TunnelTug gives every developer a stable HTTPS URL for work running on their machine. No VPN install for your users. No open inbound ports on your laptop. Just a small client and a shareable link.
Point a client at your local port and open myapp.tunneltug.com. Ideal for demos, webhooks, mobile testing, and pairing with teammates.
A QUIC control channel and streaming-friendly HTTPS keep long-lived connections, uploads, and WebSockets working the way you expect.
Public edges speak HTTP/3 where available, with automatic certificates in production so you spend time on the app—not TLS plumbing.
Add capacity behind a load balancer. Tunnel servers register themselves and traffic spreads across the fleet.
Run tunnel capacity as a managed fleet on k3s. Rolling updates keep most of the fleet online while you ship a new release.
Publish and pull container images for TunnelTug and 0Trust services from hub.tunneltug.com. Anyone can pull; only signed-in operators can push.
Fleet configurations and image digests are cryptographically bound so you can confirm capacity is running the build you intended.
State snapshots help fleets recover tunnel inventory after restarts. Clients reconnect automatically.
The dashboard uses 0Trust identity with passkeys and device-bound sessions. Tunnel secrets are generated for you—never pasted in by hand.
1 tunnels registered · edge control at tunnel.tunneltug.com
Visitors hit a public HTTPS URL. TunnelTug carries the request over a QUIC control tunnel to the app running on your machine.

Public face on tunneltug.com · control at tunnel.tunneltug.com · images at hub.tunneltug.com
Create an account, copy your tunnel secret from the dashboard, and pick a subdomain.
Open dashboardtunneltug -mode client \\ -server tunnel.tunneltug.com \\ -domain tunneltug.com \\ -subdomain myapp \\ -local 3000 \\ -token \"$TUNNELTUG_TOKEN\"
Then open https://myapp.tunneltug.com. Read the docs →