How Remote.It makes secure connections
A global control plane, a tiny outbound-only agent, and a direct peer-to-peer tunnel — so you can reach any device without opening a port.
Three parts, one private path.
Remote.It brokers trust in the cloud, but your data never flows through it. The connection is direct and encrypted end-to-end.
A global SaaS control plane in AWS that authenticates every request and brokers connections. It knows who is allowed to connect — never your traffic.
A ~500 KB agent on each device advertises specific services — SSH, HTTPS, a database — for authorized initiators to reach. Outbound-only, with no inbound ports.
The desktop app, CLI, mobile app, or browser an authorized user or script connects from. Your application just sees localhost.
Four steps to a direct tunnel.
Each target sends a small UDP packet outbound about every two minutes to keep its NAT mapping alive — the same technique that punches through CGNAT, 5G, and Starlink.
An initiator authenticates through Remote.It Cloud and signals which service it wants. Authorization is evaluated against your policies before anything connects.
The target answers with UDP so both peers learn how to reach each other directly — no port forwarding, no public IP, nothing exposed.
A direct, end-to-end-encrypted peer-to-peer tunnel forms. Traffic flows device-to-device and Remote.It steps out of the path.
However the network is shaped, it connects.
A direct encrypted tunnel between initiator and target — the default, lowest-latency path.
When a direct path is blocked, traffic routes through a proxy in Remote.It Cloud so the connection still succeeds.
Reach a target through another Remote.It-enabled device on its network — a jump host without the exposed jump host.
Share a service to other initiators on the same local network, without each one installing an agent.