TunnelTug scales from a single developer tunnel to geo-distributed anycast production ingress β with multi-PoP product stacks and kernel replication so every edge keeps local data and stays in sync. QUIC and HTTP/3 end to end. No VPN for users. No open inbound ports on your laptop.
Run a client on your machine. Share a public HTTP/3 URL for demos, webhooks, mobile testing, and pair programming, without punching holes in your network.
Grow into load-balanced tunnel barges on k3s. Rolling updates keep capacity online while you ship. Snapshots restore tunnel inventory after restarts.
Geo-distributed anycast: health-gated BGP, split-horizon DNS, and multi-region ingress. Same product model, production footprint.
Multi-PoP stacks keep local embeds for speed. Kernel replication peers stream service data across regions β scale ingress, not a single remote DB.
Point a client at your local port and open myapp.tunneltug.com. Ideal from first demo through production cutover.
A QUIC control channel and streaming-friendly HTTP/3 keep long-lived connections, uploads, SSE, and WebSockets working the way you expect.
Public edges speak HTTP/3 where available, with automatic certificates in production so you spend time on the app, not TLS plumbing.
Add capacity behind a load balancer. Tunnel servers register themselves; traffic spreads across the fleet as demand grows.
Tunnel engines and product barges as managed k3s fleets. Stack YAML or site config β no kubectl required.
Multi-region production ingress with health-gated BGP announce and withdraw. When a PoP is unhealthy, traffic shifts with no manual DNS surgery.
Describe multi-PoP sites in YAML or Junos-like set language. One -config file wires domain, stack, anycast, and kernel peers.
ultimate_db / keystore barges are replication peers. Products keep local embeds; AddPeer for live sync across global ingresses.
Publish and pull images from hub.tunneltug.com. Public pull; authenticated push. Config builder on each catalog card.
Fleet configurations and image digests are cryptographically bound so you can confirm capacity is running the build you intended.
The dashboard uses 0Trust identity with passkeys and device-bound sessions. Tunnel secrets are generated for you, never pasted in by hand.
HA barge fleets, global anycast + multi-PoP mesh, vhost failover, and image integrity patterns β see Architectures.
1 tunnels registered Β· edge control at tunnel.tunneltug.com
Visitors hit a public HTTP/3 edge. TunnelTug carries the request over a QUIC control tunnel to your laptop in development, or through fleets and anycast edges in production. Multi-PoP stacks replicate service data through the kernel mesh.

Public face on tunneltug.com Β· control at tunnel.tunneltug.com Β· images at hub.tunneltug.com Β· site config for multi-PoP Β· anycast when you need global ingress
Create an account, copy your tunnel secret from the dashboard, and pick a subdomain.
Open dashboardtunneltug -mode client \\ -server tunnel.tunneltug.com \\ -domain tunneltug.com \\ -subdomain myapp \\ -local 3000 \\ -token \"$TUNNELTUG_TOKEN\"
Then open https://myapp.tunneltug.com. Grow into fleets, site config, and anycast when you are ready. Read the docs β Β· Architectures β Β· Hub config builder β