Product Overview
Larktun is a SaaS zero-trust networking platform for secure device and service access. It unifies network onboarding, access control, audit, and remote access in one control plane for personal home networks, engineering, operations, and enterprise remote-work teams.
Positioning
- A remote networking and access governance platform for both individuals and enterprises
- One user can be one tenant, so individual users can build home and office networks freely
- Enterprises can map tenants and policy boundaries to organizations, departments, or projects
- One control plane for devices, users, policies, and audit trails
- Stable, low-disruption, and scalable cross-network access
Core capabilities
1. SaaS and multi-tenant isolation
- SaaS delivery enables fast onboarding and lower maintenance cost
- Individual users get an independent tenant by default and can build private networks out of the box
- Each tenant has an isolated network boundary
- Device inventory, access records, and security events remain separated between tenants
2. Independent ACL per tenant
- ACL is configured and enforced with tenant scope
- Fine-grained authorization by user group, device tag, and time window
- Optional approvals, temporary grants, and automatic expiration to reduce permission sprawl
3. Custom private network IP ranges
- Default overlay range is
100.64.0.0/16 - Can be changed to custom ranges such as
192.168.6.0/24 - Helps avoid overlap with existing home, office, or datacenter subnets
4. Custom device naming
- Rename devices by owner, location, or purpose
- Improve readability in large endpoint lists
- Reduce operational mistakes in multi-device environments
5. User-managed relay servers
- Shared relay for fast initial rollout
- Dedicated relay for stronger path control
- User-managed relay for region, performance, or compliance-specific requirements
6. Subnet Router
- Publish private subnets into a tenant network even when target devices do not run the client agent
- Control reachability and ACL scope at subnet granularity
- Suitable for branch offices, datacenter networks, and industrial on-site environments
7. Exit Node
- Designate specific devices as exit nodes for unified internet egress
- Remote endpoints can use the exit node for fixed egress IP and consistent network policy
- Combine with ACL and approval flow to control who can use egress capability
8. Magic DNS
- Provide stable private DNS names for devices inside each tenant network
- Access endpoints by device or service names instead of memorizing IP addresses
- Reduce operational impact when endpoint IP addresses change
9. Customized clients and notification integration
- Customized desktop clients for Windows, macOS, and Linux
- Mobile apps for Android and iOS
- Notification integration with third-party clients, for example Tailscale login notifications
10. Low memory, non-intrusive, stable
- Low memory footprint for long-running background sessions
- Non-intrusive behavior that does not interrupt daily endpoint use
- Stable connectivity and auto-recovery in cross-region and NAT-heavy environments
Common scenarios
- Personal and enterprise NAS access
- Accessing home office computers remotely
- Secure server access for engineering and operations
- Server networking with permission control (tenant isolation + ACL)
- CCTV and monitoring camera access
- Industrial on-site device networking
- Remote device control and maintenance
- Secure connections for AI Agents to internal resources
Enterprise custom application development
- Support custom application development on top of Larktun for enterprise-specific business and security workflows
- Integrate with existing enterprise systems such as identity platforms, asset management, approval workflows, and operations tools
- Extend access policies, automation flows, and operational controls based on enterprise requirements for faster, more consistent rollout