Ship local services. Public, secure, instant.
One command turns any localhost port into a globally-routable, TLS-terminated, auth-gated endpoint. No firewall changes. No DNS dance. No bastion hosts.
From a port number to a public URL — in under a second.
No configs to write. No certs to renew. No tunnels to babysit. tGate negotiates TLS at the edge, registers the route in our control plane, and propagates it to every PoP before your terminal prompts you again.
- ✓ Auto TLS: Let's Encrypt + custom CAs. Wildcard, SAN, ACME-DNS — all handled.
- ✓ Sticky URLs: Re-running tgate keeps your old URL. CI hashes stay stable.
- ✓ Connection draining: Roll restarts without dropping in-flight requests.
nginx -c /etc/nginx/proxy.conf
certbot --nginx -d api.example.com
ufw allow 80,443/tcp
systemctl restart nginx
HTTP, gRPC, WebSocket, raw TCP — same single binary.
Most tunneling tools punt on anything that isn't HTTP/1.1. tGate speaks HTTP/3 with QUIC, terminates mTLS, proxies raw TCP and UDP, and passes through Postgres, Redis and MySQL wire protocols without surprises.
- ✓ HTTP/3 first: QUIC by default; fall back to /2 and /1.1 transparently.
- ✓ Bidirectional streams: WebSockets and gRPC streams up to 24 hours.
- ✓ TCP + UDP: Tunnel non-HTTP services with the same auth & policy stack.
Replace 80 lines of YAML with one CLI invocation.
No more bastion hosts, reverse-proxy configs or cert-manager incantations.
apiVersion: v1
kind: Service
metadata:
  name: api-proxy
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 3000
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: { name: api-tls }
spec:
  secretName: api-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames: [api.example.com]
# ...60 more lines

$ tgate run :3000 \
    --domain api.t.gate \
    --auth oidc
✓ Tunnel live · TLS · OIDC
https://api.t.gate → :3000
Press Ctrl+C to stop.

Production-grade by default.
Every tunnel ships with the full edge feature set — no add-ons, no surprise bills.
mTLS everywhere
Mutual TLS between client, edge, and origin. Rotate certs without downtime.
tgate run :3000 --mtls

Edge cache
Cache GET responses at the PoP closest to each user. Purge by tag in < 50ms.
Cache-Control: edge-max-age=60

DDoS shield
L3/4 absorption + L7 rate limiting. Includes WAF rule pack.
policy: shield/strict

Geo routing
Pin tunnels to regions or split traffic by user country.
regions: [fra1, iad1]

Replay & inspect
Every request is loggable, replayable and diffable from the dashboard.
tgate replay rq_8x2...

Traffic mirroring
Fork live prod traffic to staging without affecting users.
mirror: staging-tunnel

38 PoPs, single anycast IP.
Tunnels surface on the same /24 anycast IP everywhere. Your users hit the closest PoP via BGP — no GeoDNS, no broken IP allowlists, no surprise re-routes during failover.
- ✓ Single IP for allowlists: One CIDR for your customers' firewalls forever.
- ✓ Sub-50ms to 95% of users: Backed by direct peering with Tier-1 carriers.
- ✓ Automatic failover: Region degradation drains in 4s and shifts traffic up-stack.
We replaced 4 ngrok subscriptions, 2 LBs, our cert-manager setup and 600 lines of Terraform with tGate. Onboarding for new engineers went from a half-day to one command.
Tunnel anything. Ship everywhere.
Start with a single command. Scale to a multi-region production deploy without changing it.