Skip to content

Your localhost, on the internet.

HTTP, TCP, TLS, and mTLS tunnels that work behind NAT, CGNAT, and corporate firewalls. No port forwarding. No router config. No exposed IPs. One command and you're live.

Get Started Read the docs Star

macOS, Linux, Windows. Agent source on GitHub.

localport
$

Private by default

Your traffic is yours. Three ways we prove it.

Some tunnel services inspect your traffic by default. Others hide what runs on your machine. Localport never reads your payloads, and the agent source is public on GitHub so your security team can verify exactly what installs. The account and tunnel data we store to run Localport is kept in the European Union.

Inspectable

Public source code

The binary that runs on your machine has its source on GitHub. Read it, build it from scratch, verify exactly what touches your network before you trust it.

View the agent

mTLS

Locked tunnels

Mutual TLS in one click. Only devices holding a certificate you issued can connect. Every request is cryptographically verified, end to end.

How it works

No logs

Zero inspection

We don't read your payloads. We don't log them. We don't train on them. Traffic passes through and stays yours.

Our privacy stance

Who uses Localport

Made for individuals, teams, and enterprises.

Developers

Share a dev server in one command.

Test OAuth callbacks, demo branches to clients, wire up Stripe or Twilio webhooks without deploying to staging. Drop one step into CI to give every pull request a live preview URL. Shared tunnels deliver payloads to every teammate, and static subdomains keep webhook URLs stable across sessions.

IoT and device teams

Reach every device by name.

Mesh tunnels assign each device its own address, like sensor-01.tunnel.localport.dev. Works behind CGNAT, double NAT, and cellular networks. Lock access with mTLS certificates per device and revoke in one click.

Homelabbers

Your homelab, reachable from anywhere.

No port forwarding. No dynamic DNS. No exposed home IP. Point your domain at Jellyfin, Proxmox, or Home Assistant. HTTPS that every browser trusts on every tunnel. Works behind CGNAT and double NAT.

Enterprises

Zero trust tunnels. Flat team pricing.

Mutual TLS locks tunnels to trusted devices. No certificate, no connection. The agent source lives on GitHub so your security team can review what ships to your machines. $20/mo covers the whole team, 5 developers or 50. We never inspect your traffic.

Standard tunnel

A public link for anything you run.

One command turns any local port into a public HTTPS link. Share it, drop it in a webhook, or open it on your phone. The address stays yours, run after run.

  • HTTP, TCP, and TLS on every plan, with browser-trusted HTTPS out of the box.
  • Static subdomains and reserved ports keep the same address every session.
  • IP allow lists, password protection, and one-click mTLS limit who reaches your service.
Learn more
auto TLSallowlistencryptedusage capsmTLSHTTPSHTTPSTCPTCPTLSTLShttps://myapp.tunnel.localport.devtcp://myapp.tunnel.localport.devtls://myapp.tunnel.localport.devlocalhost

Mesh tunnel

Every device gets its own address.

auto TLSencryptedmTLSallowlistusage capsHTTPSHTTPSTCPTLSTCP

One tunnel, one token, a whole fleet. Every device that joins gets its own subdomain and port, reachable by name from anywhere. Grow to dozens of devices without touching config or opening a port.

  • Name a device once, like sensor-1, and reach it by that name for good.
  • One mesh, mixed protocols. Each device speaks HTTP, TCP, or TLS on its own.
  • Gate the mesh with mTLS, then revoke any device in a click.
Learn more

Shared tunnel

One webhook. Everyone on the team.

Point one webhook at a shared tunnel and the whole team gets every payload at once. No more copy-pasting JSON from Slack. One teammate sends the reply, and you choose who from the dashboard in a click.

  • Every teammate receives the same request in real time.
  • A static subdomain keeps your Stripe or GitHub webhook URL stable for good.
  • IP allow lists and mTLS keep out everyone but the provider you expect.
Learn more
auto TLSencryptedmTLSallowlistusage capshttps://notification.localport.dev/webhook/Developer 1Developer 2Developer 3

Locked tunnel

Only the devices you trust get in.

Your tunnel CA
issues certs
Edge verifies on every connection
laptop.cert
connected
sensor-01.cert
connected
old-laptop.cert
revoked
no certificate
blocked
client mTLS · ECDSA P-256 edge
New

Turn on mutual TLS with a single toggle. Each device carries a certificate you issued, and the edge checks it on every connection. No certificate, no connection. Lose a device and you revoke it in seconds.

  • Issue and revoke client certificates from the dashboard.
  • No certificate, no connection. Enforced at the edge.
  • No SDK and no code changes to your service.
  • Works on standard, mesh, and shared tunnels.
Learn more Talk to sales

Every plan

What's included on every plan.

Flat team pricing from $5/mo. No per user fees. No surprise overages.

HTTP, TCP, TLS tunnels
All four protocols, including mTLS. Web apps, APIs, databases, SSH, game servers, custom sockets. Every plan.
Automatic HTTPS
Every web tunnel gets a real certificate that every browser trusts. No Let's Encrypt configs. No certificate warnings.
Inspectable agent
The binary that runs on your machine has its source on GitHub. Read it, build it from scratch, verify what touches your network.
Live dashboard
Watch tunnels come online. See connections, bandwidth, and live activity without opening an SSH session.
No port forwarding
Your machine opens one outbound connection. Your router stays closed. Your home IP stays hidden.
Works behind anything
Office firewalls, dorm Wi-Fi, cellular hotspots, CGNAT, double NAT. If it lets you browse the web, it lets you tunnel.
Static subdomains
Reserve a name so your URL stays the same every session. Webhooks and clients keep working after every restart.
Reserved ports
TCP and TLS tunnels keep a fixed port, so teammates, game clients, and database tools always reconnect to the same address.
IP allow lists
Restrict a tunnel to the IP ranges you trust. Everyone else is turned away at the edge before they reach your service.
Password protection
Put a username and password in front of any HTTP tunnel. Visitors sign in before they reach your app. Free on every plan.
Force HTTPS
Send every visitor to the secure https:// address automatically. One toggle, no config, every plan.
See all plans

Honest comparison

How Localport compares.

Compared head to head with ngrok, Cloudflare Tunnels, and AWS IoT Core.

Feature comparison: Localport vs ngrok, Cloudflare Tunnels, and AWS IoT Core
LocalportngrokCloudflare TunnelsAWS IoT Core
PricingFlat $5 to $20/moFree + $8 to $20/moFree + enterprisePer message
Tunnels included3 to 15 per team1 free, 3+ paidUnlimitedN/A
HTTP, TCP, TLSAll plansTCP/TLS paid onlyHTTP, TCP, SSHMQTT, HTTP
Client transparencyAgent source on GitHubClosed sourceCloudflared on GitHubSDKs only
Mutual TLS (mTLS)Pro ($20/mo)$20/mo + usageZero Trust add onBuilt in
Password protectionAll plansPaid plansZero Trust add onN/A
Mesh tunnelsAll plansNot supportedNot supportedThing shadows
Shared tunnelsAll plansNot supportedNot supportedNot supported
Payload inspectionNeverBuilt inProxiedLogged
Full comparison → See real use cases →

Inspect exactly what runs on your machine.

The Localport agent is the binary that connects your services to the edge. Its source lives on GitHub. Read every commit, build the binary from scratch, and verify what touches your network before you ever trust it. The hosted edge stays a managed service so your tunnels just work.

Star on GitHub Join the Discord

Put your localhost on the internet. Keep your privacy while you're at it.

Flat team pricing from $5/mo. HTTP, TCP, TLS, and mTLS tunnels on every plan. Works straight through NAT, CGNAT, and corporate firewalls.

Get Started Talk to sales

Cancel any time.