Localtonet File Server: Turn Any Folder on Your PC Into a Secure, Publicly Accessible File Manager
Your files sit on your PC but you can never reach them from your phone at work. Cloud storage companies read your photos, scan your documents, and change their pricing whenever they feel like it. Localtonet's File Server solves all of this in minutes. Enter a local folder path on the File Server Tunnel page, press Start, and you have a full-featured web-based file manager available at a public HTTPS URL — with AES-256 folder encryption, an Immich-compatible mobile photo backup system, cloud backup to S3 and SFTP, a photo gallery that rivals dedicated media servers, and no file size restrictions on uploads. Your data never leaves your hardware. The encryption keys never leave your machine. No monthly storage fee. No vendor lock-in.
Why Cloud Storage Is the Wrong Answer for Private Files
Google Photos ended its free unlimited storage tier and now charges a recurring fee that grows as your library grows. Dropbox reduced its free quota. iCloud locks you into Apple's ecosystem. Every one of those services indexes your file names, reads metadata, and in some cases scans file contents for compliance and advertising. You agreed to it in the terms of service you didn't read.
The alternative — sharing files over a local network — breaks the moment you leave your home. VPNs require configuration on every device. Traditional port forwarding fails silently on CGNAT connections, which most residential ISPs now use by default. Sending files via messaging apps compresses your photos and imposes arbitrary size limits.
Localtonet's File Server feature removes every one of these barriers at once.
What the Localtonet File Server Actually Does
The File Server is one of Localtonet's tunnel types. You configure it from the File Server Tunnel page on the Localtonet dashboard — the same place you manage all your other tunnels. You pick a folder path on your local machine, choose a subdomain style, and press Start. Within seconds that folder is live at a public HTTPS URL.
The file manager that opens at that URL is not a stripped-down read-only viewer. It is a complete file management interface: upload, download, rename, move, copy, delete, create folders, search, preview, tag, archive, and share. The interface runs in the browser — your phone, your colleague's laptop, a shared computer at work. No app installation required on the client side.
The server runs entirely on your PC. Nothing is routed through Localtonet's infrastructure except the tunnel handshake. File bytes travel directly between the browser and your machine. Localtonet is the address book that tells the browser where to find you — nothing more.
How to Start the Localtonet File Server: Step-by-Step
Install the Localtonet app on your machine
Download and install the Localtonet app that matches your operating system. Windows, Linux, and macOS are all supported. The download page has platform-specific instructions. The app must be running on your machine for the tunnel to stay active.
Go to the File Server Tunnel page
Log in to your Localtonet account and navigate to localtonet.com/tunnel/fileserver. This is where all File Server tunnels are created and managed.
Select your Process Type
Choose how your public URL is structured. Random Sub Domain generates a unique subdomain automatically. Custom Sub Domain lets you pick a name under the Localtonet domain. Custom Domain uses your own registered domain. Pick whichever fits your use case — all three options serve the same file manager at a public HTTPS address.
Select your AuthToken and server
Pick the AuthToken you entered in the Localtonet app on your machine. You can manage tokens on the My Tokens page. Then select the Localtonet server region you want the tunnel to run on.
Enter the local folder path
Type the full path to the folder on your local machine that the File Server
will serve. On Windows this looks like C:\Users\Work.
On Linux or macOS it looks like /root or
/usr/share. Every file and subfolder inside this path
becomes accessible through the file manager.
Press Start
Click the Start button in the tunnel list. Localtonet activates the tunnel and your file manager is immediately live at the public HTTPS URL shown next to the tunnel entry. Share that URL with anyone who needs access.
The File Server tunnel is active only while the Localtonet app is running on the machine that holds the files. If the app closes, the public URL goes offline. Your files are untouched on disk, but nobody can reach them until the app restarts and the tunnel reactivates. For always-on access — a home server, a NAS, or a desktop that stays powered on — configure the Localtonet app to start automatically with the operating system.
How the Folder Encryption Actually Works
Most file-sharing tools encrypt data in transit: the connection between the browser and the server uses TLS. That protects your files from network interception. It does not protect them from someone who gains physical or remote access to your PC. Localtonet's File Server adds a second layer: files inside encrypted folders are encrypted on the disk itself, not just in transit.
🔒 The Vault Metadata File
When you create an encrypted folder, the server writes a hidden metadata file called
.fsvault inside it. This file stores the password verification data:
a randomly generated 32-byte salt and a hash derived from your password combined
with that salt. The actual AES-256 encryption key and your original password are
never stored anywhere on disk. The vault file only contains what is needed to
check whether a future password attempt is correct — nothing that could be used
to recover the original password.
🔒 How Files Are Encrypted
Every file uploaded into an encrypted folder goes through this process before touching the disk. First, a 256-bit AES key is derived from your vault password using PBKDF2 with SHA-256 and 100,000 iterations of hashing. Then, a fresh random 16-byte initialization vector is generated specifically for that file upload — a different value for every file, every time, even if you upload the same file twice. This vector is prepended to the ciphertext and the whole package is written to disk. Two identical files uploaded to the same vault produce completely different ciphertext on disk, which prevents any pattern analysis attack.
The 100,000 PBKDF2 iterations are the key protection against brute-force attacks. An attacker who steals your disk and wants to try password guesses can test roughly 10,000 guesses per second on professional hardware. A 12-character mixed-case alphanumeric password has more possible combinations than all the grains of sand on Earth — exhausting the search space at that rate would take longer than the age of the universe.
🔒 Unlock Tokens: Usability Without Compromise
Asking you to re-enter the vault password before every single file download would make the encrypted folder unusable. Instead, after a correct password verification the server issues a short-lived unlock token. That token is valid for 30 minutes and works for any file within the unlocked folder or any of its subfolders. The browser holds the token for the session. When it expires, the folder locks again and requires a fresh password entry. A background cleanup process runs every 5 minutes to evict expired tokens from memory.
Each encrypted folder has its own independent password and key. User A can have a /private/alice folder locked with one password, and User B can have a /private/bob locked with a completely different password. Even the server administrator needs the correct vault password to read the contents of each folder — there is no master override key.
The Mobile Photo Backup System: Your Own Immich, on Your Own PC
Immich is the most popular self-hosted photo backup application in the world right now. Its mobile client is polished, its deduplication is reliable, and it has become the default recommendation for anyone who wants to stop paying Google Photos. The problem: running a real Immich server requires a multi-container Docker setup, a Postgres database, Redis, and a machine with at least 4 GB of RAM kept permanently online.
The Localtonet File Server's mobile backup system is compatible with the Immich API. Mobile clients that speak the Immich backup protocol can point at your Localtonet public URL and start backing up immediately. The metadata, the deduplication logic, the album management — all of it runs on your own machine. Postgres and Redis are not required. The asset metadata is stored in a hidden folder as lean JSON files.
📱 Deduplication
Every photo uploaded from your phone carries a checksum. The server maintains an in-memory checksum index. Before storing any new upload, it checks whether that checksum already exists. If it does, the server returns the existing asset ID and discards the duplicate upload — saving bandwidth and disk space without any manual management on your part.
📱 At-Rest Encryption for Photos
Enable the mobile backup encryption option and every photo and video uploaded from your phone is encrypted on disk before being saved. The Localtonet client generates and manages the encryption keys automatically — you don't configure them manually. The important design choice here: the key is derived per user from a stable internal value, not from the login password. Changing your account password later never breaks access to your existing photo library — a common pitfall in systems that tie storage keys to login credentials.
📱 Memory Management for Low-End Hardware
The mobile backup system is designed to run on hardware with as little as 2 GB of RAM. The asset cache has a configurable memory budget — 96 megabytes under normal conditions, automatically reduced to 48 megabytes when available system memory drops below 1.5 gigabytes. On very constrained devices the system streams asset data from disk instead of keeping it in RAM. The server detects available memory at startup and applies conservative settings automatically if it determines the hardware is limited.
📱 Album Support
Albums created in your mobile client sync to the server. Each album carries its own metadata file. Changes made on the server — adding or removing photos from an album — sync back to the mobile client on the next backup run. Shared album links work the same way as regular public share links, with optional expiry and password protection.
The Photo Gallery: Date Grouping, Lightbox, and Full Encrypted Folder Support
Any folder in the file manager can be switched to gallery view. Right-click the folder, select Enable Gallery, and the UI transitions from a file list to a photo-first masonry grid where images and videos are sorted and grouped by date. The gallery supports JPEG, PNG, GIF, BMP, WebP, AVIF, HEIC, HEIF, TIFF, and SVG for images, and MP4, WebM, MOV, M4V, AVI, MKV, and OGV for video.
🖼 EXIF Orientation
Portrait photos taken on iPhone and modern Android phones carry EXIF orientation data that tells viewers to rotate the image before displaying. Many thumbnail generators ignore this and show photos sideways or upside-down. The Localtonet File Server reads the EXIF orientation tag and applies the correct rotation and flip transformation before generating the thumbnail. All eight EXIF orientation values are handled, including the unusual mirror-and-rotate combinations produced by some camera apps.
🖼 Video Thumbnails
Video thumbnails are extracted without requiring any external software installation. For MP4 and MOV files, the server first checks for an embedded cover art track — a feature many iPhone and Android videos include automatically. If no cover art is found, it scans the video file for the first JPEG frame stored in the media container. When both methods fail, FFmpeg is used as a fallback. FFmpeg can be installed manually or downloaded automatically by the server on first use. Thumbnail generation runs up to two concurrent jobs at a time to avoid saturating the CPU during bulk import operations.
🖼 Lightbox and Navigation
Clicking any photo opens a fullscreen lightbox with a filmstrip of adjacent images at the bottom for quick navigation. Keyboard arrow keys step through photos. Videos play inline inside the lightbox. Selecting multiple photos in gallery view works the same as in the file list — checkbox selection, then bulk download as a ZIP or bulk move to another folder.
🖼 Gallery Works Inside Encrypted Folders
After unlocking an encrypted folder with its vault password, gallery view works exactly the same as in a regular folder. The unlock token is automatically passed on every thumbnail request and every full-resolution download. You never re-enter the password to view individual photos — the session token handles authentication transparently until it expires.
Cloud Backup: S3, FTP, and SFTP with Encrypted Payloads
Running a file server on your own PC is great until the hard drive fails. The built-in backup engine is the answer to that problem. Configure a remote backup target and the server handles everything automatically — schedule, retry, change detection, and encryption of the backup payload before upload.
💾 Supported Targets
Three remote target types are supported: Amazon S3 (and any S3-compatible storage like Backblaze B2, Wasabi, or MinIO), FTP servers, and SFTP servers. You can configure multiple providers simultaneously — for example, a primary S3 backup and a secondary SFTP backup to a home NAS, running on the same schedule.
💾 Credential Protection
Backup provider credentials (your S3 access key, FTP password, SFTP private key) are stored on disk encrypted. If someone reads your configuration files they see only ciphertext — not your cloud storage credentials. The backup payload — the actual files being uploaded — is also encrypted before being sent to the remote. The remote storage provider stores encrypted blobs it cannot read. The Localtonet client manages all these keys automatically.
💾 Automatic Scheduling and Change Detection
The backup engine runs on two triggers. The first is a periodic full scan every 30 minutes: the engine walks every file in the root directory, computes checksums, and uploads any file that is missing or changed on the remote. The second is a change-event trigger: whenever a file is created, modified, or deleted, the engine waits 45 seconds to let activity settle, then runs an incremental backup immediately. A burst of 500 photo imports triggers a single backup run 45 seconds after the last import, not 500 individual runs.
💾 Retry with Exponential Backoff
Network errors during backup are handled automatically. When an upload fails, the engine waits before retrying, doubling the wait time on each attempt: 2 seconds after the first failure, 4 seconds after the second, 8 seconds after the third. After three failures, the file is logged as failed and the engine moves on rather than blocking the entire backup run. The job history retains the last 200 runs with per-file status, so you can see exactly which files failed and why.
💾 Snapshot Retention
The backup index on the remote stores snapshots — point-in-time records of what was backed up and when. The retention setting controls how many snapshots are kept in the restore list. The default is 10. Older snapshots are hidden from the restore UI, but the underlying files are not automatically deleted from the remote.
The Full File Management Interface
Beyond encryption and media backup, the core file management experience is what users interact with day to day. The interface runs entirely in the browser — nothing to install on the device accessing your files.
Permissions in Depth: Global Roles and Per-Path Overrides
Every user account has a set of global permission flags: Upload, Download, Delete, Create Folder, Move, and Share. These are the baseline for everything that user can do anywhere on the server.
Per-path overrides refine those baselines for specific directories. An override can grant permissions the user does not have globally, or revoke permissions they do have globally. The most-specific matching path wins.
| User | Global permissions | Path override | Effective result |
|---|---|---|---|
| Collaborator | Download only | /incoming — allow Upload | Can upload to /incoming, can download from everywhere else, cannot delete or move anything |
| Archive reader | No permissions | /archive — allow Download | Can only download from /archive, invisible everywhere else |
| Admin minus delete | Full access | /legal — deny Delete | Full access everywhere except cannot delete anything inside /legal |
| Drop-only guest | No permissions | /dropbox — allow Upload, deny Download | Can upload files to /dropbox but cannot see or download what others have uploaded |
Per-path rules are evaluated at request time and take effect immediately without restarting the tunnel.
Public Share Links: Controlled Access Without User Accounts
Not every recipient needs a permanent account. The public share link system generates a time-limited or use-limited URL for any file or folder. The recipient clicks the link and gets immediate access without logging in.
Webhook Events: Connect Your File Server to Any Automation
Register an HTTP endpoint and the file server fires a POST request to it every time a file event occurs: upload, deletion, rename, or move. Webhooks bridge your file server to any downstream automation — a notification script, a home automation trigger, a CI pipeline, or a custom workflow tool.
Each webhook registration carries three optional filters: an event type filter, a path prefix filter (fire only when the affected file is under a specific folder), and an HMAC secret for request signing. When a secret is set, every outgoing webhook request includes a signature header so your endpoint can verify the request came from your own file server. Webhook requests have a 10-second timeout and fire asynchronously — a slow endpoint does not block file operations.
Disk Spanning: Pool Multiple Drives Without Any RAID Setup
A single drive fills up eventually. RAID-0 doubles the risk: losing one drive loses everything. Disk spanning takes a simpler approach. You define a list of additional storage directories, each on a different drive. When the primary drive's free space drops below a configurable threshold (1 gigabyte by default), new file writes automatically route to the directory with the most available free space.
Reading is transparent. A file on the primary drive and a file on an overflow drive appear side by side in the same folder listing and download identically. Span directories can be added and removed at runtime through the admin panel without restarting the tunnel. The risk profile is better than RAID-0: losing one drive loses only the files on that drive, not the entire collection. Pair disk spanning with the cloud backup feature to cover individual drive failures.
Smart Collections: Virtual Folders That Always Stay Up to Date
A smart collection is a saved query that behaves like a regular folder. You define rules — file extension, path contains a specific string, name contains a specific string, minimum or maximum file size — and the collection automatically shows every matching file in your entire file tree. As new files arrive that match the rules, they appear in the collection without any action on your part.
| Collection name | Rule | What it shows |
|---|---|---|
| Large Videos | Extension: .mp4, .mkv — Size: > 500 MB | Every large video file anywhere in the tree |
| 2024 Invoices | Path contains: 2024 — Name contains: invoice — Extension: .pdf | All PDF invoices in any folder whose path includes "2024" |
| All RAW Photos | Extension: .cr2, .nef, .arw, .dng | Every RAW photo file regardless of location |
| Small Documents | Extension: .pdf, .docx — Size: < 1 MB | Lightweight documents easy to share via link |
Security: What the File Server Protects Against By Default
../../etc/passwd or any variant
is rejected with a 403 before any file system operation occurs. Users
cannot navigate above the root folder regardless of what they put in the URL.
.exe,
.bat, .cmd, .ps1, and .sh.
An allowlist mode is also available — configure an explicit list of permitted
extensions and everything else is rejected automatically.
Localtonet File Server vs. Nextcloud vs. Google Drive vs. Immich
| Feature | Google Drive | Nextcloud | Immich | Localtonet File Server |
|---|---|---|---|---|
| Data stays on your hardware | ✗ | ✔ | ✔ | ✔ |
| At-rest file encryption | Google-managed key | Plugin | ✗ | ✔ AES-256, your key |
| No monthly storage fee | ✗ | ✔ | ✔ | ✔ |
| No upload size limit | ✗ (15 GB total free) | ✔ | ✔ | ✔ |
| Mobile photo backup | ✔ | ✔ | ✔ (native) | ✔ (Immich-compatible) |
| Works behind CGNAT, no router config | ✔ (cloud) | ✗ | ✗ | ✔ Localtonet tunnel |
| No database required | N/A | ✗ | ✗ (Postgres + Redis) | ✔ |
| Setup time | Instant (cloud) | Hours (server stack) | Hours (Docker stack) | Under 2 minutes |
| Runs on low-end hardware | N/A | ~ | ✗ (4+ GB RAM) | ✔ low-memory mode, 1 GB RAM |
| Cloud backup with encrypted payload | ✗ | Plugin | ✗ | ✔ built-in S3/FTP/SFTP |
| Smart collections | ✗ | ~ | ✔ | ✔ |
| Webhook events | ✗ | ✔ | ✔ | ✔ |
| Per-path permission overrides | ✗ | ✔ | ✗ | ✔ |
| Price | Free 15 GB / paid above | Free (self-host) | Free (self-host) | Included in Localtonet plan |
The honest trade-off: Google Drive has a larger mobile app ecosystem and works without any server. Nextcloud has more third-party integrations. Immich's photo browsing UI is more polished for very large libraries. Localtonet File Server wins on zero-infrastructure setup, genuine at-rest encryption, CGNAT compatibility, no database dependency, and no upload size restrictions.
🛠 Tips for Getting the Most Out of the Localtonet File Server
Frequently Asked Questions
Do my files pass through Localtonet's servers?
No. Localtonet's infrastructure handles only the tunnel routing — the part that maps a public URL to your PC's local address. File bytes travel in a direct encrypted connection between the remote browser and your machine. Localtonet servers never see, store, or process your file contents.
Is there a file size limit on uploads?
No. The Localtonet File Server imposes no file size limit on uploads. You can upload files of any size — multi-gigabyte videos, large archives, raw disk images — without hitting an artificial cap. The practical limit is your available disk space and the speed of your internet connection.
What happens to my files when the Localtonet app is closed?
The tunnel goes offline and the public URL becomes unreachable. Your files are completely unaffected on disk — nothing is deleted or changed. When you restart the Localtonet app and activate the tunnel again, everything comes back exactly as you left it. For always-on access, configure the Localtonet app to start automatically with the operating system.
Can multiple people use the file server at the same time?
Yes. The server handles concurrent connections from multiple users simultaneously. Each user logs in with their own account and sees only what their permissions allow. Real-time updates mean all connected users see changes immediately — if one user uploads a file, all other connected browsers refresh their file list within seconds.
Can I use this to replace Google Photos for my family?
Yes, this is one of the primary use cases. Each family member gets their own account. The mobile backup system deduplicates photos automatically so if two family members photograph the same event, the duplicate is not stored twice. The photo gallery groups images by date and displays them in a grid similar to Google Photos. You keep full control over the data and pay no monthly fee.
What happens if I forget the password to an encrypted folder?
The files inside the folder are permanently inaccessible. There is no password reset, no admin override, and no recovery mechanism — this is intentional, because a backdoor would undermine the encryption guarantee. Store every vault password in a password manager entry before encrypting a folder.
Does the Immich mobile app work with the Localtonet File Server?
The Localtonet File Server implements the Immich-compatible backup API. Mobile clients that use the Immich backup protocol can point at your Localtonet public URL as the server address and back up photos and videos directly. Deduplication, album sync, and asset metadata all work. Immich app features that depend on Immich-specific server endpoints outside the backup and sync scope may not function.
Can I run the File Server on a Raspberry Pi?
Yes. The file server has a dedicated low-memory mode designed for hardware with 1 to 2 GB of RAM. In low-memory mode, the mobile asset cache is reduced to 48 MB, snapshot data is streamed from disk instead of held in memory, and expensive background operations are throttled. A Raspberry Pi 4 with 2 GB of RAM handles a household-sized photo library comfortably. For libraries above 20,000 photos, the 4 GB model is the better choice.
Which folder path should I enter — root or a specific subfolder?
Enter the exact folder you want to expose, not a broad system path.
On Windows, something like C:\Users\YourName\SharedFiles
is safer than C:\Users\YourName, which would expose your
entire user directory including application data and hidden folders.
On Linux, a dedicated directory like /srv/fileserver is
cleaner than /root or /home/username.
Everything inside the path you enter becomes browsable to anyone
with access to the tunnel URL.
What file types can be previewed in the browser?
Images (JPEG, PNG, GIF, WebP, AVIF, HEIC, HEIF, BMP, SVG, TIFF), videos (MP4, WebM, MOV, AVI, MKV), PDF files, Word documents, Excel spreadsheets, and PowerPoint presentations all open in the browser without downloading. Code and text files open in the integrated syntax-highlighted editor. Audio files play in an inline player. Any other type shows a download prompt.
Ready to Run Your Own File Server From Your PC?
Sign up free, download the Localtonet app, go to the File Server Tunnel page, enter a local folder path, and press Start. Your personal file manager is live at a public HTTPS URL in under two minutes. No credit card required.
Get Started Free →
