The agent dials out from inside the closed network — no inbound ports, no VPN, no network changes. Manage every device from a single panel. Traffic between agents is end-to-end encrypted.
Five scenarios where remote machines sit behind networks you don’t control.
One account for every client. Hundreds of machines grouped by organization, granular rights, full audit log — no VPN per site.
Servers in cloud, datacenter or behind corporate networks. Open tunnels on demand — no port forwarding, no network changes.
Manage branch infrastructure from one place. No mesh-VPN between sites, no dedicated links — every office reachable from the same panel.
Controllers, terminals and cameras on factories and retail sites. Configure and troubleshoot without travelling to the site.
Hardware keys, licence dongles, lab instruments and meters bound to a machine you can’t reach. Expose the device over the network and connect through an encrypted tunnel — as if it were plugged in locally.
Everything you need for secure remote access to your machines.
Session keys between agents. Even the server can’t see your data — only the encrypted stream.
A single lightweight agent for Linux, Windows and macOS. One-line install, no dependencies.
Invite colleagues, group agents into organizations, manage access rights from a single panel.
Allow tunnels to specific endpoints and ports, restrict by IP, track everything in the audit log.
Package-based plans, per-user and per-organization limits, transparent spending history.
Agent, tunnel and traffic status update instantly. No lag, no manual refreshes.
Subscriptions and traffic are priced in coin; top up coin with euro.
Loading pricing…
Three steps from signup to a working connection.
lro from the panel or install with a single command.
curl -fsSL https://stg.lro.link/install.sh -o lro-install.sh
sh lro-install.sh
Linux and macOS. After exiting the menu, just re-run step 2 — no need to download again. For Windows or offline install, pick an archive below.
Step-by-step guide
lro-linux-x86_64.tar.gz.
Raspberry Pi 4/5 or ARM cloud server: lro-linux-aarch64.tar.gz.
Older Raspberry Pi (Pi 1/2/3, Zero): lro-linux-armv7.tar.gz.
~/Downloads) and extract it.
cd ~/Downloads && tar -xzf lro-linux-*.tar.gz
You will get two files: lro (the agent) and install.sh (the installer).
lro into /usr/local/bin/.
sudo ./install.sh
An interactive menu opens. Pick 1) Install / update binary.
2) Register agent, paste the token, press Enter.
3) Install as service, then 5) Start service. The agent will now start with the system.
lro-macos-aarch64.tar.gz.
Intel Mac: lro-macos-x86_64.tar.gz.
Apple menu → About This Mac shows the chip name.
⌘ Space, type «Terminal»). Go to the folder and extract.
cd ~/Downloads && tar -xzf lro-macos-*.tar.gz
lro can't be opened because the developer can't be verified». Close the dialog, open System Settings → Privacy & Security, scroll to Open anyway, click it, and re-run the installer.
2) Register agent with the token from Agents → Register.
3) Install as service. On macOS this writes a launchd unit; option 5) Start service brings it up.
lro-windows-x86_64.zip from the link above. 64-bit Windows 10/11 only.
lro.exe. Move it to a permanent folder, e.g. C:\Program Files\LRO\ (you may need to confirm a UAC prompt).
powershell, press Enter.
Or: Shift + right-click on the folder → «Open PowerShell window here».
credentials file is created next to lro.exe.
Desktop app with a GUI — register and run from a window, no terminal needed. On macOS first launch: right-click lro-gui → Open (the binary isn't signed, Gatekeeper blocks a plain double-click).
Hands-on walkthroughs, every step shown on real screens — from your first tunnel to access control for a whole team.
Sign up, install two agents, create an endpoint and reach a service end to end.
What each agent role means, which one a machine needs, and how to switch live.
A shell on a box with no public IP, from your laptop — no port forwarding, no VPN.
Turn your account into an org, add teammates and grant access per endpoint.
Attach a flash drive, dongle or hardware key from a remote machine over the network.
General information, common scenarios and the questions our users ask first.
VPN gives you a whole network — heavier setup, network changes on every client. LRO opens an on-demand TCP tunnel from a server-side panel to a specific endpoint.
TeamViewer / AnyDesk are built for showing a desktop to a human; LRO is built for tunneling protocols (SSH, RDP, web, databases) to administrators managing many machines.
ngrok is a dev tool for exposing one local port to the internet. LRO is a multi-tenant platform with organizations, granular permissions and audit log.
No. The agent makes an outbound connection to the LRO core and keeps it open. From the firewall's point of view it looks like ordinary outbound web traffic.
You don't add inbound rules, you don't expose anything to the public internet, you don't touch NAT. If the machine can reach the public internet, LRO works.
Yes. Both agents dial out to the public LRO core. The core relays the encrypted stream between them. Neither side needs a public IP, port forwarding or hole-punching.
Anything that talks TCP: SSH (22), RDP (3389), VNC, HTTP / HTTPS web interfaces of switches / routers / NAS, PostgreSQL / MySQL / Redis, internal APIs, custom binary protocols. The tunnel is a raw TCP pipe — the protocol on top doesn't matter.
No. When end-to-end encryption is enabled for a tunnel, the agents exchange X25519 session keys directly; the core relays an opaque ciphertext between them. Server operators (us) cannot decrypt the payload — only route the encrypted bytes.
The control channel itself is also encrypted (Noise XK / ChaCha20-Poly1305), independently of the tunnel.
Two parts. First, a subscription per agent — a recurring fee that keeps the agent active for a period and includes a traffic bucket; without it the agent cannot open tunnels. Second, traffic beyond that bucket, billed by the byte (about 0.1 coin per GB) from your coin balance or a traffic package.
Pricing is in coin, topped up with real currency. Idle time adds no per-byte traffic cost, but the subscription still applies. Current plans and rates are in the pricing section above.
The agent reconnects automatically with exponential backoff. Tunnels reopen once the agent is back online; active streams that were interrupted return errors to their TCP clients (just like any short network blip would).
The panel shows the agent's online/offline status in real time — you see the drop and the recovery without refreshing.
The idle footprint is small: a few MB of RSS and effectively no CPU when no tunnel is active. Under traffic, CPU scales with throughput (Noise + relay framing). A Raspberry Pi 3 / Zero handles tens of Mbit/s comfortably; on a normal x86 server the agent is rarely the bottleneck.
Panel actions are recorded in an append-only audit log: who opened, changed or closed which tunnel, who granted or revoked which permission, and when — each with the acting user and their IP. Combined with end-to-end encryption (we can't see your traffic) and granular per-user / per-endpoint access rights, LRO supports the usual SOC-2 / ISO-27001 access-control requirements your auditor will ask about.
The hosted SaaS at app.lro.link covers most teams and is the fastest way to start. Self-hosting (on-prem core for closed organisations or high-volume MSPs) is on the roadmap — write to info@lro.link with your use case and we'll discuss timeline and licensing.