Skip to content

Your localhost, over the internet.

Give anything on your machine a secure public link in one command. HTTP, TCP, TLS, and mTLS tunnels that work behind NAT, CGNAT, and corporate firewalls. No port forwarding. No router config. No exposed IP.

localport
$

Private by default

Your traffic is yours. Three ways we prove it.

Most tunnels either read your traffic or hide what runs on your machine. Localport does neither, and you don't have to take our word for it.

Open-source agent

The agent that runs on your machine is open source. Read it, build it yourself, and see what touches your network before you trust it.

View the agent

Locked tunnels

Turn on mutual TLS in one click. Only devices holding a certificate you issued get in, every request is verified, and you revoke any one of them in seconds.

How it works

Zero inspection

We never read your payloads, log them, or train on them. Traffic passes straight through and stays yours, in the region you choose.

Our privacy stance

Made for individuals, teams, and enterprises.

Developers

Share what you build in one command.

Test Stripe and Twilio webhooks against the code on your laptop, no staging deploy. Share a feature branch or a vibe-coded prototype over a live link anyone opens on their phone, and give every pull request its own preview URL in CI.

IoT and device teams

Reach every device by name.

Give a whole fleet one token and reach each device by name, even behind CGNAT, double NAT, or cellular. Lock every device with its own mTLS certificate and revoke access in one click.

Homelabbers

Your homelab, reachable from anywhere.

No port forwarding, no dynamic DNS, no exposed home IP. Point your own domain at Jellyfin, Proxmox, or Home Assistant and get HTTPS every browser trusts. Works behind CGNAT and double NAT.

Enterprises

Zero trust tunnels. Flat team pricing.

Mutual TLS locks tunnels to trusted devices: no certificate, no connection. Your security team can read the open-source agent before it reaches a single machine. One flat $20/mo billed yearly covers the whole team, 5 developers or 50, and we never inspect your traffic.

Standard

A public HTTPS link for anything you run.

Name Data Endpoint My App 15 MB https://myapp.eu.localport.dev Copied Ollama 712 MB Connect Minecraft 5 GB Connect
Region EU Custom Domain None
Inbound IP Whitelist 203.0.113.4, 198.51.100.0/24
HTTP Protection
Force HTTPS Basic Auth
localport
https://myapp.eu.localport.dev → localhost:3000

Run anything on a local port and get a public HTTPS link you control. It carries HTTP, TCP, and TLS with browser-trusted certificates out of the box, and you gate access with IP rules and a password. The address stays yours between restarts, so webhooks and teammates never hit a dead URL.

IP allowlistBasic authForce HTTPSCustom domainPick your region
Learn more

Locked · mTLS

Only the devices you trust get in. Pro

Server
Firmware Update
Laptop
SSH Session
Mutual TLS (mTLS) Enabled
Enable mTLS
CA Fingerprint b55277a731a901e8b3c1… Active Certs 0 1 2 Issue Certificate
Name Status Actions Deployment Server Active Revoke Laptop Active Revoked Revoke
localport
3 Devices Connected

Each tunnel gets its own certificate authority. Hand a certificate to every device you trust, and everyone else is turned away before they reach your service. Localport checks the certificate on every request, and you revoke a device in one click. No SDK, no code changes.

Private CA per tunnelVerified every requestRevoke in one click

Mesh

Every device gets its own address.

PLC TCP tcp://plc.warehouse.mydomain.com:44021 Disconnect
Temperature Sensor HTTP https://temp.warehouse.mydomain.com Disconnect
MQTT Broker TLS tls://mqtt.warehouse.mydomain.com:47810 Disconnect
Sound Sensor TCP tcp://sound.warehouse.mydomain.com:52114 Disconnect
localport
PLC
localport
Connected
localport
SCADA

One token serves a whole fleet. Attach a wildcard domain once and every device answers at its own name on your domain — even behind CGNAT or a cellular modem, HTTP, TCP and TLS alike. One box can run several devices, and adding one never touches a router or a config file.

One token, whole fleetYour domain, every deviceMixed protocols
Learn more

Shared

One URL for the whole team. It never moves.

POST /webhooks/payment
https://mywebhook.eu.localport.dev Disconnect all
alice-mac Disconnect
bob-pc Set Primary Disconnect
chad-linux Set Primary Disconnect
localport
Alice's terminal Webhook received
localport
Bob's terminal Webhook received
localport
Chad's terminal Webhook received

Register the webhook once and never touch it again. A shared tunnel hands your whole team one permanent URL, so every teammate receives the same request the moment it lands. No per-developer tunnels, and no replaying events to chase.

One permanent URLSame payload to everyoneLive for every teammate
Learn more

What's included on every plan.

Flat team pricing from $5/mo billed yearly ($6 month-to-month). No per user fees. No surprise overages.

HTTP, TCP, TLS Tunnels
Forward web apps, APIs, databases, SSH, game servers, and custom sockets over HTTP, TCP, or TLS. Add mutual TLS on Pro.
Automatic HTTPS
Every web tunnel gets a real certificate that every browser trusts. No Let's Encrypt configs. No certificate warnings.
Inspectable Agent
The binary that runs on your machine has its source on GitHub. Read it, build it from scratch, verify what touches your network.
Live Dashboard
Watch tunnels come online. See connections, bandwidth, and live activity without opening an SSH session.
No Port Forwarding
Your machine makes one outbound connection, so your router stays closed and your home IP stays hidden. Works behind office firewalls, CGNAT, double NAT, and cellular hotspots. If it lets you browse the web, it lets you tunnel.
Static Subdomains and Reserved Ports
Reserve a name and a port so your address never changes between sessions. Webhooks, teammates, game clients, and database tools all reconnect to the same place after every restart.
IP Allowlist
Restrict a tunnel to the IP ranges you trust. Everyone else is turned away before they reach your service.
Password Protection
Put a username and password in front of any HTTP tunnel. Visitors sign in before they reach your app. Included on every plan.
Force HTTPS
Send every visitor to the secure https:// address automatically. One toggle, no config.

Honest comparison

Everything included. Nothing metered.

One flat price buys your whole team real tunnels with nothing metered by usage. HTTP, TCP, TLS, mesh and shared tunnels, generous bandwidth, and every teammate are included, with mutual TLS on Pro. We skip the free tier and spend that money on the paid plans instead. Here is how that stacks up against ngrok, Cloudflare Tunnels, and AWS IoT Core.

Same $20/mo as ngrok, billed yearly. Far more in the box.

Localport Pro gives you 30× the included bandwidth (150 GB vs 5 GB), 50 team members at one flat price instead of $5 per extra seat, and no per-endpoint-hour billing. Even Hobby starts at $5 with 4× the bandwidth of ngrok’s $8 tier.

Swipe to compare →

Feature comparison: Localport vs ngrok, Cloudflare Tunnels, and AWS IoT Core. The feature and Localport columns stay fixed while the others scroll.
LocalportngrokCloudflare TunnelsAWS IoT Core
PricingFlat $5 to $20/mo yearly$8 to $20/mo + usageFree HTTP, then enterprisePer message
Monthly bandwidth20 to 150 GB included1 to 5 GB, then $0.10/GBUnlimited (HTTP)Per message
Team members5 to 50, one flat price1 to 3, then $5/userPer seatIAM users
HTTP, TCP & TLSIncludedTLS on $20 tierHTTP, TCP, SSHMQTT, HTTP
Mutual TLS (mTLS)On Pro, $20/mo$20 tier + usageZero Trust add-onBuilt in
Mesh tunnelsIncludedNot supportedNot supportedThing shadows
Shared tunnelsIncludedNot supportedNot supportedNot supported
Password & IP rulesIncludedPaid tiersZero Trust add-onIoT policies
Open-source agentYes, on GitHubClosed sourcecloudflared (OSS)SDKs only
Payload inspectionNeverOn by defaultProxiedLogged

Access your localhost over the internet. Keep your privacy while you're at it.

Flat team pricing from $5/mo billed yearly. HTTP, TCP, and TLS tunnels on every plan, with mutual TLS on Pro. Works straight through NAT, CGNAT, and corporate firewalls.

Start with a free trial. Cancel any time.

Inspect exactly what runs on your machine.

The Localport agent is the binary that connects your services to our network. Its source lives on GitHub, so you can read every commit, build it from scratch, and verify what touches your network before you ever trust it.