Home Agent
Runs beside Tater on the user's home machine. It owns pairing, approved devices, route targets, and the local relay to approved Tater or app services.
macOSWindowsLinuxDocker path later
Secure relay + mobile VPN
Tater Tunnel
Bring your home Tater setup and approved local apps with you through your own VPS, without opening inbound ports at home.
Home Agent -> VPS Agent
WireGuard QR for phones
Approved routes only
What it does
A simple path from phone to your home apps.
Tater Tunnel splits the problem into two easy pieces: the home computer makes an outbound relay connection, and mobile devices use a normal WireGuard profile to reach approved app routes through the VPS side.
VPS Agent
Runs on the user's VPS. It gives the Home Agent a public rendezvous point, hosts WireGuard device peers, and relays approved requests.
Caddy HTTPSWireGuardNo home ports
Remote Devices
Phones and laptops scan a WireGuard QR, connect to the VPS, and open approved relay URLs like 10.88.0.1:4174/relay/tater/.
QR setupRevokableMobile friendly
Traffic shape
The VPS relays. The Home Agent owns trust.
PhoneWireGuard app
->
VPS10.88.0.1 relay
->
Home Agentapproved routes
->
Approved appslocal targets
One-command VPS setup
Blank VPS users get Caddy, WireGuard, firewall rules, and the service.
The interactive installer has a friendly terminal menu with update, blank VPS, advanced VPS, and setup-notes paths. Running the same command later lets users update an existing install.
Run on the VPS
curl -fsSL https://raw.githubusercontent.com/TaterTotterson/Tater_Tunnel/main/scripts/tater-vps-setup.sh \
-o /tmp/tater-vps-setup.sh && sudo bash /tmp/tater-vps-setup.sh
Mobile path
Phones use the familiar VPN flow.
The Home Agent generates a device profile, the VPS Agent installs the WireGuard peer, and the user scans a QR in the WireGuard app. Revoking a device removes the VPS peer and the Home Agent record.
Common route URL
http://10.88.0.1:4174/relay/tater/