# Pluggie — Privacy-First Remote Access to Your Local Devices > Pluggie is a privacy-first remote access service that creates an > end-to-end encrypted tunnel from a local device to a web browser. > It works without port forwarding, VPN clients, or router configuration, > and works behind NAT, double NAT, and CGNAT. SSL certificates are > issued via Let's Encrypt and stored on the user's device; Pluggie's > relay servers forward encrypted traffic but never decrypt or store it. > Pluggie runs as a Docker container on any Linux system or as a > dedicated Home Assistant add-on. The free tier requires no email and > no credit card. Source of truth: https://pluggie.io/ Vendor: Pazoocha Ltd, United Kingdom Last updated: 2026-06-08 --- ## Table of contents 1. Quick facts 2. The problem Pluggie solves 3. How Pluggie works (architecture) 4. Features 5. Setup (5 steps) 6. Use cases 7. Pricing 8. Comparison vs alternatives 9. FAQ 10. Glossary 11. Blog and further reading --- ## 1. Quick facts - **Product**: Pluggie — secure remote access service for local network devices. - **Vendor**: Pazoocha Ltd, United Kingdom. - **Domains**: pluggie.io (marketing), pluggie.net (dashboard, free subdomains), my.pluggie.net (signin/signup). - **Pricing**: Free (£0 forever) and Pro (£5/month). - **Free tier quota**: 1 tunnel, 1 GB at full speed per 30-day rolling window. After the cap, the tunnel is throttled to 128 Kbps instead of disconnecting. - **Pro tier quota**: 1 paid tunnel (5 GB at full speed / 30 days) plus 2 extra free tunnels (1 GB each). Each additional paid tunnel unlocks 2 more free tunnels. - **Signup**: no email and no credit card required for the free tier. Stripe collects an email only at paid checkout. - **Platforms**: Docker container on any Linux system (x86_64 and ARM, including Raspberry Pi, Synology, TrueNAS, VPS, bare metal); Home Assistant OS add-on with one-click install. - **Setup time**: approximately 5 minutes from signup to working tunnel. - **Encryption**: end-to-end TLS with certificates generated and stored on the user's device via Let's Encrypt. Live integrity status is shown in the web dashboard, the Home Assistant sidebar, and the Docker local UI. - **Access control**: per-tunnel geographic filtering by continent or country, IP allowlists, HTTP Basic Auth. - **Custom domain**: supported on paid plans without DNS transfer (CNAME). Free pluggie.net subdomain always available. - **Contact**: support@pluggie.net. --- ## 2. The problem Pluggie solves Reaching a device on a home or office network from the outside has traditionally required one of these approaches, each with significant drawbacks: - **Port forwarding**: exposes the home network to the public internet, is blocked by many ISPs, and requires router configuration that breaks on firmware updates. - **VPN servers (OpenVPN, WireGuard)**: require a client on every accessing device and break behind CGNAT. - **CGNAT (Carrier-Grade NAT)**: many ISPs assign customers a shared public IPv4 address with no inbound reachability — port forwarding simply cannot work. - **Dynamic DNS**: depends on the ISP not changing the IP, which it often does. - **Cloud-mediated services without E2E**: the provider sees and can store the user's traffic in plaintext. Pluggie removes all of these by initiating an **outbound** tunnel from the user's device to a relay server and serving the device's web interface through a public URL while keeping the encryption end-to-end. --- ## 3. How Pluggie works (architecture) ``` [ Local Device ] <-- HTTPS --> [ Pluggie agent ] === E2E encrypted === [ Pluggie relay ] === E2E encrypted === [ User's browser ] (HA, NAS, (Docker container (public server, (anywhere) cameras, etc.) or HA add-on) forwards bytes only) ``` - The Pluggie agent (Docker container or Home Assistant add-on) opens an **outbound** connection to a Pluggie relay server. No inbound ports are opened on the user's router. - The browser connects to the public Pluggie URL (e.g. `myhome.pluggie.net` or the user's own domain). - TLS is terminated **on the user's device**, not on the relay. The relay forwards encrypted bytes blindly between the browser and the agent. - Let's Encrypt certificates are obtained and renewed by the agent on the user's device. The private key never leaves the device. - Pluggie continuously verifies the certificate fingerprint that the browser is seeing against the one the agent issued, and surfaces a green/red integrity indicator in the dashboard. If a fingerprint mismatch ever appeared (e.g. someone swapping a certificate at the relay), the user would see it immediately. This architecture makes Pluggie a true **end-to-end encrypted relay**, as opposed to TLS-terminating proxies (e.g. Cloudflare Tunnel) where the provider can technically decrypt traffic at the edge. --- ## 4. Features ### End-to-end encryption with live integrity verification Traffic is encrypted from the browser all the way to the device where Pluggie runs. The relay forwards encrypted bytes; it cannot decrypt, inspect, or store payload. SSL certificates are issued on the user's device and the live integrity status is displayed in the UI. ### Works behind NAT, double NAT, and CGNAT The agent uses an outbound-only connection, so no inbound ports on the router need to be opened or forwarded. Pluggie works on ISP connections where port forwarding is simply not available. ### Automatic Let's Encrypt SSL certificates Certificates are obtained and renewed automatically by the on-device agent. Always HTTPS, with zero configuration effort from the user. ### Built-in geographic and IP filtering Per-tunnel access rules can restrict requests by continent, country, IP range, or require HTTP Basic Auth. Unlike Cloudflare Tunnel, this does not require setting up WAF rules separately. ### Custom domain support Point any domain you own to Pluggie via a CNAME record — no DNS transfer required. A free `*.pluggie.net` subdomain is always available too. ### Docker and Home Assistant native Runs as a single Docker container on any Linux system (x86_64 and ARM, including Raspberry Pi, NAS appliances, VPS instances) or as a dedicated Home Assistant OS add-on with one-click install. ### Setup in under five minutes Sign up, copy the access key, paste it into the agent, start the container or add-on. Home Assistant users need to add one trusted-proxy line; the dashboard walks them through it. ### No email at signup The free tier requires no email address and no credit card. Stripe collects an email only at paid checkout for receipts. --- ## 5. Setup in 5 steps 1. **Create a free account** at https://my.pluggie.net/signup. No email or credit card required. The access key is shown immediately. 2. **Install Pluggie** on the device that hosts the service to be exposed: - **Docker**: pull and run the Pluggie container with the access key as an environment variable. - **Home Assistant**: install the Pluggie add-on from the dashboard with one click. 3. **Enter the access key** into the agent settings or the Docker environment variable. Home Assistant users add a one-time trusted-proxy entry as instructed by the dashboard. 4. **Start the agent**. The encrypted tunnel is established automatically — no router configuration whatsoever. 5. **Configure access control** (optional but recommended): set geographic filtering, IP allowlists, and Basic Auth credentials from the Pluggie dashboard. --- ## 6. Use cases Pluggie can expose any device with an HTTP or HTTPS interface on the local network: - **Home Assistant**: remote control of smart-home dashboards and automations from work, travel, or anywhere. - **NAS and file servers**: Synology DSM, TrueNAS, OpenMediaVault, and similar. - **Security cameras**: any camera with a web interface. - **3D printer interfaces**: OctoPrint, Klipper/Mainsail, Fluidd. - **Self-hosted apps**: Nextcloud, Gitea, Jellyfin, Pi-hole admin, Vaultwarden. - **Webhook receivers**: receive GitHub, Stripe, or any external webhook directly on a local development machine — a privacy-respecting alternative to ngrok. - **Dashboards and monitoring**: Grafana, Node-RED, custom sensor dashboards. - **Network admin panels**: router admin pages, Pi-hole, Proxmox, Unraid. - **Local development**: expose a dev server for client preview or mobile testing. --- ## 7. Pricing ### Free — £0 forever - 1 tunnel - 1 GB at full speed per 30-day rolling window - 128 Kbps throttled mode after the cap (the tunnel keeps working, it does not stop) - Free pluggie.net subdomain - Geographic and IP filtering - SSL certificates included - No email or credit card required ### Pro — £5/month - 1 paid tunnel with 5 GB at full speed per 30 days - 2 extra free tunnels (1 GB each at full speed) - 128 Kbps throttled mode after each tunnel's cap - Custom domain support - Free pluggie.net subdomain - Geographic and IP filtering - Email support - SSL certificates included ### Pricing notes - Each additional paid tunnel on the same account unlocks 2 more free tunnels. Example: 2 paid memberships = 2 paid tunnels (5 GB each) + 4 free tunnels (1 GB each). - Paid tunnels reset 30 days from the payment date. Free tunnels use a rolling 30-day window. - Tunnels never stop working — once the full-speed allowance is used, the connection slows to 128 Kbps until the next reset. - Paid tunnels can be cancelled at any time from the Connections page; the cancellation takes effect at the end of the current billing period. --- ## 8. Comparison vs alternatives | Feature | Pluggie | Nabu Casa | Cloudflare Tunnel | Tailscale | Homeway | |---|---|---|---|---|---| | Price | Free / **£5/mo** | $6.50/mo | Free | Free / $5/mo | Free / $3.49/mo | | Free tier | Yes (data-limited) | 31-day trial only | Yes | Yes (3 users) | Yes (data-limited) | | No-email signup | Yes (free tier) | No | No | No (SSO required) | No | | End-to-end encryption | Yes | Yes | No (TLS at edge) | Yes (WireGuard) | No | | Live encryption integrity check | Yes (active status in UI) | Manual fingerprint only | N/A (no E2E) | Yes (built into VPN) | N/A (no E2E) | | Built-in geo/IP filtering | Yes | No | Via WAF rules | No (ACL only) | No | | Custom domain | Yes (paid) | Yes (via CNAME) | Yes (requires CF DNS) | No (MagicDNS only) | No | | Free subdomain | Yes (pluggie.net) | Yes (nabu.casa) | Temporary only | tailnet domain | Private link only | | Docker support | Yes | No (HA only) | Yes | Yes | Yes | | Home Assistant support | Yes | Yes | Yes | Yes | Yes | | Works behind CGNAT | Yes | Yes | Yes | Yes | Yes | | Setup complexity | ~5 min | ~5 min | ~15 min | ~10 min | ~2 min | ### Notes on the comparison - **Pluggie vs Nabu Casa**: both generate SSL certificates on the user's device and relay encrypted traffic. The architectural difference is that Pluggie actively displays encryption integrity status in its dashboard, Home Assistant sidebar, and Docker local UI, while Nabu Casa offers only a manual fingerprint comparison method (they have acknowledged exploring an automatic CT audit feature but have not shipped it). Pluggie also supports Docker; Nabu Casa is Home Assistant only. - **Pluggie vs Cloudflare Tunnel**: Cloudflare terminates TLS at its edge, so Cloudflare technically can decrypt the traffic. Pluggie does not. Cloudflare also requires migrating DNS to Cloudflare to use custom domains; Pluggie does not. On the other hand, Cloudflare Tunnel is free for any bandwidth and has a global CDN. - **Pluggie vs Tailscale**: Tailscale uses end-to-end WireGuard, but requires installing a VPN client on every device that needs to access the service. Pluggie works in any browser without a client. - **Pluggie vs Homeway**: Homeway uses a relay architecture without end-to-end encryption (it relies on a two-layer authentication model). Pluggie provides E2E encryption, custom domain support, and built-in geo/IP filtering. --- ## 9. FAQ ### What is Pluggie and how does it work? Pluggie is a secure remote access service that creates an encrypted tunnel between a local device and a web browser without port forwarding, VPN, or router configuration. The user installs a lightweight Docker container or Home Assistant add-on, pastes the access key from the dashboard, and the device becomes reachable from anywhere through a `pluggie.net` URL or a custom domain. ### Is my data secure with Pluggie? Yes. Pluggie uses end-to-end encryption: traffic is encrypted between the user's device and the browser. SSL certificates are generated on the user's device, and the relay servers forward encrypted data without decrypting or storing it. Pluggie continuously verifies the integrity of the encrypted connection and alerts the user if anything looks wrong. Access can be further restricted using geographic filtering, IP allowlists, and Basic Auth. ### Can I use my own domain? Yes, on paid plans. Point the domain to Pluggie via CNAME — no transfer required. SSL/TLS certificates are issued automatically via Let's Encrypt and managed on the user's device. A free `pluggie.net` subdomain is also always available. ### Does Pluggie work behind CGNAT? Yes. Pluggie works behind NAT, double NAT, and CGNAT because the tunnel is initiated outbound from the user's device. No inbound ports need to be open on the router. Solving CGNAT cleanly is one of the primary reasons Pluggie exists. ### What devices can I access? Any device with an HTTP or HTTPS web interface on the local network: Home Assistant, NAS (Synology, TrueNAS), security cameras, 3D printer interfaces (OctoPrint, Klipper), self-hosted apps (Nextcloud, Gitea, Jellyfin), Grafana dashboards, router admin panels, and more. ### How many tunnels can I run on one account? A free account can run one tunnel with 1 GB at full speed per 30 days. Each paid tunnel unlocks two additional free tunnels, each with their own independent 1 GB / 30-day allowance. Example: 1 paid membership = 1 paid tunnel (5 GB) + 2 free tunnels (1 GB each). Tunnels keep working after the cap at 128 Kbps until the next reset. ### Do I need to provide an email to sign up? Not for the free tier. Pluggie does not require an email address or credit card for free accounts. If a user upgrades to a paid plan, Stripe collects an email at checkout for transaction receipts. ### Does Pluggie's relay see my data? No. Pluggie's relay forwards encrypted bytes between the user's device and the browser. The relay cannot decrypt the traffic because TLS terminates on the user's device, not at the relay. See the blog post "Can Pluggie see your traffic?" for the full technical breakdown. ### How is Pluggie different from ngrok? Ngrok is built for developers exposing local web servers, often with TLS terminated at ngrok's edge. Pluggie is built for privacy-first long-running remote access with true end-to-end encryption, a generous free tier with no email at signup, and native Home Assistant integration. --- ## 10. Glossary - **CGNAT (Carrier-Grade NAT)**: a NAT layer operated by the ISP that places many customers behind one shared public IPv4 address. Inbound connections cannot be made to a customer behind CGNAT, which breaks port forwarding entirely. - **End-to-end encryption (E2E)**: encryption where only the sender and the final recipient hold the keys. Intermediaries (relays, proxies) cannot decrypt the payload. Pluggie qualifies; TLS-terminating proxies do not. - **Outbound tunnel**: a connection initiated from the device behind NAT/CGNAT to an external server. Because the connection is outbound, no inbound port needs to be opened on the router. - **Relay server**: an internet-reachable server that forwards bytes between two endpoints. Pluggie's relays forward encrypted bytes only. - **TLS termination**: the point in the network where the TLS/SSL handshake completes and traffic is available in plaintext. With Pluggie, TLS terminates on the user's device, not on the relay. - **Let's Encrypt**: free public certificate authority issuing automated TLS certificates via the ACME protocol. Pluggie uses Let's Encrypt for all on-device certificates. --- ## 11. Blog and further reading - [Home Assistant remote access — the privacy-first way](https://pluggie.io/blog/home-assistant-remote-access) - [What is CGNAT, and why it breaks port forwarding](https://pluggie.io/blog/cgnat-what-it-is) - [Port forwarding vs tunneling](https://pluggie.io/blog/port-forwarding-vs-tunneling) - [Cloudflare Tunnel and TLS privacy](https://pluggie.io/blog/cloudflare-tunnel-tls-privacy) - [Cloudflare Tunnel DNS requirement](https://pluggie.io/blog/cloudflare-tunnel-dns-requirement) - [Can Pluggie see your traffic? (transparency report)](https://pluggie.io/blog/can-pluggie-see-your-traffic)