Why Linkvec
Full product.
Full choice.
Most connectivity tools make you pick one. Managed infrastructure means no control. DIY means no product. Linkvec doesn't ask you to choose.
Six layers of choice
Every layer of your connection is yours to configure.
Choose the broker, path, mode, relay, interface, and what to share. Change any layer independently. Nothing is locked in.
Your broker
Run linkvec-broker on any server you own, or use our hosted broker. The broker is the trust boundary — keep it on your hardware for maximum control.
Your connection path
Three-path fallback: direct peer-to-peer when possible, broker-routed when not, relay-assisted as a last resort. All automatic.
Your tunnel mode
TCP tunnel (Serverlet), HTTP-over-broker (Weblet), or WireGuard mesh (Netlet). Pick the right primitive for the use case, not the one your tool forces on you.
Your relay
Use community relay nodes or run your own. Relay nodes are infrastructure — they never see your cleartext traffic.
Your interface
CLI for scripting and automation. Web dashboard for visual management. API for integration. All backed by the same protocol.
What you share
A single port. An HTTP service. An entire mesh VPN. A hub of services shared with a team. Share exactly what you intend — nothing more.
Security model
Your broker is your network boundary.
SSH stays invisible
Your SSH daemon never binds to a public port. The broker is the only publicly reachable endpoint. A compromised broker cannot access your services without authentication.
Outbound-only from your machine
Serverlets open outbound connections to the broker. Your firewall never needs an inbound rule. Port forwarding is never required.
Self-host the broker, own the boundary
When you run linkvec-broker, you control the certificates, the authentication policies, and the audit log. No third-party sits in your trust chain.
Threat model
Least privilege by design.
No root required
The daemon and all tunnel types run as your user. Nothing is setuid. Nothing binds to privileged ports. A vulnerability in Linkvec cannot escalate to root.
Bounded blast radius
Each serverlet exposes exactly one port. Compromising one serverlet cannot reach other ports on the same machine. Services are isolated at the tunnel level.
Compare to root-daemon competitors
Tools that require root to run their agent give that agent (and any bug in it) full machine access. Linkvec deliberately avoids this design.
How we compare
Positioned between managed and DIY.
The gap Linkvec owns: a complete product where you still control the infrastructure.
ngrok is fast to start but you cannot run the broker yourself — all traffic goes through their infrastructure. Linkvec gives you the same zero-config experience with the option to self-host.
Cloudflare Tunnel is excellent for HTTP but requires Cloudflare as your broker. You cannot choose a different trust anchor. Linkvec decouples the product from the operator.
Tailscale is a polished mesh VPN but the coordination server is Tailscale's. Headscale exists but is unsupported. Linkvec's broker is a first-class self-hosted component, not an afterthought.
NetBird is close in philosophy but focused on the VPN mesh. Linkvec covers the full spectrum: TCP tunnels, HTTP-over-broker, and mesh VPN in one tool.
Raw WireGuard gives you maximum control but requires static IPs, manual key exchange, and firewall rules. Linkvec wraps WireGuard into a managed experience without taking control away.
SSH reverse tunnels work but have no lifecycle management, no named services, no hub sharing, and no relay fallback. Linkvec is what SSH tunnels would look like as a product.
FAQs
Competitive objections
Why not just use Tailscale?
Tailscale is a great product for mesh VPN. If that's all you need and you're comfortable with Tailscale as the coordination server, it's a fine choice. Linkvec is better when you need more than a VPN (TCP tunnels, HTTP services, hub sharing) or when you need to self-host every component.
How is Linkvec different from ngrok?
ngrok is primarily a tunnel-to-localhost tool for development. It is fast and easy, but you cannot run your own ngrok broker. With Linkvec you can use our hosted broker exactly like ngrok, or run linkvec-broker yourself. The choice is always yours.
Is Linkvec a VPN?
Linkvec includes a WireGuard-based mesh VPN (Netlet and BrokerMesh), but it is not only a VPN. It also provides named TCP tunnels (Serverlet/Clientlet) and HTTP-over-broker (Weblet/WebClientlet). Use the mode that fits the use case.
Is the broker a man-in-the-middle?
The broker handles signaling and routing, but it does not terminate your application traffic. End-to-end encryption is between the peers. The broker sees metadata (which hubs are connected) but not your cleartext data.
Try it free. No account required if you bring your own broker.
Get connected in under 60 seconds.