10 min read

Expose Your MCP Gateway to the Internet with Localtonet (2026)

Run McpNet Gateway locally and expose it publicly in minutes with Localtonet's dedicated MCP Gateway tunnel. No port forwarding, no static IP needed.

MCP Gateway ยท Tunneling ยท AI Agent Infrastructure ยท 2026

Expose Your MCP Gateway to the Internet Without Port Forwarding

Getting a remote AI agent, a teammate, or a cloud hosted Claude instance to reach your MCP tools used to mean juggling a separate gateway install, router config, and TLS. Localtonet collapses all of that into one client. McpNet Gateway runs automatically the moment you install Localtonet, already secured, with the admin token set through Localtonet's own settings. Point the built in MCP Gateway tunnel at it and you have a public HTTPS endpoint in a couple of minutes.

๐Ÿ”’ Secured by default, admin token set in Settings ๐ŸŒ Public HTTPS endpoint in under 5 minutes

Why Self Hosted MCP Gateways Are Hard to Reach

McpNet Gateway sits between your AI agents and every upstream MCP server you run, exposing all of them through one authenticated endpoint at /mcp. That's exactly what you want when Claude, Cursor, or a custom agent needs a single place to discover tools. The problem shows up the moment that agent lives somewhere other than your machine. By default the gateway binds locally and listens on port 5050. Nothing outside your LAN can see it.

Port forwarding used to be the answer, but most home and office connections now sit behind CGNAT, so there's no public IP to forward to in the first place. Even where a static IP exists, TLS still needs to be handled by something in front of the gateway.

A tunnel gives McpNet Gateway a public HTTPS address without opening an inbound port on your router, and without you having to run a separate reverse proxy for TLS.

The Simple Version: It's Already Built In, Already Secured

There is no separate McpNet Gateway install to worry about. Once you install the Localtonet client, McpNet Gateway runs automatically alongside it on port 5050, and it never starts in the unauthenticated Dev mode. The admin token is set directly through Localtonet's own settings, there's no config file to edit and nothing extra to lock down before you tunnel. The fastest way to get started is to go straight to localtonet.com/tunnel/mcpgateway. That single page lets you download the latest Localtonet client and, once it's installed and you're logged in, shows the exact same MCP Gateway creation screen you'll use to launch your tunnel.

๐Ÿ“ฆ No separate gateway install McpNet Gateway ships inside the Localtonet client and starts automatically. Install once and both pieces are ready.
๐Ÿงฉ Open source under the hood McpNet Gateway itself is open source, the code is on GitHub. Localtonet just bundles and runs it for you, no build step required.
๐Ÿ” Secured out of the box The bundled gateway never runs in Dev mode. Set or change the admin token in Localtonet's Settings, no appsettings.json or environment variables to touch.
โšก One tunnel type, one endpoint MCP Gateway tunnels forward to the gateway's /mcp and /dashboard routes without any manual host or port entry.
๐Ÿ”’ HTTPS by default Every localto.net subdomain is served over TLS automatically, so there's no reverse proxy to set up yourself.
๐ŸŒ Region aware servers Pick the Localtonet server closest to wherever your AI agents run, UK London and TR among the available regions, to cut round trip latency on tool calls.
๐Ÿ”Œ Custom domains supported Swap localto.net for your own domain through the Domain dropdown if you've added one via DNS Manager.

How to Expose McpNet Gateway with Localtonet: Step by Step

1

Get the Localtonet client

Go to localtonet.com/tunnel/mcpgateway and download the latest Localtonet client for your platform, Windows, Linux, macOS, or Docker. McpNet Gateway comes bundled with it, there is nothing extra to install. If you don't have a Localtonet account yet, sign up first, no credit card required.

2

Install the client and log in with your token

Install the client and open it. Log in using the token from localtonet.com/usertoken.

3

Fill in four fields and hit Create

Back on the MCP Gateway page, you'll see the same screen as the dashboard's My Tunnels โ†’ MCP Gateway section. Four fields, no host or port to type by hand:

Process Type: Random SubDomain is fine for testing. If your plan supports a fixed subdomain, use it instead, since every AI client config hardcodes your MCP server URL and a changing subdomain means updating that config everywhere.

Auth Token: Default Token works for a single machine. If you're tunneling from more than one server, generate and select the token tied to that specific client from localtonet.com/usertoken.

Server: pick the region closest to wherever your AI agents actually run, not where you personally sit. Available regions include UK London and TR.

Domain: leave this as localto.net for a quick setup, or select a custom domain you've already added through DNS Manager.

Click Create, then click the green Start button next to your new tunnel. Your gateway is now live at a URL like https://brlgqocwsk.localto.net, or your chosen fixed subdomain.

4

Connect your MCP client to the public URL

Point every agent config at your tunnel URL:

MCP client config
https://your-gateway.localto.net/mcp
Authorization: Bearer YOUR_CLIENT_TOKEN
First tool call after tunneling might time out, and that's expected

If any upstream server runs through npx, its package downloads on first connect, which can take 60 to 120 seconds. McpNet uses a 120 second per server timeout and the tool list fills in on the next background refresh about 60 seconds later. A slow first call through the tunnel is McpNet warming up, not a tunnel problem. Give it one retry before troubleshooting.

Running McpNet Gateway Standalone (NuGet or GitHub)

Everything above assumes you're using the McpNet Gateway that ships inside Localtonet, which is the fastest path and needs no configuration. If instead you'd rather run McpNet Gateway on its own, outside of Localtonet, by installing it from NuGet or building it from the GitHub repository, that standalone build does start in Dev mode by default, with no authentication. In that case you're responsible for switching it to Enterprise mode and setting your own admin token before exposing it:

appsettings.json or env var (standalone installs only)
McpGateway__Mode=Enterprise
McpGateway__AdminToken=your-strong-admin-token

You can still tunnel a standalone install with Localtonet's MCP Gateway tunnel type, it just points at whatever port your standalone instance is listening on instead of the bundled one.

Tips for Running MCP Gateway Behind a Tunnel

๐Ÿ”‘ Scope clients with ACLs before you expose McpNet's AllowedServerIds and AllowedGroupIds fields let you hand a remote agent a token that only sees the tools it needs. Leaving both empty grants access to everything, so set this up before the tunnel goes live.
๐Ÿ“ก Use a fixed subdomain for production agents Random subdomains are fine for testing, but any agent config you don't want to update weekly should use a reserved subdomain or your own domain.
๐Ÿ›  Watch the audit log through the tunnel Once exposed, check the dashboard Activity tab or hit GET /api/audit regularly. It logs every tool call with client, duration, and success, making it the fastest way to notice a leaked token being misused.
๐Ÿ’พ Back up dp-keys before you forget McpNet encrypts bearer tokens and OAuth secrets at rest under mcp-data/dp-keys/. Losing that folder makes every encrypted secret unrecoverable, tunnel or not.
๐Ÿšซ Set rate limits before agents hammer the tunnel McpNet enforces limits per client, per tool call, returning JSON RPC error -32029 when exceeded. Set a sane global RateLimitPerMinute so a misbehaving agent can't flood your upstream servers through the public URL.

Localtonet vs Alternatives for Exposing MCP Gateways

FeaturengrokCloudflare TunnelLocaltonet
Gateway bundled with the clientโœ˜โœ˜โœ”
Secured by default, no Dev moden/an/aโœ”
Dedicated MCP Gateway tunnel typeโœ˜โœ˜โœ”
Free HTTPS subdomainโœ”โœ”โœ”
Fixed subdomain on free planโœ˜โœ”โœ”
Requires a registered domainโœ˜โœ”โœ˜
Multi region server selection~โœ”โœ”
Setup time for a gateway tunnel~5 min~15 min~1 min
Price$0 to $10+/mo$0$0 to $2/tunnel/mo

Frequently Asked Questions

Do I need to install McpNet Gateway separately from GitHub or NuGet?

No, not if you're using Localtonet. McpNet Gateway is bundled with the Localtonet client and starts automatically once you install it. GitHub and NuGet installs exist for people who want to run McpNet Gateway completely standalone, outside of Localtonet.

Do I need to enter a host or port when creating the MCP Gateway tunnel?

No. The MCP Gateway tunnel type only asks for Process Type, Auth Token, Server, and Domain. It's already wired to forward to the bundled gateway, unlike a generic HTTP tunnel where you manually specify host and port.

Do I need to switch anything from Dev mode to Enterprise mode before tunneling?

Not with the bundled Localtonet version, it never runs in Dev mode and the admin token is already set through Localtonet's Settings. The Dev to Enterprise mode switch only matters if you installed McpNet Gateway standalone via NuGet or GitHub, where Dev mode with no authentication is the default.

Can I use a custom domain instead of localto.net?

Yes. The Domain dropdown on the MCP Gateway tunnel page accepts custom domains you've added through DNS Manager.

Will remote AI agents see all my upstream MCP servers through the tunnel?

Only if you let them. Set AllowedServerIds or AllowedGroupIds on each client's bearer token. Leaving both empty grants access to everything, so scope it deliberately.

Why is the first tool call slow right after I open the tunnel?

If an upstream server runs via npx, its package downloads on first connect, which can take 60 to 120 seconds. This is a McpNet startup cost, not tunnel latency, and resolves on the next background refresh about 60 seconds later.

Does the tunnel handle McpNet's session header correctly?

Yes. Localtonet forwards all headers transparently, including Mcp-Session-Id, which McpNet uses for its 24 hour session TTL. No special configuration is needed on either side.

Can I run multiple MCP Gateway tunnels on separate machines?

Yes. Install Localtonet on each machine and create a separate MCP Gateway tunnel for each, each with its own subdomain and auth token.

What happens if an agent exceeds the rate limit through the tunnel?

McpNet returns JSON RPC error code -32029. The tunnel itself has no separate rate limiting, so this is entirely controlled by McpNet's RateLimitPerMinute settings.

Ready to Expose Your MCP Gateway?

Go to the MCP Gateway page, grab the latest Localtonet client, and get your public endpoint in minutes. No credit card required.

Get Started Free โ†’

Localtonet is a secure multi-protocol tunneling and proxy platform designed to expose localhost, devices, private services, and AI agents to the public internet supporting HTTP/HTTPS tunnels, TCP/UDP forwarding, mobile proxy infrastructure, file server publishing, latency-optimized game connectivity, and developer-ready AI agent endpoint exposure from a single unified control plane.

support