Secure remote access.
Zero trust. One binary.
Manage any remote site or infrastructure without VPN, open ports, or complex setup. saveme agents call home through any network, giving you secure SSH, RDP, and web access to your infrastructure from our SaaS or installed in your own datacenter.
- 1A temporary key is issued just for this session
- 2Connected through the secure tunnel to the remote host
- 3Full shell access, session is recorded
- 1Secure tunnel established to the remote site
- 2Remote desktop port forwarded to your machine
- 3Your RDP client opens automatically
- 1Secure tunnel established to the remote site
- 2A clean browser session opens, nothing saved to disk
- 3Access the web interface as if you were on the local network
Everything you need for secure remote access
Agents call home through any firewall. No open ports, no VPN, no infrastructure to manage on the remote side. Just authenticate and connect.
Multi-Protocol
SSH, RDP, and HTTPS web consoles through a single encrypted tunnel. One tool for everything.
OIDC Authentication
Log in once via your company's identity provider. No passwords to share, no credentials to rotate.
Named Connections
Connect to any host by name. Your team manages the list centrally and everyone gets access the moment they log in.
Ephemeral Certificates
Each session gets a unique key that expires automatically. Stolen credentials are worthless the moment the session ends.
Zero Disk Persistence
No credentials are ever stored on the machine. Close the session and there is nothing left to find.
Session Audit
Every session is recorded with the user's identity and timestamp. Know exactly who did what and when.
Built for real-world constraints
Reverse tunnels solve problems that VPNs and static IPs can't. Here's where saveme fits when conventional remote access fails.
Behind CGNAT or no static IP
No static IP, no port forwarding, no dynamic DNS. If you have outbound internet, you have remote access.
Restricted countries
Where VPNs are blocked, SSH still gets through. Connect to your company resources from anywhere, no matter the local network restrictions.
Break-glass incident response
When your primary access path is down, you still need a way in. A separate agent on a different connection gives you access to the very systems you need to fix.
Vendor and contractor access
Give a vendor access to exactly one service, nothing more. Every session is logged under their identity. Revoke it instantly when the work is done.
Retail and franchise locations
Ship a Pi with each store opening. No IT staff needed on-site, no per-location VPN configuration. POS systems, security cameras, and back-office servers are all reachable the moment the Pi powers on.
Medical devices and clinical sites
Regulations often prohibit opening inbound connections to medical devices. An outbound-only agent satisfies isolation requirements while still enabling remote support.
Disaster recovery built in
The reverse tunnel reconnects automatically over any IP link. Plug in a 4G/5G dongle or a Starlink terminal and your infrastructure stays reachable even when the primary connection is down.
ISP outage
Primary internet goes down. The Pi automatically fails over to 4G/5G and re-establishes the reverse tunnel. You stay connected.
Remote site with no fixed line
Construction sites, pop-up offices, industrial equipment. A Pi with a 4G/5G dongle gives you full remote access anywhere with cellular coverage.
Satellite connectivity
Starlink, OneWeb, or any satellite uplink. The Pi maintains a persistent reverse tunnel over any IP-capable link, even from the middle of the ocean.
Dual-path redundancy
Run two Pi agents, one on wired ethernet and one on cellular. If either path drops, the other keeps the tunnel alive. Zero downtime.
saveme vs Hardware KVM
Different tools for different problems. saveme excels at secure daily operations at scale. Hardware KVM excels at bare-metal recovery.
| Feature | saveme | KVM Hardware |
|---|---|---|
| Deployment | Software agent, installs in minutes | Dedicated appliance per machine |
| Cost at scale | Flat, one agent per site | Grows with machine count |
| Access type | OS-level: SSH, RDP, web console | Hardware-level: BIOS, boot, pre-OS |
| Authentication | Zero-trust, short-lived credentials | Shared password or web login |
| Multi-user access | Per-user policies and groups | Typically a single shared account |
| Audit trail | Full session audit log | None |
| Network | Works over any outbound connection | Requires inbound access or VPN |
| Pre-boot / BIOS | No | Yes |
| Remote power control | No | Yes |
Security first
Built on zero-trust principles. No secrets on disk, no static credentials, no long-lived keys.
OIDC authentication
No passwords, no API keys. Users log in through the identity provider your company already uses.
Ephemeral certificates
Each session gets a unique key that expires on its own. There are no long-lived credentials to leak or rotate.
Zero disk writes
Sensitive data never touches disk. When the session ends, everything disappears with it.
HTTPS enforcement
Web access is restricted to encrypted connections only. Unencrypted targets are rejected before the session opens.
RAM-backed browser profiles
Web sessions run in an isolated browser profile kept only in memory. Cookies, history, and cached data are wiped when the session closes.
Session audit trail
A full record of every session is kept with the user's identity, source, and timestamp. Ready for compliance and incident review.