Automatic HTTPS
Issued and renewed automatically for every served app. Assigned URLs are yours forever.
Fast, open source, and entirely under your control.
3 tunnels · 2 serving
A public edge server serves your domain and runs
every firewall rule and auth check.
Your app stays on
localhost, reached only through a tunnel it dials
out to.
Whether it's npm run dev or a Compose stack, one command puts the build on a real HTTPS URL that only invited teammates can open—WebSockets and server-sent events included, so hot reload and streaming just work.
$ npm run dev
ready in 312 ms
➜ Local: http://localhost:4321
Smart TVs, e-readers, a friend's phone—devices that can't run a VPN client still reach your apps. And each URL opens exactly one app, so untrusted devices never get whole-network access.
One app per URL—your network stays invisible.
Easier and more secure than accepting inbound connections to your local IP address. Built on the OpenTunnels protocol, with QUIC multiplexing with no head-of-line blocking; it stays fast and low-latency under heavy load.
Choose who can reach each app: people, teams, passwords, API keys, or trusted networks. Everything else stops at the edge.
Block exploit probes, abusive requests, and sensitive paths with reusable HTTP rules before requests reach your machine.
Challenge suspicious traffic at the edge without putting a CAPTCHA in front of every visitor. Set a challenge level per app—from invisible browser proof to a strict human check.
Four challenge levels are available per app: Off, Light adds an invisible browser proof, Standard adds browser-coherence checks, and Strict adds a human reaction test.
See bandwidth, service health, and blocked requests in one place. Know what is happening without assembling another stack.
Inspect live request and response bodies without sending payloads to a third party. Captures stay on your machine.
Attach your own domains to any tunnel and balance traffic across several connectors. DNS, certificates, and failover are handled at the edge.
Leave behind the hidden headaches of traditional reverse tunnel tools.
Issued and renewed automatically for every served app. Assigned URLs are yours forever.
WSS support by default, upgrade requests pass through without special proxy rules.
Durable SSE, live updates and AI responses stay connected from first event to last.
If it listens on a local HTTP port, it is ready for Uplink.
Uplink doesn't replace the stack you've already built—it publishes it, and stands guard in front of it. Your tailnet, Compose files, and services stay exactly as they are.
Your laptop, phone, and home server are meshed together inside a private Tailscale network. Docker keeps running the apps on the server. Uplink tunnels out of the tailnet to a public edge, and outside clients connect in through it.
Open source. MIT license. Host on your hardware or utilize our managed network.
Run your own edge on your own hardware.
Bring your own domain name, DNS configuration, and TLS certificates.
No built-in SSO authentication, bot protection, or advanced analytics.
Preconfigured with seamless SSO authentication and Clickhouse-powered observability.
Bring people in on top of any paid plan. Invite teammates and share your tunnels with the whole team in one click. No extra cost.
Seats are free. You only pay for the plan underneath.
For teams and businesses.
A modern open source transport protocol for secure, high-performance tunnels.
Install Uplink, point it at a local HTTP port, and publish. That's it.