Four scenarios where remote machines sit behind networks you don’t control.
One account for every client. Hundreds of machines grouped by organization, granular rights, full audit log — no VPN per site.
Servers in cloud, datacenter or behind corporate networks. Open tunnels on demand — no port forwarding, no network changes.
Manage branch infrastructure from one place. No mesh-VPN between sites, no dedicated links — every office reachable from the same panel.
Controllers, terminals and cameras on factories and retail sites. Configure and troubleshoot without travelling to the site.
Everything you need for secure remote access to your machines.
Session keys between agents. Even the server can’t see your data — only the encrypted stream.
A single lightweight agent for Linux, Windows and macOS. One-line install, no dependencies.
Invite colleagues, group agents into organizations, manage access rights from a single panel.
Allow tunnels to specific endpoints and ports, restrict by IP, track everything in the audit log.
Package-based plans, per-user and per-organization limits, transparent spending history.
Agent, tunnel and traffic status update instantly. No lag, no manual refreshes.
Subscriptions and traffic are priced in coin; top up coin with euro.
Loading pricing…
Three steps from signup to a working connection.
lro from the panel or install with a single command.
curl -fsSL https://lro.link/install.sh -o lro-install.sh
sh lro-install.sh
Linux and macOS. After exiting the menu, just re-run step 2 — no need to download again. For Windows or offline install, pick an archive below.
Step-by-step guide
lro-linux-x86_64.tar.gz.
Raspberry Pi 4/5 or ARM cloud server: lro-linux-aarch64.tar.gz.
Older Raspberry Pi (Pi 1/2/3, Zero): lro-linux-armv7.tar.gz.
~/Downloads) and extract it.
cd ~/Downloads && tar -xzf lro-linux-*.tar.gz
You will get two files: lro (the agent) and install.sh (the installer).
lro into /usr/local/bin/.
sudo ./install.sh
An interactive menu opens. Pick 1) Install / update binary.
2) Register agent, paste the token, press Enter.
3) Install as service, then 5) Start service. The agent will now start with the system.
lro-macos-aarch64.tar.gz.
Intel Mac: lro-macos-x86_64.tar.gz.
Apple menu → About This Mac shows the chip name.
⌘ Space, type «Terminal»). Go to the folder and extract.
cd ~/Downloads && tar -xzf lro-macos-*.tar.gz
lro can't be opened because the developer can't be verified». Close the dialog, open System Settings → Privacy & Security, scroll to Open anyway, click it, and re-run the installer.
2) Register agent with the token from Agents → New agent.
3) Install as service. On macOS this writes a launchd unit; option 5) Start service brings it up.
lro-windows-x86_64.zip from the link above. 64-bit Windows 10/11 only.
lro.exe. Move it to a permanent folder, e.g. C:\Program Files\LRO\ (you may need to confirm a UAC prompt).
powershell, press Enter.
Or: Shift + right-click on the folder → «Open PowerShell window here».
credentials file is created next to lro.exe.
Desktop app with a GUI — register and run from a window, no terminal needed. On macOS first launch: right-click lro-gui → Open (the binary isn't signed, Gatekeeper blocks a plain double-click).
General information, common scenarios and the questions our users ask first.
VPN gives you a whole network — heavier setup, network changes on every client. LRO opens an on-demand TCP tunnel from a server-side panel to a specific endpoint.
TeamViewer / AnyDesk are built for showing a desktop to a human; LRO is built for tunneling protocols (SSH, RDP, web, databases) to administrators managing many machines.
ngrok is a dev tool for exposing one local port to the internet. LRO is a multi-tenant platform with organizations, granular permissions and audit log.
No. The agent makes an outbound connection to the LRO core and keeps it open. From the firewall's point of view it looks like ordinary outbound web traffic.
You don't add inbound rules, you don't expose anything to the public internet, you don't touch NAT. If the machine can reach the public internet, LRO works.
Yes. Both agents dial out to the public LRO core. The core relays the encrypted stream between them. Neither side needs a public IP, port forwarding or hole-punching.
Anything that talks TCP: SSH (22), RDP (3389), VNC, HTTP / HTTPS web interfaces of switches / routers / NAS, PostgreSQL / MySQL / Redis, internal APIs, custom binary protocols. The tunnel is a raw TCP pipe — the protocol on top doesn't matter.
No. When end-to-end encryption is enabled for a tunnel, the agents exchange X25519 session keys directly; the core relays an opaque ciphertext between them. Server operators (us) cannot decrypt the payload — only route the encrypted bytes.
The control channel itself is also encrypted (Noise XK / ChaCha20-Poly1305), independently of the tunnel.
You pay for the bytes that pass through the relay. Pricing is denominated in coin — an internal unit that you top up with real currency. You buy a subscription plan with an included traffic bucket and top up extra coin for any overflow. Every transaction is visible in the panel's billing history.
Idle agents and idle tunnels cost nothing — only actual bytes are counted. Current plans and coin rates are shown in the pricing section above.
The agent reconnects automatically with exponential backoff. Tunnels reopen once the agent is back online; active streams that were interrupted return errors to their TCP clients (just like any short network blip would).
The panel shows the agent's online/offline status in real time — you see the drop and the recovery without refreshing.
The idle footprint is small: a few MB of RSS and effectively no CPU when no tunnel is active. Under traffic, CPU scales with throughput (Noise + relay framing). A Raspberry Pi 3 / Zero handles tens of Mbit/s comfortably; on a normal x86 server the agent is rarely the bottleneck.
Every panel action is recorded in an immutable audit log: who signed in, who opened or closed which tunnel, who changed permissions, when. Combined with end-to-end encryption (we can't see your traffic) and granular per-user / per-endpoint access rights, LRO fits the usual SOC-2 / ISO-27001 access-control requirements your auditor will ask about.
The hosted SaaS at app.lro.link covers most teams and is the fastest way to start. Self-hosting (on-prem core for closed organisations or high-volume MSPs) is on the roadmap — write to info@lro.link with your use case and we'll discuss timeline and licensing.