Local development · Fleet scale · Global anycast

From localhost to global ingress

TunnelTug scales from a single developer tunnel to geo-distributed anycast production ingress. Start with a local demo; grow into multi-region edges and k3s fleets as traffic rises, all over QUIC and HTTP/3. No VPN for users. No open inbound ports on your laptop.

Get startedDocumentationContainer hubGitHub

One path from demo to production

Develop locally

Run a client on your machine. Share a public HTTP/3 URL for demos, webhooks, mobile testing, and pair programming, without punching holes in your network.

Scale the fleet

Grow into load-balanced tunnel barges on k3s. Rolling updates keep capacity online while you ship. Snapshots restore tunnel inventory after restarts.

Go global

Put geo-distributed anycast on the edge: health-gated BGP, split-horizon DNS, and multi-region ingress. Same product model, production footprint.

Built for the whole journey

🔗

Instant public URLs

Point a client at your local port and open myapp.tunneltug.com. Ideal from first demo through production cutover.

QUIC + streaming ingress

A QUIC control channel and streaming-friendly HTTP/3 keep long-lived connections, uploads, SSE, and WebSockets working the way you expect.

📡

HTTP/3 at the edge

Public edges speak HTTP/3 where available, with automatic certificates in production so you spend time on the app, not TLS plumbing.

⚖️

Load-balanced barges

Add capacity behind a load balancer. Tunnel servers register themselves; traffic spreads across the fleet as demand grows.

🧩

k3s fleets

Run tunnel and product capacity as managed fleets on k3s. Rolling updates keep most of the fleet online while you ship a new release.

🌐

Geo-distributed anycast

Multi-region production ingress with health-gated BGP announce and withdraw. When a PoP is unhealthy, traffic shifts with no manual DNS surgery.

📦

Private image hub

Publish and pull container images for TunnelTug and 0Trust services from hub.tunneltug.com. Public pull; authenticated push.

🔏

Signed fleet releases

Fleet configurations and image digests are cryptographically bound so you can confirm capacity is running the build you intended.

🔐

Passkey sign-in

The dashboard uses 0Trust identity with passkeys and device-bound sessions. Tunnel secrets are generated for you, never pasted in by hand.

1 tunnels registered · edge control at tunnel.tunneltug.com

How it works

Visitors hit a public HTTP/3 edge. TunnelTug carries the request over a QUIC control tunnel to your laptop in development, or through fleets and anycast edges in production.

How TunnelTug works: browser to edge to fleet to localhost

Public face on tunneltug.com · control at tunnel.tunneltug.com · images at hub.tunneltug.com · anycast when you need global ingress

Start in two steps

1. Sign in

Create an account, copy your tunnel secret from the dashboard, and pick a subdomain.

Open dashboard

2. Run the client

tunneltug -mode client \\
  -server tunnel.tunneltug.com \\
  -domain tunneltug.com \\
  -subdomain myapp \\
  -local 3000 \\
  -token \"$TUNNELTUG_TOKEN\"

Then open https://myapp.tunneltug.com. Grow into fleets and anycast when you are ready. Read the docs →