private mesh networking

One private network
for everything you run.

0am links your laptops, servers, containers, and teammates into a single encrypted mesh. One command to join, peer-to-peer under the hood, access controlled down to the port. Wherever your machines live, they're on the same network.

free for solo + small projects - $10/user/mo for teams
~ 0am
# join a machine to your network
$ 0am up
signed in - this machine is now db-1 @ 100.64.0.7
finding peers... 5 candidates, punching through NAT
[net] DIRECT to web-1, api-2, laptop  (0 relayed)
connected - 4 machines, all peer-to-peer

$ ssh web-1            # allowed by your access policy
$ psql api-2            # blocked - api-2 isn't in db-1's grants
psql: error: connection timed out
what it does

Networking that gets out of the way.

The hard parts of private networking - encryption, NAT, access control - handled, so you can forget they exist.

>_ Join in one command

Run 0am up and the machine is on your network - a stable private IP, instantly reachable by name. No firewall rules, no port forwarding, no config files to babysit. Laptops, cloud VMs, containers, CI runners, a Pi in a closet - same one command.

~ Direct, encrypted, everywhere

Every connection is a WireGuard tunnel, punched straight through NAT so traffic goes peer-to-peer - not bounced through us. When a network is too locked down for direct, an encrypted relay carries it. No kernel module, no root.

# Access control that holds

Write who-can-reach-what as a simple policy. 0am turns it into real enforcement: a machine only sees what it's allowed to, and traffic to a port you didn't grant is dropped in the data path - even from a peer that already has the keys.

* Built for fleets

Tag machines, group them, and let policy follow the tags as the fleet changes. Pre-shared keys bring up headless servers and CI without a human in the loop. It scales from your two laptops to a few hundred nodes without changing how it feels.

how it works

Three steps. Then it's just there.

No portal to babysit, no agent zoo. Add a machine, set a policy, work.

Add your machines

Install the agent and sign in. Each machine gets a stable private IP and a name.

curl -fsSL 0am.sh/get | sh 0am up

Set who reaches what

One small policy file, by tag and group. It enforces, it doesn't just advise.

allow tag:dev -> tag:db:5432

Just connect

Reach any machine by name from anywhere - encrypted, direct, no VPN ritual.

ssh web-1 psql db-1
pricing

Free to start. $10 a user when it's a team.

No credit card to begin. Bring as many machines as you want - you only ever pay per person.

free

Solo

$0
1 user, 3 machines
  • The full mesh - direct, encrypted
  • NAT traversal + relay fallback
  • Access policies + enforcement
  • Pre-shared keys for headless + CI
  • Community support
Get started
for teams

Team

$10/user/mo
unlimited machines
  • Everything in Solo
  • SSO + your identity provider
  • Admin console + audit log
  • Roles + shared policy management
  • Private DNS for your network
  • Priority support
Start free trial

0am is the hour the rest of the internet goes quiet and you're still shipping. Your network shouldn't be the thing that's down. So we built one that just stays up - and gets out of your way.

Put your machines on one network.

Install the agent and you're on. Free for solo, $10 a user when it's a team - every machine included.

$ curl -fsSL https://0am.sh/get | sh