Ship local services. Public, secure, instant.
One command turns any localhost port into a globally-routable, TLS-terminated, auth-gated endpoint. No firewall changes. No DNS dance. No bastion hosts.
From a port number to a public URL — in under a second.
No configs to write. No certs to renew. No tunnels to babysit. t-Gates negotiates TLS at the edge, registers the route in our control plane, and propagates it to every PoP before your terminal prompts you again.
- ✓Auto TLSLet's Encrypt + custom CAs. Wildcard, SAN, ACME-DNS — all handled.
- ✓Sticky URLsRe-running tgate keeps your old URL. CI hashes stay stable.
- ✓Connection drainingRoll restarts without dropping in-flight requests.
nginx -c /etc/nginx/proxy.conf
certbot --nginx -d api.example.com
ufw allow 80,443
systemctl restart nginx
HTTP, gRPC, WebSocket, raw TCP — same single binary.
Most tunneling tools punt on anything that isn't HTTP/1.1. t-Gates speaks HTTP/3 with QUIC, terminates mTLS, proxies raw TCP and UDP, and passes through Postgres, Redis and MySQL wire protocols without surprises.
- ✓HTTP/3 firstQUIC by default; fall back to /2 and /1.1 transparently.
- ✓Bidirectional streamsWebSockets and gRPC streams up to 24 hours.
- ✓TCP + UDPTunnel non-HTTP services with the same auth & policy stack.
Replace 80 lines of YAML with one CLI invocation.
No more bastion hosts, reverse-proxy configs or cert-manager incantations.
apiVersion: v1
kind: Service
metadata:
name: api-proxy
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: 3000
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: { name: api-tls }
spec:
secretName: api-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames: [api.example.com]
# ...60 more lines$ tgate run :3000 \
--domain api.t.gate \
--auth oidc
✓ Tunnel live · TLS · OIDC
https://api.t.gate → :3000
Press Ctrl+C to stop.Production-grade by default.
Every tunnel ships with the full edge feature set — no add-ons, no surprise bills.
mTLS everywhere
Mutual TLS between client, edge, and origin. Rotate certs without downtime.
tgate run :3000 --mtlsEdge cache
Cache GET responses at the PoP closest to each user. Purge by tag in < 50ms.
Cache-Control: edge-max-age=60DDoS shield
L3/4 absorption + L7 rate limiting. Includes WAF rule pack.
policy: shield/strictGeo routing
Pin tunnels to regions or split traffic by user country.
regions: [fra1, iad1]Replay & inspect
Every request is loggable, replayable and diffable from the dashboard.
tgate replay rq_8x2...Traffic mirroring
Fork live prod traffic to staging without affecting users.
mirror: staging-tunnel38 PoPs, single anycast IP.
Tunnels surface on the same /24 anycast IP everywhere. Your users hit the closest PoP via BGP — no GeoDNS, no broken IP allowlists, no surprise re-routes during failover.
- ✓Single IP for allowlistsOne CIDR for your customers' firewalls forever.
- ✓Sub-50ms to 95% of usersBacked by direct peering with Tier-1 carriers.
- ✓Automatic failoverRegion degradation drains in 4s and shifts traffic up-stack.
We replaced 4 ngrok subscriptions, 2 LBs, our cert-manager setup and 600 lines of Terraform with t-Gates. Onboarding for new engineers went from a half-day to one command.
Tunnel anything. Ship everywhere.
Start with a single command. Scale to a multi-region production deploy without changing it.