A secure URL for every device.
Give every field device a cryptographic identity and a private or public URL — without opening a port.
- no inbound ports
- mutual TLS
- zero-knowledge relay
- one static binary
- Outbound only
- No firewall holes or exposed device ports.
- Per-device identity
- Each agent connects with its own certificate.
- Payload private
- The relay routes passthrough traffic without decrypting it.
TLS passthrough · payload private
mTLS edge rule · IP allowlist
Basic auth · audit logged
Online in three steps
Works behind NAT, CGNAT, and strict firewalls — no inbound ports, no runtime to install, one static binary.
Register the device
Add a device in the console and choose how its services are exposed.
Run the agent
Download a preconfigured agent or mint an enrollment token, run one installer, and the device connects itself.
Reach it anywhere
The device dials out to the relay; you reach it by hostname. It opens no inbound ports.
See a device come online — without touching the router.
Watch a device behind NAT dial out and get a working URL: no port forwarding, no VPN concentrator, and one managed route for exactly the service you expose.
- Why remote access breaks behind NAT and firewalls — in plain terms.
- Your device dials out, so nothing on your network becomes a public target.
- What the relay sees, and what it never can.
Watch 6 min
Boring where it counts. Sharp where it matters.
Per-device PKI
Every device holds its own CA-issued certificate. The private key is generated on the device and never leaves it.
Zero-knowledge passthrough
Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.
Hostname routing
Many devices share one address, demultiplexed by hostname — no port-per-device sprawl.
Fast revocation
Revoke a device and its live tunnels drop in seconds — the relay re-checks certificate status continuously.
Isolated organizations
Every resource belongs to an organization, and the boundary is enforced and adversarially tested in CI.
Gateway fan-out
One agent can expose anything on the device network — cameras, PLCs, gateways — each service behind its own route.
Edge access rules
Attach IP allowlists, basic auth, or mutual-TLS to a route as edge access rules.
Account security
Console accounts get role-based access, optional TOTP two-factor, and an append-only audit trail.
Simple infrastructure
The relay avoids extra queueing layers and keeps the operating model straightforward.
Docs that read like an engineer wrote them
Quickstart, a full console guide, the wire protocol, and an ESP32/Arduino device library — all at docs.tollan.ie.
Ship your first tunnel
Register a device, install the agent, and expose a service end to end — in a few minutes.
embeddedESP32 & Arduino library
A device-side agent for microcontrollers, kept wire-compatible with the rest of the fleet.
protocolThe tollan.v1 wire protocol
One authenticated connection, a handful of frames. Every agent implements it for you.
The relay never reads your bytes
Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.
Read the security modelSimple, device-based pricing
Transparent pricing for teams running remote access across real field fleets.