HTTP, TCP, TLS, and mTLS tunnels with three routing modes, automatic HTTPS,
reserved addresses, IP allow lists, and password protection. The agent is open
source, we never inspect your traffic, and your tunnels stay in the region you choose.
Everything below is included on a flat team plan. No per-seat fees, no metered surprises.
Security & compliance
Multi-Region
Servers in multiple regions, so you can run tunnels close to you and your users.
EU Data Residency
Account, billing, and tunnel data is stored in the EU. Traffic stays in the region you pick.
Mutual TLS
Lock a tunnel to devices holding a certificate you issued. Revoke any of them instantly.
IP Allowlist
Restrict a tunnel to the IP ranges you trust. Everyone else is turned away before they reach your service.
Addresses & encryption
Custom Domains
Point your own domain at a tunnel. CNAME it once and traffic flows to your machine.
Automatic HTTPS
Every HTTP tunnel gets a real certificate every browser trusts. No setup, no Let's Encrypt config.
Static Subdomains
Reserve a subdomain so your URL stays the same across every session and restart.
Reserved Ports
TCP and TLS tunnels keep a dedicated port, so clients always reconnect to the same address.
Operations & team
Password Protection
Put a username and password in front of any HTTP tunnel. Visitors sign in before they reach your app.
Force HTTPS
Send every visitor to the secure https:// address automatically with one toggle.
Auto Reconnect
Network drops? The agent reconnects and reclaims its address automatically.
Live Dashboard
Watch connections, bytes transferred, and request counts per tunnel in real time.
Team Management
Organise tunnels by team, invite members, and control who can access what.
Cross-Platform
One binary for macOS, Linux, and Windows, across Intel, Apple Silicon, and ARM.
Protocol support
Tunnel anything you run.
Web apps, databases, game servers, encrypted sockets. Pick the protocol that fits and keep the same command.
HTTP & HTTPS
Most used
Web apps and APIs, live in one command.
A real TLS certificate every browser trusts, issued automatically. Both HTTP and HTTPS URLs out of the box. Works with React, Next.js, Django, Rails, Flask, and anything else that serves HTTP.
Databases, game servers, SSH, Redis, MQTT, custom protocols. Each tunnel gets a dedicated port you can reserve, so clients always reconnect to the same address.
tcp://abc123.tunnel.localport.dev:47266
Game serversDatabase accessSSHHome automation
TLS
End-to-end encrypted passthrough.
Traffic reaches your service fully encrypted. Localport never sees the plaintext. Ideal when your service owns its own certificates, runs mTLS, or has compliance rules to meet.
tls://abc123.tunnel.localport.dev:47266
Own your certsZero trustComplianceService mesh
Routing modes
One device or a thousand.
Choose how traffic reaches your clients, from one public URL to a whole fleet of named devices. Same agent, same command, three ways to route.
Default
Standard
One tunnel, one URL. The fastest way to share a dev server, demo an app you vibe-coded with Cursor or v0, test a webhook, host a game server, or preview a pull request.
One command, one public link
HTTP, TCP, and TLS with automatic HTTPS
Static subdomain keeps the URL stable
Reserved port for TCP and TLS tunnels
HTTPSHTTPSTCPTLSTCP
IoT & fleets
Mesh
One tunnel, a whole fleet. Connect your devices under one token and reach any of them by name from anywhere, even behind CGNAT or a cellular modem. Built for IoT and distributed hardware.
One URL, the whole team. Point a single webhook at a shared tunnel and every teammate gets the same request at once, with no per-developer tunnels and no replaying events to chase.
All clients get the same request live
Stable subdomain keeps the webhook URL fixed
Pick the active responder from the dashboard
IP rules control who can join and who can send
SENSORGATEWAYSERVERMUTUAL TLS · ECDSA P-256
Server pushes a Firmware Update
Laptop opens an SSH session
Invalid cert, No Connection
Your Hub behind NAT
Pro
Only the devices you trust get in.
Turn on mutual TLS and lock every tunnel to the devices you trust, all managed
from one dashboard. Localport gives each tunnel its own certificate authority, so
only a device holding a certificate you issued can connect, and everyone else is
refused before they reach your service. Onboard a new device, verify it
cryptographically on every request, or revoke its access the moment you need to.
Each tunnel gets its own private certificate authority
Issue a certificate per device, revoke any one instantly
No valid certificate, no connection. Verified on every request
The Localport agent is the binary that runs on your machine and tunnels your
traffic. Its source lives on GitHub, so you can read it, build it from scratch,
and audit the protocol before it ever connects.
When a tool sits between your machine and the internet, transparency matters.
We run the hosted side as a managed service so your tunnels just work.