.tunnel.localport.dev:47266
Own your certsZero trustComplianceService mesh

Routing modes

One device or a thousand.

The same tunnel decides how traffic reaches your clients. Switch modes without changing your setup.

auto TLSallowlistencryptedusage capsmTLSHTTPSHTTPSTCPTCPTLSTLShttps://myapp.tunnel.localport.devtcp://myapp.tunnel.localport.devtls://myapp.tunnel.localport.devlocalhost

Default

Standard

One tunnel, one URL. The fastest way to share a dev server, test a webhook, or host a game server.

  • One command, one public link
  • Static subdomain keeps the URL stable
auto TLSencryptedmTLSallowlistusage capsHTTPSHTTPSTCPTLSTCP

IoT & fleets

Mesh

One tunnel, many devices. Every device that joins gets its own subdomain and port, reachable by name from anywhere.

  • Name a device once, reach it for good
  • Mixed protocols on a single mesh
auto TLSencryptedmTLSallowlistusage capshttps://notification.localport.dev/webhook/Developer 1Developer 2Developer 3

Teams & webhooks

Shared

One tunnel, the whole team. Every incoming request is broadcast to all connected clients at once. One responder you pick sends the reply.

  • Everyone gets the same payload live
  • Swap the active responder in a click
Your tunnel CA
issues certs
Edge verifies on every connection
laptop.cert
connected
sensor-01.cert
connected
old-laptop.cert
revoked
no certificate
blocked
client mTLS · ECDSA P-256 edge
Pro

Locked tunnels

Only the devices you trust get in.

Turn on mutual TLS with a single toggle. Each device carries a certificate you issued, and the edge checks it on every connection. No certificate, no connection. Lose a device and you revoke it in seconds.

  • Issue and revoke client certificates from the dashboard
  • No certificate, no connection. Enforced at the edge.
  • No SDK and no code changes to your service
  • Works on standard, mesh, and shared tunnels
How it works Talk to sales

Platform

Built to run in production.

Everything below is included on a flat team plan. No per-seat fees, no metered surprises.

Automatic HTTPS

Every HTTP tunnel gets a real certificate every browser trusts. No setup, no Let's Encrypt config.

Static subdomains

Reserve a subdomain so your URL stays the same across every session and restart.

Reserved ports

TCP and TLS tunnels keep a dedicated port, so clients always reconnect to the same address.

Custom domains

Point your own domain at a tunnel. CNAME it once and traffic flows to your machine.

IP allow lists

Restrict a tunnel to the IP ranges you trust. Everyone else is turned away at the edge.

Password protection

Put a username and password in front of any HTTP tunnel. Visitors sign in before they reach your app. Free on every plan.

Force HTTPS

Send every visitor to the secure https:// address automatically. One toggle, free on every plan.

Mutual TLS

Lock a tunnel to devices holding a certificate you issued. Revoke any of them instantly.

Auto reconnect

Network drops? The agent reconnects and reclaims its address automatically.

Live dashboard

Watch connections, bytes transferred, and request counts per tunnel in real time.

Team management

Organise tunnels by team, invite members, and control access from the dashboard.

Multi-region edge

Edge servers across regions. Connect to any one and get routed to the closest.

EU data residency

Account, billing, and tunnel data is stored in the EU. Traffic stays in the region you pick.

Cross-platform

One binary for macOS (Intel and Apple Silicon), Linux (x64 and ARM), and Windows.

Agent on GitHub

Read every line that touches your network.

The Localport agent is the binary that runs on your machine and tunnels your traffic. Its source lives on GitHub, so you can read it, build it from scratch, and audit the protocol before it ever connects.

When a tool sits between your machine and the internet, transparency matters. The hosted edge stays a managed service so your tunnels just work.

View on GitHub
$ git clone https://github.com/pvkas/localport
$ cd localport && go build ./cmd/client/
Single binary. Zero runtime dependencies. Reproducible builds.

Put it all to work.

Open-source agent. Flat team pricing from $5/mo. Upgrade to Pro when you need mutual TLS or higher limits. Cancel any time.

Get started free Compare plans Read the docs