Quick Start
Get started in a few minutes — here's the universal first step, then pick what you want to do.
Add a device
Sign in
Sign in at hostanywhere.io with Google, GitHub, Microsoft, Apple, email, or SSO.
Install the agent
Download for Mac, Linux, or Windows from the Download page, or get the mobile app from the App Store or Google Play. Your device joins your private mesh automatically. More about adding devices →
Connect your devices privately
Install the agent on each device
Each device — laptop, phone, server — gets a private mesh IP (in the 100.64.x.x range) and can reach every other device on your account directly.
SSH, RDP, or browse — like they're on the same LAN
Works behind NAT, CGNAT, and corporate Wi-Fi without port forwarding. More about the private mesh →
Expose a local service to the internet
Create a public service
Click + Add Service. Choose a subdomain (e.g. myapp) and your local address (e.g. localhost:3000).
Done
Your service is live at https://myapp.hostanywhere.io. No router config, no static IP. More about exposing services →
Bridge a private network into the mesh
Install the agent on a device that's already on that private network
e.g. a Raspberry Pi on your home LAN, a server in your office network, or a small VM in a datacenter VPC.
Enable VPN Gateway and add the subnet(s)
Open that device's detail page, toggle VPN Gateway on, and add the CIDR(s) it can route to (e.g. 192.168.1.0/24). Other mesh peers can now reach printers, NAS, internal apps — anything on those subnets — without running the agent on each one. More about VPN Gateway →
Route internet traffic through another device
Pick a gateway device
Open the device detail page for an always-on device (home server, NAS, cloud VPS) and set its Internet Gateway priority to Primary.
Your laptop now exits via that device
Sites you visit see the gateway's public IP — like a personal VPN you fully own. Add Secondary and Tertiary gateways for automatic failover. More about Internet Gateway →
Back up your phone to your own storage
Enable Storage Server on a desktop device
Open the device detail page for a Mac, Linux, or Windows machine you own and toggle Storage Server on.
Install the mobile app and pick categories
Get HostAnywhere from the App Store or Google Play. In the Backups tab, toggle Photos, Contacts, etc. Everything is end-to-end encrypted on the phone before upload. More about Storage Server & Backups →
How It Works
HostAnywhere has four features that work independently or together:
- Public Services — expose any local port to the internet via a
*.hostanywhere.iosubdomain. No router config, no static IP needed. - Private Mesh Network — all your devices (and your team's devices) get a private IP and can reach each other directly, from anywhere, as if they were on the same LAN.
- Internet Gateway — route a laptop's outbound internet traffic through your home or office connection, like a personal VPN you fully own.
- Storage Server & Backups — back up your phones (Photos, Contacts, Calendars, more) to one of your own devices, end-to-end encrypted before upload.
The agent handles all of them. Install it once on a device and it manages public services, the private mesh network connection, and (optionally) a storage server for backups.
Add a Device
Install the agent on any device to connect it to your private mesh network and expose local services.
Windows
Install
Download HostAnywhere for Windows and run the installer — click Yes on the UAC prompt.
Sign in
Connect using QR code, token, or your account (Google, GitHub, Microsoft, Apple, email, or SSO).
You're connected
The HostAnywhere tray icon appears — your device is now connected.
macOS
Install
Download HostAnywhere for macOS, double-click the installer, and follow the steps. If macOS blocks it, go to System Settings → Privacy & Security and click Open Anyway.
Sign in
Connect using QR code, token, or your account (Google, GitHub, Microsoft, Apple, email, or SSO).
You're connected
The HostAnywhere menu bar icon appears — your device is now connected.
Linux
Install
Run the one-line installer — downloads the binary and installs the daemon.
curl -fsSL https://hostanywhere.io/install.sh | sh
Sign in
Run hostanywhere login — opens a browser automatically, or generates a unique sign-in URL to paste in your browser. Connect using QR code, token, or your account (Google, GitHub, Microsoft, Apple, email, or SSO).
hostanywhere login
You're connected
Your device is now live on the mesh. Verify with hostanywhere status.
iOS
Install
Install HostAnywhere from the App Store on your iPhone or iPad.
Sign in
Open HostAnywhere and sign in with Apple, Google, GitHub, Microsoft, or email.
You're connected
Your phone joins the mesh and can securely reach every other device on your account.
Android
Install
Install HostAnywhere from Google Play.
Sign in
Open HostAnywhere and sign in with Google, GitHub, Microsoft, Apple, or email.
You're connected
Your phone joins the mesh and can securely reach every other device on your account.
Expose a Service
Expose a Service creates a public URL for something running on your local machine — a dev server, a self-hosted app, a webhook receiver, a media server — without opening ports on your router or having a public IP. The agent on your machine opens an outbound connection to the HostAnywhere relay; visitors hit the relay over HTTPS at your chosen subdomain (e.g. https://myapp.hostanywhere.io), and the relay forwards the request through that tunnel to your local port.
Typical use cases:
- Sharing a dev preview with a teammate or client without deploying anywhere.
- Receiving webhooks during development.
- Sharing a self-hosted app with family or friends without setting up a VPN for them.
- Letting a phone reach a local app on a desktop when off the same Wi-Fi.
- Quick demos that need a real public URL.
Why it works:
- The agent only makes outbound connections, so there's nothing to configure on your router — works behind NAT and CGNAT.
- HTTPS is built in. Every subdomain lands on
*.hostanywhere.iowith a valid TLS certificate, no configuration needed. - Multiple services per machine — one tunnel per service.
How to expose a service
From the dashboard, click + Expose a Service and fill in:
- Subdomain — the public URL prefix, e.g.
myapp→https://myapp.hostanywhere.io - Local address — where the traffic should go on your machine, e.g.
localhost:3000
Private Network
Every device running the agent is assigned a private IP address and can reach any other device on your network directly — no VPN setup, no configuration required.
- Devices get a stable private IP in the
100.64.x.xrange. - Any port on any device is accessible from other devices on the same network.
- Works even if devices are behind different routers, carriers, or on different continents.
- When you invite teammates, their devices automatically join the same private network.
Finding your private IP
Your device's private IP appears in the dashboard under Devices — click a device card to see it. It's also shown in the Windows tray or macOS menu bar icon.
VPN Gateway
A VPN Gateway lets one device act as a bridge between your mesh and a private network the mesh can't reach directly — your home LAN, an office network, or a datacenter subnet. Any mesh peer can then reach resources on those networks (printers, NAS, servers, cameras, management interfaces) without running the HostAnywhere agent on each one.
This is useful when:
- You have legacy devices (printers, IoT, IPMI/iDRAC consoles) that can't run an agent.
- You want one device to tunnel your mesh into a corporate LAN.
- You're bridging a datacenter subnet or VPC range into the mesh.
How it works
Designate any device as a VPN Gateway and tell it which private CIDRs it can route to (e.g. 192.168.1.0/24, up to 10 subnets per gateway). Other mesh peers learn those routes automatically and forward traffic for those ranges through the gateway. Peer-to-peer traffic between mesh devices continues to flow directly as before.
Enable a VPN Gateway
Open the device detail page
Sign in to the dashboard, go to Devices, and click the device you want to act as a gateway.
Toggle VPN Gateway on
Scroll to the VPN Gateway section and flip the toggle. You must be the network owner — members can see the section but can't configure it.
Add advertised subnets
Enter each private CIDR the gateway can reach — e.g. 192.168.1.0/24 for a typical home LAN, or 10.0.0.0/16 for a corporate network. Click Add subnet. You can add up to 10 subnets per gateway. CIDRs overlapping the mesh range 100.64.0.0/10 are rejected, and 0.0.0.0/0 is reserved for Internet Gateway — use that feature instead if you want to route all traffic through a device.
Other mesh peers pick up the new routes within seconds and can start reaching addresses in those ranges.
Multiple gateways
You can designate more than one device as a VPN Gateway — useful for bridging your mesh into multiple private networks (home, office, datacenter) at once. Each gateway advertises its own subnet list independently.
Internet Gateway
An Internet Gateway routes a device's entire outbound internet traffic (0.0.0.0/0) through another mesh peer — like a personal VPN that terminates on hardware you fully own. Where VPN Gateway gives mesh peers access to a private LAN, Internet Gateway routes a peer's web/app traffic out through another peer.
This is useful when:
- You're on hotel or coffee-shop Wi-Fi and want every packet to leave from your home connection instead.
- A region- or geo-blocked service should see you as connecting from a device in another region.
- You want an end-to-end-encrypted hop for all internet traffic from a laptop you don't fully trust the local network of.
How it works
Designate up to three devices on your mesh as gateways, ranked by priority: Primary, Secondary, and Tertiary. The agent on the gateway side enables IP forwarding and installs a NAT rule so mesh traffic exits through the gateway's WAN interface. On the client side, the agent installs a default route pointing at the chosen gateway. Failover is automatic — if the Primary goes offline, peers fall back to Secondary within seconds, then Tertiary if needed. Peer-to-peer traffic between mesh devices continues to flow directly as before.
Enable an Internet Gateway
Open the device detail page
Sign in to the dashboard, go to Devices, and click the device that should act as the gateway — the device whose internet connection other peers will route through.
Set its priority slot
Scroll to the Internet Gateway section and pick a priority: Disabled, Primary, Secondary, or Tertiary. You must be the network owner — members can see the section but can't configure it. Only one device can occupy each slot at a time; assigning a new device to a slot automatically unassigns whoever was there.
Verify on another device
Other mesh peers start routing through the Primary within ~10 seconds. From another device, visit a site that shows your public IP (e.g. ifconfig.me) — it should match the gateway device's WAN IP.
Multiple gateways & failover
The 3-slot priority system gives you redundancy without per-peer routing choices. The mesh always uses the highest-priority gateway that's currently online. A common pattern: Primary = your always-on home server, Secondary = your work device, Tertiary = a cloud VPS. If your home internet drops, traffic falls through automatically.
Storage Server, Backups & Library
HostAnywhere lets you back up your phones to your own hardware. Three pieces:
- Storage Server — a small encrypted-blob store the desktop agent runs on a Mac, Linux, or Windows device you own.
- Backups — the iOS and Android apps push selected categories (Photos, Contacts, Calendars, etc.) to your storage server.
- Library — a tab in the mobile app to browse and restore everything you've backed up, from any of your signed-in devices.
Every file is encrypted on your phone before it leaves the device. HostAnywhere's servers never hold your data.
Storage Server
A storage server runs as a background process inside the desktop agent. It listens on TCP port 36129 inside your private mesh, serves a self-signed TLS certificate (its SHA-256 fingerprint is pinned by the phones), and accepts encrypted blob uploads from your phones.
Enable a storage server
Open the device detail page
Sign in to the dashboard, go to Devices, and click a Mac, Linux, or Windows device you want to use for backups. Pick a device that's online often — a NAS, always-on server, or a desktop is ideal.
Toggle Storage Server on
Scroll to the Storage Server section and flip the toggle. Within a few seconds the badge changes from Starting… to Running, and the dashboard shows the mesh URL and (optionally) internet URL the phones will use.
(Optional) Adjust advanced settings
Open the Advanced disclosure to set a custom storage path, cap maximum disk usage (defaults to 50% of free space, capped at 500 GB), or change internet access mode (mesh-only, mesh + internet fallback, always internet).
Where backups are stored on disk
| Platform | Default path |
|---|---|
| Linux (systemd, as root) | /var/lib/hostanywhere/backups |
| macOS | ~/HostAnywhere/Backups (under the console user's home) |
| Windows | %LOCALAPPDATA%\HostAnywhere\Backups |
You can override the path under Advanced. Useful when you want backups on a specific external drive, a separate NAS volume, or a non-default partition.
Multiple storage servers
You can run storage servers on more than one device. Phones automatically pick the one with the lowest latency on each sync (mesh first, internet fallback). Each server keeps an independent copy of the data uploaded to it — handy if you want a primary at home plus a backup on a different drive or in a different location.
Backups (iOS & Android)
The mobile app's Backups tab is where each phone picks what to back up. Categories are off by default; you opt in per category, and each toggle prompts for the OS permission it needs the first time you enable it.
What can be backed up
| Category | iOS | Android |
|---|---|---|
| Photos | ✓ | ✓ |
| Videos | ✓ | ✓ |
| Contacts | ✓ | ✓ |
| Calendars | ✓ | ✓ |
| Health | ✓ | — |
| SMS messages | — | ✓ |
| Call log | — | ✓ |
| Installed app APKs | — | ✓ |
Enable a backup category
Open the app
Open HostAnywhere on the phone, sign in, and go to the Backups tab.
Toggle a category
Flip the switch next to a category. The OS prompts for the matching permission (Photos, Contacts, etc.) — tap Allow. You can toggle as many categories as you like; each prompts independently.
Tap Sync now
The first sync starts immediately and runs in the background. After that, the app re-syncs in the background as you add new photos, contacts, etc. Watch the status card for progress and the per-category counters for what's been backed up.
End-to-end encryption
Every file is encrypted on the phone before it's uploaded. AES-256-GCM with convergent encryption: the data-encryption key for a given file is derived from its own SHA-256 hash, then wrapped with a master key that exists only on your phones. Master keys are generated locally on first sync — escrowed via iCloud Keychain on iOS, stored in Android Keystore-backed encrypted preferences on Android. HostAnywhere has no copy and can't decrypt anything.
On iOS, encryption is always on (no toggle). On Android, encryption defaults to on with a Settings toggle for parity with iOS conventions.
Cellular vs Wi-Fi
By default backups only run on Wi-Fi to avoid surprise data usage. A "Back up over cellular" toggle in Settings flips that.
Library
The Library tab in the mobile app lists everything you've backed up, grouped by category, across all your storage servers. Each item shows its category, size, and the date it was backed up.
Restore from another device
Install HostAnywhere on the new device
Get HostAnywhere from the App Store or Google Play and sign in with the same account.
Open the Library tab
Everything you've backed up from your other phones shows up automatically — the app discovers your storage servers via the control plane and the master key is restored from iCloud Keychain (iOS) or your account (Android).
Tap to restore
Tap any item to download it. Photos and videos restore to the camera roll; contacts merge into the system address book; calendars merge into the system calendar; health records open in Apple Health (iOS).
Plan Limits
Limits apply to the whole network. The owner's plan determines the limits — members don't need their own paid plan.
| Free | Developer | Team | Enterprise | |
|---|---|---|---|---|
| Team members | 3 | 5 | 25 | Unlimited |
| Devices | 10 | 100 | 200 | Unlimited |
| Public services | 3 | 25 | 100 | Unlimited |
| Storage Server & Backups | ✓ | ✓ | ✓ | ✓ |
| Internet Gateway | — | ✓ | ✓ | ✓ |
| VPN Gateway | — | ✓ | ✓ | ✓ |
| SSO (SAML / OIDC) | — | — | ✓ | ✓ |
| Price | Free | $9 / mo | $25 / mo | Custom |
See the Pricing page for annual pricing and the Enterprise contact form.
Inviting Members
Open the Users section in the dashboard and click Invite User. You can invite someone two ways:
- Copy link — share a one-time invite link via any channel (Slack, email, etc.).
- Send email — enter their email address and HostAnywhere sends the invite for you.
Invite links are single-use and expire after 7 days. When the recipient opens the link and signs in, they are automatically added to your network.
Roles
| Role | What they can do |
|---|---|
| Owner | Invite members, remove members, manage network settings. One owner per network. |
| Member | Add their own devices and public services, view all devices on the network. Cannot invite or remove others. |
Members can see all devices on the network in the dashboard but can only edit or delete their own. Other members' devices are shown as read-only.
Removing Members
In the Users section, click the remove button next to any member. Only the owner can do this.
When a member is removed, their devices immediately disappear from the shared device list and they lose access to the private network. Their own account and any public services they created are not affected.
FAQ
Do I need to open any ports on my router?
No. The agent connects outbound — no router configuration, port forwarding, or firewall changes needed.
Can I expose multiple services from one machine?
Yes. A single agent handles every service you add to that device — you don't need to run multiple agents. Create each service in the dashboard (one subdomain → one local port); the agent picks them up on its next config poll (within ~10 s) and runs all of them concurrently.
Can I be in multiple networks?
Not currently. Each account belongs to one network at a time.
My invited user joined but I don't see their devices.
They need to install the agent and connect at least one device. Once they do, it appears in all team members' dashboards automatically.
Does the agent need admin / root access?
Admin access is needed when first setting up the private network interface — the Windows installer handles this automatically. For the macOS .pkg, the installer takes care of it. On Linux, the agent needs sudo or CAP_NET_ADMIN to create the network interface. Regular tunnel traffic does not need elevated privileges.
Is traffic secure?
Yes. Public services use HTTPS end-to-end. Private mesh traffic is encrypted between devices — the relay never sees the content.
What happens when I hit a plan limit?
The action that would exceed the limit (adding a device, inviting a user, creating a public service) is blocked with a clear message. Nothing existing is removed. Upgrade your plan to continue.
How is my backup encrypted?
Each file is encrypted on your phone before it's uploaded, using AES-256-GCM with convergent encryption. The data-encryption key is derived from the file's own SHA-256 hash, then wrapped with a master key that lives only on your phones (escrowed via iCloud Keychain on iOS, Android Keystore on Android). HostAnywhere has no copy of the master key and can't decrypt anything. See Storage Server & Backups for more.
Can I run multiple storage servers?
Yes. Run the storage server on as many devices as you like — phones automatically pick the one with the lowest latency on each sync. The storage servers also replicate to each other automatically in the background: a blob uploaded to one server propagates to the others within a few minutes via the mesh. You get geographic + drive redundancy for free — a primary at home, a second copy on a NAS, a third on a friend's machine — all stay in sync without manual intervention.
Can HostAnywhere see my internet traffic when I use Internet Gateway?
No. All traffic flows agent-to-agent over WireGuard, encrypted end-to-end. HostAnywhere's servers see only mesh metadata — which peers are online, peer counts, and so on — never the contents of the tunnels themselves.
What if my storage server is offline when a phone tries to back up?
The phone retries periodically. Nothing is ever uploaded to HostAnywhere as a fallback — your data only goes to storage servers you own. When the server comes back online, the queued items sync automatically. If you have multiple storage servers, the phone tries the others first before queuing.