secure remote access for field devices

A secure URL for every device.

Give every field device a cryptographic identity and a private or public URL — without opening a port.

  • no inbound ports
  • mutual TLS
  • zero-knowledge relay
  • one static binary
Outbound only
No firewall holes or exposed device ports.
Per-device identity
Each agent connects with its own certificate.
Payload private
The relay routes passthrough traffic without decrypting it.
Fleet live edge-north-01
camera.shopfloor.tollan.app

TLS passthrough · payload private

online
plc-gateway.tollan.app

mTLS edge rule · IP allowlist

guarded
diagnostics.tollan.app

Basic auth · audit logged

ready
mTLSagent control channel
SNIhostname routing
CI testedtenant isolation
Simple stackfewer moving parts
how it works

Online in three steps

Works behind NAT, CGNAT, and strict firewalls — no inbound ports, no runtime to install, one static binary.

01 — register

Register the device

Add a device in the console and choose how its services are exposed.

02 — install

Run the agent

Download a preconfigured agent or mint an enrollment token, run one installer, and the device connects itself.

03 — reach

Reach it anywhere

The device dials out to the relay; you reach it by hostname. It opens no inbound ports.

Internet users Relay zero-knowledge Device outbound only TLS / SNI mTLS (dials out)
watch the flow

See a device come online — without touching the router.

Watch a device behind NAT dial out and get a working URL: no port forwarding, no VPN concentrator, and one managed route for exactly the service you expose.

  • Why remote access breaks behind NAT and firewalls — in plain terms.
  • Your device dials out, so nothing on your network becomes a public target.
  • What the relay sees, and what it never can.
Watch 6 min
built for fleets, not demos

Boring where it counts. Sharp where it matters.

Per-device PKI

Every device holds its own CA-issued certificate. The private key is generated on the device and never leaves it.

Zero-knowledge passthrough

Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.

Hostname routing

Many devices share one address, demultiplexed by hostname — no port-per-device sprawl.

Fast revocation

Revoke a device and its live tunnels drop in seconds — the relay re-checks certificate status continuously.

Isolated organizations

Every resource belongs to an organization, and the boundary is enforced and adversarially tested in CI.

Gateway fan-out

One agent can expose anything on the device network — cameras, PLCs, gateways — each service behind its own route.

Edge access rules

Attach IP allowlists, basic auth, or mutual-TLS to a route as edge access rules.

Account security

Console accounts get role-based access, optional TOTP two-factor, and an append-only audit trail.

Simple infrastructure

The relay avoids extra queueing layers and keeps the operating model straightforward.

your traffic is yours

The relay never reads your bytes

Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.

Read the security model

Bring your first device online

Free tier, no card required.