Quick Start
▶ Watch the overview for a quick, guided setup.
Get started in a few minutes — here's the universal first step, then pick what you want to do.
Add a device
Sign in
Sign in at hostanywhere.io with Google, GitHub, Microsoft, Apple, email, or SSO.
Install the agent
Download for Mac, Linux, or Windows from the Download page, or get the mobile app from the App Store or Google Play. Your device joins your private mesh automatically. More about adding devices →
Connect your devices privately
Install the agent on each device
Each device — laptop, phone, server — gets a private mesh IP (in the 100.64.x.x range) and can reach every other device on your account directly.
SSH, RDP, or browse — like they're on the same LAN
Works behind NAT, CGNAT, and corporate Wi-Fi without port forwarding. More about the private mesh →
Expose a local service to the internet
Create a public service
Click + Add Service. Choose a subdomain (e.g. myapp) and your local address (e.g. localhost:3000).
Done
Your service is live at https://myapp.hostanywhere.io. No router config, no static IP. More about exposing services →
Bridge a private network into the mesh
Install the agent on a device that's already on that private network
e.g. a Raspberry Pi on your home LAN, a server in your office network, or a small VM in a datacenter VPC.
Enable VPN Gateway and add the subnet(s)
Open that device's detail page, toggle VPN Gateway on, and add the CIDR(s) it can route to (e.g. 192.168.1.0/24). Other mesh peers can now reach printers, NAS, internal apps — anything on those subnets — without running the agent on each one. More about VPN Gateway →
Route internet traffic through another device
Pick a gateway device
Open the device detail page for an always-on device (home server, NAS, cloud VPS) and set its Internet Gateway priority to Primary.
Your laptop now exits via that device
Sites you visit see the gateway's public IP — like a personal VPN you fully own. Add Secondary and Tertiary gateways for automatic failover. More about Internet Gateway →
Back up your phone to your own storage
Enable Storage Server on a desktop device
Open the device detail page for a Mac, Linux, or Windows machine you own and toggle Storage Server on.
Install the mobile app and pick categories
Get HostAnywhere from the App Store or Google Play. In the Backups tab, toggle Photos, Contacts, etc. Everything is end-to-end encrypted on the phone before upload. More about Storage Server & Backups →
How It Works
HostAnywhere has four features that work independently or together:
- Public Services — expose any local port to the internet via a
*.hostanywhere.iosubdomain. No router config, no static IP needed. - Private Mesh Network — all your devices (and your team's devices) get a private IP and can reach each other directly, from anywhere, as if they were on the same LAN.
- Internet Gateway — route a laptop's outbound internet traffic through your home or office connection, like a personal VPN you fully own.
- Storage Server & Backups — back up your phones (Photos, Contacts, Calendars, more) to one of your own devices, end-to-end encrypted before upload.
The agent handles all of them. Install it once on a device and it manages public services, the private mesh network connection, and (optionally) a storage server for backups.
Add a Device
Install the agent on any device to connect it to your private mesh network and expose local services.
📺 Prefer to watch? Each platform below has a short walkthrough video.
Windows
▶ Add a Windows device — step-by-step walkthrough
Install
Download HostAnywhere for Windows and run the installer — click Yes on the UAC prompt.
Sign in
Connect using QR code, token, or your account (Google, GitHub, Microsoft, Apple, email, or SSO).
You're connected
The HostAnywhere tray icon appears — your device is now connected.
macOS
▶ Add a Mac — step-by-step walkthrough
Install
Download HostAnywhere for macOS, double-click the installer, and follow the steps. If macOS blocks it, go to System Settings → Privacy & Security and click Open Anyway.
Sign in
Connect using QR code, token, or your account (Google, GitHub, Microsoft, Apple, email, or SSO).
You're connected
The HostAnywhere menu bar icon appears — your device is now connected.
Linux
▶ Add a Linux device — step-by-step walkthrough
Install
Run the one-line installer — downloads the binary and installs the daemon.
curl -fsSL https://hostanywhere.io/install.sh | sh
Sign in
Run hostanywhere login — opens a browser automatically, or generates a unique sign-in URL to paste in your browser. Connect using QR code, token, or your account (Google, GitHub, Microsoft, Apple, email, or SSO).
hostanywhere login
You're connected
Your device is now live on the mesh. Verify with hostanywhere status.
iOS
▶ Add an iPhone (iOS) — step-by-step walkthrough
Install
Install HostAnywhere from the App Store on your iPhone or iPad.
Sign in
Open HostAnywhere and sign in with Apple, Google, GitHub, Microsoft, or email.
You're connected
Your phone joins the mesh and can securely reach every other device on your account.
Android
▶ Add an Android device — step-by-step walkthrough
Install
Install HostAnywhere from Google Play.
Sign in
Open HostAnywhere and sign in with Google, GitHub, Microsoft, Apple, or email.
You're connected
Your phone joins the mesh and can securely reach every other device on your account.
Expose a Service
Expose a Service creates a public URL for something running on your local machine — a dev server, a self-hosted app, a webhook receiver, a media server — without opening ports on your router or having a public IP. The agent on your machine opens an outbound connection to the HostAnywhere relay; visitors hit the relay over HTTPS at your chosen subdomain (e.g. https://myapp.hostanywhere.io), and the relay forwards the request through that tunnel to your local port.
Typical use cases:
- Sharing a dev preview with a teammate or client without deploying anywhere.
- Receiving webhooks during development.
- Sharing a self-hosted app with family or friends without setting up a VPN for them.
- Letting a phone reach a local app on a desktop when off the same Wi-Fi.
- Quick demos that need a real public URL.
Why it works:
- The agent only makes outbound connections, so there's nothing to configure on your router — works behind NAT and CGNAT.
- HTTPS is built in. Every subdomain lands on
*.hostanywhere.iowith a valid TLS certificate, no configuration needed. - Multiple services per machine — one tunnel per service.
How to expose a service
▶ Expose a local web app to the internet — step-by-step walkthrough
From the dashboard, click + Expose a Service and fill in:
- Subdomain — the public URL prefix, e.g.
myapp→https://myapp.hostanywhere.io - Local address — where the traffic should go on your machine, e.g.
localhost:3000
Private Network
Every device running the agent is assigned a private IP address and can reach any other device on your network directly — no VPN setup, no configuration required.
- Devices get a stable private IP in the
100.64.x.xrange. - Any port on any device is accessible from other devices on the same network.
- Works even if devices are behind different routers, carriers, or on different continents.
- When you invite teammates, their devices automatically join the same private network.
Finding your private IP
Your device's private IP appears in the dashboard under Devices — click a device card to see it. It's also shown in the Windows tray or macOS menu bar icon.
VPN Gateway
A VPN Gateway lets one device act as a bridge between your mesh and a private network the mesh can't reach directly — your home LAN, an office network, or a datacenter subnet. Any mesh peer can then reach resources on those networks (printers, NAS, servers, cameras, management interfaces) without running the HostAnywhere agent on each one.
▶ See VPN Gateway in action — advertising a subnet and reaching internal services.
This is useful when:
- You have legacy devices (printers, IoT, IPMI/iDRAC consoles) that can't run an agent.
- You want one device to tunnel your mesh into a corporate LAN.
- You're bridging a datacenter subnet or VPC range into the mesh.
How it works
Designate any device as a VPN Gateway and tell it which private CIDRs it can route to (e.g. 192.168.1.0/24, up to 10 subnets per gateway). Other mesh peers learn those routes automatically and forward traffic for those ranges through the gateway. Peer-to-peer traffic between mesh devices continues to flow directly as before.
Enable a VPN Gateway
Open the device detail page
Sign in to the dashboard, go to Devices, and click the device you want to act as a gateway.
Toggle VPN Gateway on
Scroll to the VPN Gateway section and flip the toggle. You must be the network owner — members can see the section but can't configure it.
Add advertised subnets
Enter each private CIDR the gateway can reach — e.g. 192.168.1.0/24 for a typical home LAN, or 10.0.0.0/16 for a corporate network. Click Add subnet. You can add up to 10 subnets per gateway. CIDRs overlapping the mesh range 100.64.0.0/10 are rejected, and 0.0.0.0/0 is reserved for Internet Gateway — use that feature instead if you want to route all traffic through a device.
Other mesh peers pick up the new routes within seconds and can start reaching addresses in those ranges.
Multiple gateways
You can designate more than one device as a VPN Gateway — useful for bridging your mesh into multiple private networks (home, office, datacenter) at once. Each gateway advertises its own subnet list independently.
Internet Gateway
An Internet Gateway routes a device's entire outbound internet traffic (0.0.0.0/0) through another mesh peer — like a personal VPN that terminates on hardware you fully own. Where VPN Gateway gives mesh peers access to a private LAN, Internet Gateway routes a peer's web/app traffic out through another peer.
▶ See Internet Gateway in action — picking where your traffic exits the internet.
This is useful when:
- You're on hotel or coffee-shop Wi-Fi and want every packet to leave from your home connection instead.
- A region- or geo-blocked service should see you as connecting from a device in another region.
- You want an end-to-end-encrypted hop for all internet traffic from a laptop you don't fully trust the local network of.
How it works
Designate up to three devices on your mesh as gateways, ranked by priority: Primary, Secondary, and Tertiary. The agent on the gateway side enables IP forwarding and installs a NAT rule so mesh traffic exits through the gateway's WAN interface. On the client side, the agent installs a default route pointing at the chosen gateway. Failover is automatic — if the Primary goes offline, peers fall back to Secondary within seconds, then Tertiary if needed. Peer-to-peer traffic between mesh devices continues to flow directly as before.
Enable an Internet Gateway
Open the device detail page
Sign in to the dashboard, go to Devices, and click the device that should act as the gateway — the device whose internet connection other peers will route through.
Set its priority slot
Scroll to the Internet Gateway section and pick a priority: Disabled, Primary, Secondary, or Tertiary. You must be the network owner — members can see the section but can't configure it. Only one device can occupy each slot at a time; assigning a new device to a slot automatically unassigns whoever was there.
Verify on another device
Other mesh peers start routing through the Primary within ~10 seconds. From another device, visit a site that shows your public IP (e.g. ifconfig.me) — it should match the gateway device's WAN IP.
Multiple gateways & failover
The 3-slot priority system gives you redundancy without per-peer routing choices. The mesh always uses the highest-priority gateway that's currently online. A common pattern: Primary = your always-on home server, Secondary = your work device, Tertiary = a cloud VPS. If your home internet drops, traffic falls through automatically.
Storage Server, Backups & Library
HostAnywhere lets you back up your phones to your own hardware. Three pieces:
- Storage Server — a small encrypted-blob store the desktop agent runs on a Mac, Linux, or Windows device you own.
- Backups — the iOS and Android apps push selected categories (Photos, Contacts, Calendars, etc.) to your storage server.
- Library — a tab in the mobile app to browse and restore everything you've backed up, from any of your signed-in devices.
Every file is encrypted on your phone before it leaves the device. HostAnywhere's servers never hold your data.
Storage Server
A storage server runs as a background process inside the desktop agent. It listens on TCP port 36129 inside your private mesh, serves a self-signed TLS certificate (its SHA-256 fingerprint is pinned by the phones), and accepts encrypted blob uploads from your phones.
Enable a storage server
▶ Enable Storage Server from the dashboard — step-by-step walkthrough
Open the device detail page
Sign in to the dashboard, go to Devices, and click a Mac, Linux, or Windows device you want to use for backups. Pick a device that's online often — a NAS, always-on server, or a desktop is ideal.
Toggle Storage Server on
Scroll to the Storage Server section and flip the toggle. Within a few seconds the badge changes from Starting… to Running, and the dashboard shows the mesh URL and (optionally) internet URL the phones will use.
(Optional) Adjust advanced settings
Open the Advanced disclosure to set a custom storage path, cap maximum disk usage (defaults to 50% of free space, capped at 500 GB), or change internet access mode (mesh-only, mesh + internet fallback, always internet).
Where backups are stored on disk
| Platform | Default path |
|---|---|
| Linux (systemd, as root) | /var/lib/hostanywhere/backups |
| macOS | ~/HostAnywhere/Backups (under the console user's home) |
| Windows | %LOCALAPPDATA%\HostAnywhere\Backups |
You can override the path under Advanced. Useful when you want backups on a specific external drive, a separate NAS volume, or a non-default partition.
Multiple storage servers
You can run storage servers on more than one device. Phones automatically pick the one with the lowest latency on each sync (mesh first, internet fallback). Each server keeps an independent copy of the data uploaded to it — handy if you want a primary at home plus a backup on a different drive or in a different location.
Backups (iOS & Android)
The mobile app's Backups tab is where each phone picks what to back up. Categories are off by default; you opt in per category, and each toggle prompts for the OS permission it needs the first time you enable it.
What can be backed up
| Category | iOS | Android |
|---|---|---|
| Photos | ✓ | ✓ |
| Videos | ✓ | ✓ |
| Contacts | ✓ | ✓ |
| Calendars | ✓ | ✓ |
| Health | ✓ | — |
Enable a backup category
▶ iPhone (iOS) — backup walkthrough
▶ Android — backup walkthrough
Open the app
Open HostAnywhere on the phone, sign in, and go to the Backups tab.
Toggle a category
Flip the switch next to a category. The OS prompts for the matching permission (Photos, Contacts, etc.) — tap Allow. You can toggle as many categories as you like; each prompts independently.
Tap Sync now
The first sync starts immediately and runs in the background. After that, the app re-syncs in the background as you add new photos, contacts, etc. Watch the status card for progress and the per-category counters for what's been backed up.
End-to-end encryption
Every file is encrypted on the phone before it's uploaded. AES-256-GCM with convergent encryption: the data-encryption key for a given file is derived from its own SHA-256 hash, then wrapped with a master key that exists only on your phones. Master keys are generated locally on first sync — escrowed via iCloud Keychain on iOS, stored in Android Keystore-backed encrypted preferences on Android. HostAnywhere has no copy and can't decrypt anything.
On iOS, encryption is always on (no toggle). On Android, encryption defaults to on with a Settings toggle for parity with iOS conventions.
Cellular vs Wi-Fi
By default backups only run on Wi-Fi to avoid surprise data usage. A "Back up over cellular" toggle in Settings flips that.
Library
The Library tab in the mobile app lists everything you've backed up, grouped by category, across all your storage servers. Each item shows its category, size, and the date it was backed up.
Restore from another device
Install HostAnywhere on the new device
Get HostAnywhere from the App Store or Google Play and sign in with the same account.
Open the Library tab
Everything you've backed up from your other phones shows up automatically — the app discovers your storage servers via the control plane and the master key is restored from iCloud Keychain (iOS) or your account (Android).
Tap to restore
Tap any item to download it. Photos and videos restore to the camera roll; contacts merge into the system address book; calendars merge into the system calendar; health records open in Apple Health (iOS).
Access Control
Access Control lets you decide who on your mesh can reach what. Every connection between two devices is checked against an ordered list of rules; the first rule that matches the connection decides whether to allow or deny it. By default a new network is fully open — every device can reach every other device on every port. Add rules to lock things down when you need finer control.
Typical use cases:
- Lock a home NAS so only your laptop and phone can reach it, even though other family members are on the same mesh.
- Allow contractors to reach a single dev server on port 22 and nothing else.
- Block a guest device from reaching anything except the internet gateway.
- Require devices to be currently compliant in Intune or have a CrowdStrike ZTA score above 75 before they can reach production systems.
▶ Follow this step-by-step guide to create an Access Control rule
How rules are evaluated
Rules have a priority (lower number = higher priority). For every connection, HostAnywhere walks the list in priority order and stops at the first rule whose source, destination, port, and protocol all match — that rule's action (allow / deny) decides the outcome. If no rule matches, the network's default policy applies.
- Default policy: allow (the default for new networks). The mesh is open; rules carve out specific denies or posture-gated allows.
- Default policy: deny. The mesh is locked down; everything you want to permit needs an explicit allow rule. This is the right stance for production / multi-user networks.
Rules have a direction — in (someone is dialing this device) or out (this device is dialing someone). A symmetric "X can talk to Y" usually needs both directions, or you can write one direction and let the default policy cover the return path.
Where it's enforced
Rules are resolved server-side and pushed to every device. Each platform enforces them with its native firewall, so there's no proxy / sidecar to install:
| Platform | Enforcer |
|---|---|
| Linux | iptables in the FORWARD chain, managed by the agent daemon |
| macOS | pf via a HostAnywhere-owned anchor under com.apple/* |
| Windows | NetFirewall rules in the HostAnywhere profile |
| iOS & Android | The agent filters out denied peers before they reach the mesh engine |
Writing a rule
Open the dashboard, click Access Control (under Users), then + New rule. Fill in:
- Action —
allowordeny. - Direction —
in(others dialing this device) orout(this device dialing out). - Source — a single device, a tag (the most common choice), the device's owner (any device they own), an OS family (Windows, macOS, Linux, iOS, Android), an address group, a CIDR, or All devices.
- Destination — same options as Source.
- Ports — a single port (
22), a list (80,443), a range (5000-5010), a port group (HTTPS,SSH, …), or All ports. - Protocol — TCP, UDP, both, or Any (Any covers ICMP — useful for a "no ping" rule).
- Priority — defaults to the next available number; drag rows in the list to reorder.
- Posture conditions (optional) — gate the rule on the connecting device's EDR / XDR / MDM state. See EDR, XDR & MDM Integrations.
Tags
Tags are labels you attach to devices to group them for access-control rules. They're the most common way to write rules: instead of naming individual devices, you tag the devices that share a purpose and then write rules against the tag. A device can wear any number of tags — your work laptop might be tagged engineering, production-access, and office at once.
Typical tags:
home,office— physical locationengineering,finance,support— team or departmentproduction,staging— environmentbyod,guest,contractor— device class or access level
Create and manage tags in the dashboard under Access Control → Tags. Each tag can have an optional description (so future-you remembers what it's for) and a color (so it's easy to spot in the rules list). Adding or removing a device from a tag instantly updates every rule that references the tag — there's no need to edit each rule when the membership changes.
Address groups and port groups
Address groups let you reuse a set of devices or CIDRs across many rules — "Engineering laptops", "Office subnet", "Production servers". Use them when you need to mix in raw IP ranges that aren't HostAnywhere devices (e.g. a corporate subnet or a cloud VPC). For pure device groupings, tags are simpler. Built-in groups always exist:
- All devices — every device on the network.
- All users — every device owned by any human member (excludes service / unattended hosts).
- My devices — the requesting device's own owner's devices. Useful for "let me reach my own machines from anywhere" rules.
Port groups are reusable port lists with a protocol — e.g. HTTPS = TCP 80,443 or SQL = TCP 1433,3306,5432. Both groups are managed under Access Control → Groups in the dashboard and selected by name in the rule editor.
Rule examples
- "Production servers can be reached by engineering only."
Default policy deny. Addallow in, source = tagengineering, destination = tagproduction, all ports. Adding or removing engineers from the team is just a matter of toggling the tag on their device — no rule edits. - "Only Intune-compliant devices can reach the database."
Default policy deny. Addallow inon devices taggeddatabase: source = All devices, ports = your database port (e.g.5432for PostgreSQL), protocol = TCP, posture condition = Intune: must be compliant. - "Engineering needs SSH everywhere, but only if Falcon ZTA ≥ 75."
allow out, source = tagengineering, destination = All devices, ports =22, protocol = TCP, posture condition = Falcon: score ≥ 75. - "Block guest phones from anything except the internet gateway."
Default policy deny. Oneallow outrule with source = tagguest, destination = Internet gateway (built-in role group), all ports.
allow with the condition you want and let default-deny catch everything else. Negative conditions tend to interact badly with rule ordering.
Posture conditions
A rule can optionally require the connecting device to be in a healthy state, as judged by an EDR, XDR, or MDM product you've connected to HostAnywhere. Set this up under EDR, XDR & MDM Integrations, then check the Device posture box in the rule editor and pick a provider with a minimum score (CrowdStrike) or required compliance (Intune).
EDR, XDR & MDM Integrations
Connect an external endpoint-protection (EDR / XDR) or device-management (MDM) product to HostAnywhere, and you can require a device to be in a healthy state — Intune-compliant, CrowdStrike ZTA score above a threshold — before it can satisfy an allow rule. HostAnywhere caches each device's latest state every 5 minutes.
Most teams connect one EDR / XDR provider and one MDM provider; together they cover laptops, desktops, and mobile devices with one posture story.
▶ Connect an EDR / XDR / MDM provider for posture-based access — step-by-step walkthrough
How matching works
HostAnywhere matches its device records to records from your endpoint-security tenant by case-insensitive hostname. This works well when devices keep their default OS-reported hostname; if you rename a device after installing the agent, its posture won't match until the new name also reaches your EDR, XDR, or MDM tenant.
If a device hasn't been scanned recently — for example, it's been offline, or it just enrolled and isn't visible to your provider yet — posture-gated allow rules don't apply to it. There's no way to accidentally bypass a posture check by going offline.
CrowdStrike Falcon
Falcon's Zero Trust Assessment score (ZTA) rates each device on a 0-100 scale based on sensor health, OS patch status, login behavior, and account hygiene. Higher is better.
Setup on the Falcon side
- Sign in to the Falcon console as a Falcon Administrator and go to Support & resources → API clients and keys → Create API client.
- Give the client a name (
HostAnywhere posture sync) and grant scopes:- Hosts — Read
- Zero Trust Assessment — Read (optional but recommended)
- Save and copy the Client ID, Secret, and Base URL (e.g.
https://api.crowdstrike.comor one of the regional variants).
Setup on the HostAnywhere side
- In the dashboard, open Integrations and click + Add provider.
- Pick CrowdStrike Falcon, paste the Base URL, Client ID, and Secret, and hit Test connection. A green check means the credentials work and at least one host is visible.
- Click Sync now to populate the score table immediately, or wait for the 5-minute background worker.
Score fallback
If the API client doesn't have Zero Trust Assessment Read permission, HostAnywhere falls back to a 0-100 score derived from Falcon's other health signals — whether the agent is enrolled, how recently it checked in, and whether Falcon reports the sensor as normal. Your rules don't need to know which path produced the score; they compare against a minimum score either way.
Microsoft Intune
Intune is a binary model — each device is either compliant or non-compliant against the compliance policies you've configured in Endpoint Manager. Devices in a remediation grace period are counted as compliant, the same way Microsoft's Conditional Access treats them.
Setup in Microsoft Entra ID
- Sign in to entra.microsoft.com as a Global Administrator.
- Applications → App registrations → + New registration. Name it
HostAnywhere posture sync, choose Single tenant, leave the Redirect URI blank. Click Register. - On the Overview page, copy the Application (client) ID and the Directory (tenant) ID.
- Certificates & secrets → + New client secret. Set the longest expiry your policy allows (Microsoft caps at 24 months). After clicking Add, immediately copy the Value column — it's only shown once.
- API permissions → + Add a permission → Microsoft Graph → Application permissions. Add
DeviceManagementManagedDevices.Read.All. Then click ✓ Grant admin consent for [your directory].
Setup on the HostAnywhere side
- In the dashboard, open Integrations and click + Add provider → Microsoft Intune.
- For Base URL / Tenant, paste the Directory (tenant) ID. For Client ID and Client Secret, paste the values from steps 3 and 4 above.
- Hit Test connection, then Sync now.
/deviceManagement/managedDevices. Verify the tenant has Intune-eligible licenses (e.g. Microsoft 365 Business Premium, EMS E3/E5, or Intune standalone) assigned to the users whose devices you want to gate.
Operations
- Sync cadence. Each provider syncs every 5 minutes in the background. Force an immediate sync from the provider row in Integrations.
- Last sync state. The Integrations page shows when each provider last synced and the most recent error (if any) — useful when an expired secret starts returning auth errors.
- Secret rotation. Azure caps client secrets at 24 months and CrowdStrike at 12. Rotate before the expiry and update the provider row; HostAnywhere will pick up the new secret on the next sync attempt without restarting.
- Encryption at rest. Client secrets are encrypted at rest with AES-256-GCM. Only the HostAnywhere control plane can decrypt them.
Next: wire these into rules under Access Control.
Plan Limits
Limits apply to the whole network. The owner's plan determines the limits — members don't need their own paid plan.
| Free | Developer | Team | Enterprise | |
|---|---|---|---|---|
| Team members | 3 | 5 | 25 | Unlimited |
| Devices | 10 | 100 | 200 | Unlimited |
| Public services | 3 | 25 | 100 | Unlimited |
| Access Control rules | 5 | 50 | 250 | Unlimited |
| Tags / address groups / port groups (each) | 5 | 25 | 100 | Unlimited |
| EDR, XDR & MDM integrations | — | ✓ | ✓ | ✓ |
| Storage Server & Backups | ✓ | ✓ | ✓ | ✓ |
| Internet Gateway | — | ✓ | ✓ | ✓ |
| VPN Gateway | — | ✓ | ✓ | ✓ |
| SSO (SAML / OIDC) | — | — | ✓ | ✓ |
| Price | Free | $9 / mo | $25 / mo | Custom |
See the Pricing page for annual pricing and the Enterprise contact form.
Inviting Members
▶ See how to invite a teammate to your network — by email or one-time link.
Open the Users section in the dashboard and click Invite User. You can invite someone two ways:
- Copy link — share a one-time invite link via any channel (Slack, email, etc.).
- Send email — enter their email address and HostAnywhere sends the invite for you.
Invite links are single-use and expire after 7 days. When the recipient opens the link and signs in, they are automatically added to your network.
Roles
| Role | What they can do |
|---|---|
| Owner | Invite members, remove members, manage network settings. One owner per network. |
| Member | Add their own devices and public services, view all devices on the network. Cannot invite or remove others. |
Members can see all devices on the network in the dashboard but can only edit or delete their own. Other members' devices are shown as read-only.
Removing Members
In the Users section, click the remove button next to any member. Only the owner can do this.
When a member is removed, their devices immediately disappear from the shared device list and they lose access to the private network. Their own account and any public services they created are not affected.
FAQ
Do I need to open any ports on my router?
No. The agent connects outbound — no router configuration, port forwarding, or firewall changes needed.
Can I expose multiple services from one machine?
Yes. A single agent handles every service you add to that device — you don't need to run multiple agents. Create each service in the dashboard (one subdomain → one local port); the agent picks them up on its next config poll (within ~10 s) and runs all of them concurrently.
Can I be in multiple networks?
Not currently. Each account belongs to one network at a time.
My invited user joined but I don't see their devices.
They need to install the agent and connect at least one device. Once they do, it appears in all team members' dashboards automatically.
Does the agent need admin / root access?
Admin access is needed when first setting up the private network interface — the Windows installer handles this automatically. For the macOS .pkg, the installer takes care of it. On Linux, the agent needs sudo or CAP_NET_ADMIN to create the network interface. Regular tunnel traffic does not need elevated privileges.
Is traffic secure?
Yes. Public services use HTTPS end-to-end. Private mesh traffic is encrypted between devices — the relay never sees the content.
What happens when I hit a plan limit?
The action that would exceed the limit (adding a device, inviting a user, creating a public service) is blocked with a clear message. Nothing existing is removed. Upgrade your plan to continue.
How is my backup encrypted?
Each file is encrypted on your phone before it's uploaded, using AES-256-GCM with convergent encryption. The data-encryption key is derived from the file's own SHA-256 hash, then wrapped with a master key that lives only on your phones (escrowed via iCloud Keychain on iOS, Android Keystore on Android). HostAnywhere has no copy of the master key and can't decrypt anything. See Storage Server & Backups for more.
Can I run multiple storage servers?
Yes. Run the storage server on as many devices as you like — phones automatically pick the one with the lowest latency on each sync. The storage servers also replicate to each other automatically in the background: a blob uploaded to one server propagates to the others within a few minutes via the mesh. You get geographic + drive redundancy for free — a primary at home, a second copy on a NAS, a third on a friend's machine — all stay in sync without manual intervention.
Can HostAnywhere see my internet traffic when I use Internet Gateway?
No. All traffic flows agent-to-agent over WireGuard, encrypted end-to-end. HostAnywhere's servers see only mesh metadata — which peers are online, peer counts, and so on — never the contents of the tunnels themselves.
What if my storage server is offline when a phone tries to back up?
The phone retries periodically. Nothing is ever uploaded to HostAnywhere as a fallback — your data only goes to storage servers you own. When the server comes back online, the queued items sync automatically. If you have multiple storage servers, the phone tries the others first before queuing.