Secure remote access.
Zero trust. One binary.
Manage any remote site or infrastructure without VPN, open ports, or complex setup. saveme agents call home through any network over a battle-hardened SSH tunneling infrastructure, giving you secure terminal, RDP, and web access wherever the machine is. OIDC authentication with MFA and role-based access control keep every session tied to an identity and limited to what that user is allowed to reach.
- 1Your identity provider confirms who you are, MFA included
- 2A temporary key is issued just for this session
- 3Full shell access through the secure tunnel, session is recorded
- 1Log in once through your company SSO, MFA enforced
- 2Secure tunnel established to the remote site
- 3Remote desktop port forwarded and your RDP client opens automatically
- 1Authenticate via your identity provider, no credentials to remember
- 2Secure tunnel established to the remote site
- 3A clean browser session opens, nothing saved to disk
Everything you need for secure remote access
Agents call home through any firewall. No open ports, no VPN, no infrastructure to manage on the remote side. Just authenticate and connect.
Multi-Protocol
SSH, RDP, and HTTPS web consoles through a single encrypted tunnel. One tool for everything.
OIDC + RBAC
Log in once via your identity provider with MFA enforced. Roles control exactly who can reach which host and by which protocol. Revoke access instantly.
Named Connections
Connect to any host by name. Your team manages the list centrally and everyone gets access the moment they log in.
Ephemeral Certificates
Each session gets a unique key that expires automatically. Stolen credentials are worthless the moment the session ends.
Zero Disk Persistence
No credentials are ever stored on the machine. Close the session and there is nothing left to find.
Session Audit
Every session is recorded with the user's identity and timestamp. Know exactly who did what and when.
Built for real-world constraints
Reverse tunnels solve problems that VPNs and static IPs can't. Here's where saveme fits when conventional remote access fails.
Behind CGNAT or no static IP
No static IP, no port forwarding, no dynamic DNS. If you have outbound internet, you have remote access.
Restricted countries
Where VPNs are blocked, SSH still gets through. Connect to your company resources from anywhere, no matter the local network restrictions.
Break-glass incident response
When your primary access path is down, you still need a way in. A separate agent on a different connection gives you access to the very systems you need to fix.
Vendor and contractor access
Give a vendor access to exactly one service, nothing more. Every session is logged under their identity. Revoke it instantly when the work is done.
Retail and franchise locations
Ship a Pi with each store opening. No IT staff needed on-site, no per-location VPN configuration. POS systems, security cameras, and back-office servers are all reachable the moment the Pi powers on.
Medical devices and clinical sites
Regulations often prohibit opening inbound connections to medical devices. An outbound-only agent satisfies isolation requirements while still enabling remote support.
Disaster recovery built in
The reverse tunnel reconnects automatically over any IP link. Plug in a 4G/5G dongle or a Starlink terminal and your infrastructure stays reachable even when the primary connection is down.
ISP outage
Primary internet goes down. The Pi automatically fails over to 4G/5G and re-establishes the reverse tunnel. You stay connected.
Remote site with no fixed line
Construction sites, pop-up offices, industrial equipment. A Pi with a 4G/5G dongle gives you full remote access anywhere with cellular coverage.
Satellite connectivity
Starlink, OneWeb, or any satellite uplink. The Pi maintains a persistent reverse tunnel over any IP-capable link, even from the middle of the ocean.
Dual-path redundancy
Run two Pi agents, one on wired ethernet and one on cellular. If either path drops, the other keeps the tunnel alive. Zero downtime.
saveme vs Hardware KVM
Different tools for different problems. saveme excels at secure daily operations at scale. Hardware KVM excels at bare-metal recovery.
| Feature | saveme | KVM Hardware |
|---|---|---|
| Deployment | Software agent, installs in minutes | Dedicated appliance per machine |
| Cost at scale | Flat, one agent per site | Grows with machine count |
| Access type | OS-level: SSH, RDP, web console | Hardware-level: BIOS, boot, pre-OS |
| Authentication | Zero-trust, short-lived credentials | Shared password or web login |
| Multi-user access | Per-user policies and groups | Typically a single shared account |
| Audit trail | Full session audit log | None |
| Network | Works over any outbound connection | Requires inbound access or VPN |
| Pre-boot / BIOS | No | Yes |
| Remote power control | No | Yes |
Deployment
saveme
Software agent, installs in minutes
KVM Hardware
Dedicated appliance per machine
Cost at scale
saveme
Flat, one agent per site
KVM Hardware
Grows with machine count
Access type
saveme
OS-level: SSH, RDP, web console
KVM Hardware
Hardware-level: BIOS, boot, pre-OS
Authentication
saveme
Zero-trust, short-lived credentials
KVM Hardware
Shared password or web login
Multi-user access
saveme
Per-user policies and groups
KVM Hardware
Typically a single shared account
Audit trail
saveme
Full session audit log
KVM Hardware
None
Network
saveme
Works over any outbound connection
KVM Hardware
Requires inbound access or VPN
Pre-boot / BIOS
saveme
No
KVM Hardware
Yes
Remote power control
saveme
No
KVM Hardware
Yes
Security first
Built on zero-trust principles. No secrets on disk, no static credentials, no long-lived keys.
OIDC + RBAC
Users log in through your identity provider with MFA enforced. Roles control exactly who can reach which host and by which protocol. Onboard or offboard anyone in seconds.
Ephemeral certificates
Each session gets a unique key that expires on its own. There are no long-lived credentials to leak or rotate.
Zero disk writes
Sensitive data never touches disk. When the session ends, everything disappears with it.
HTTPS enforcement
Web access is restricted to encrypted connections only. Unencrypted targets are rejected before the session opens.
RAM-backed browser profiles
Web sessions run in an isolated browser profile kept only in memory. Cookies, history, and cached data are wiped when the session closes.
Session audit trail
A full record of every session is kept with the user's identity, source, and timestamp. Ready for compliance and incident review.