every container,
addressable.
A WireGuard relay across six regions. Dedicated IPv6 for every Docker container — IPv4 on Pulse+IPv4 and Relay tiers. No NAT. All protocols. No bandwidth caps, ever — we never charge you for data.
✓ no credit card · ✓ free tier never expires · ✓ cancel anytime
Stop maintaining a server just to maintain an IP.
Every DIY relay is three outages and a kernel upgrade away from becoming your problem at 2am.
VPS + WireGuard + cron + hope
- ✗ Monthly bill for something that just forwards ports
- ✗ Kernel upgrades break WireGuard config
- ✗ Dynamic IP means constant DNS updates
- ✗ No PTR / rDNS control for mail servers
- ✗ You wake up when it goes down
One container. Real IP. Zero ops.
- ✓ Static public IP — it's yours, forever
- ✓ IP never changes when you restart the container
- ✓ No server to maintain, no cron jobs to babysit
- ✓ PTR / rDNS control per-IP, included
- ✓ We wake up when it goes down
- ✓ Unlimited bandwidth — no GB caps, ever
Three steps. Then you forget about us.
Your container behaves like it has a public IP — because it does. Every protocol, every port, inbound and outbound, behind any NAT.
Install the agent
One command pulls and starts the sidecar agent. It registers with the nearest relay and stays running in the background.
$ curl sidecar.network/install | sh # agent starts, connects to relay-us-east
docker run --network sidecar
Any container on the sidecar network gets a dedicated public IPv6 (and IPv4 on Pulse+IPv4 / Relay). No labels, no compose changes — just one flag.
$ docker run -d --name app \
--network sidecar nginx
sidecar | app → live
Your container has a public IPv6
Every plan includes a dedicated IPv6. Pulse+IPv4 and Relay tiers also include a public IPv4 — add sidecar.ipv4=true to claim one. Run curl from inside the container to verify.
$ docker exec app curl -s ifconfig.me 2001:db8:1::42 # reachable on every port, every protocol
9-layer defense. Zero tolerance. Privacy by construction.
Every layer of the stack is built so that a warrant, a subpoena, or a compromised relay yields nothing useful — and so noisy abusers get evicted before they affect your latency. see the full security stack →
● auto-takedown SLA: < 60 s · NRD blocklist: 2.7M domains, refreshed hourly · relay state: RAM-only, nothing on disk to seize
Nobody can profile your DNS lookups
- ✓ Oblivious DNS forwarding on every query
- ✓ Upstream resolver sees the query, not who asked
- ✓ Sidecar sees who asked, not the query
- ✓ Proxy-target unlinkability by construction
Two relays. Two independent keys.
- ✓ Per-container opt-in:
sidecar.relay-mode: onion - ✓ Hop through two relays in different regions
- ✓ Independent post-quantum key at each hop
- ✓ Neither relay alone can read your traffic
No talking to brand-new phishing infra
- ✓ Domains registered ≤ 7 days are blocked at DNS
- ✓ 2.7M domain blocklist refreshed hourly
- ✓ Default-on for Free / Spark / Launch
- ✓ Toggleable on Pulse and above
Bad actors evicted in < 60 seconds
- ✓ Known-bad URLs and IPs pushed to the automated egress firewall
- ✓ Verified report → peer disabled within 60 s
- ✓ Measured 481 ms in production
- ✓ Auto-drafted CyberTipline report on takedown
Noisy abusers caught by behaviour, not signatures
- ✓ Streaming behavioral safety detection
- ✓ Hourly sweep of per-peer in-kernel safety telemetry
- ✓ Catches cryptojacking, low-and-slow C2 beaconing
- ✓ Two-tick debounce keeps false-positive rate ~0.1%
Faster legitimate appeals. Humans still decide.
- ✓ On-relay LLM extracts IP + category + severity
- ✓ Fully offline — no third-party API calls
- ✓ AI abuse review with operator confirmation defends against prompt injection
- ✓ Advisory only; never autonomous revocations
Post-quantum on every connection
- ✓ Hybrid post-quantum encryption — classical + lattice
- ✓ Harvest-now-decrypt-later resistant
- ✓ Mandatory since initial release — not optional
Traffic shape protection + per-peer isolation
- ✓ Packet sizes obfuscated to resist fingerprinting
- ✓ Each container is isolated on its own network segment
- ✓ Traffic cannot cross peers at the relay
Nothing on disk to seize
- ✓ All peer state lives in memory
- ✓ Relay restart clears the slate
- ✓ Encrypted off-site backup — we hold the keys
No managed service gives Docker containers a real public IP with full protocol support at consumer prices.
Every managed competitor routes around the problem rather than solving it. Self-hosting a VPS works but costs more, requires you to maintain the server, and is your problem at 2am.
Start free. Pay when you're convinced.
Free tier never expires. No credit card required. No per-GB billing, no port taxes, no surprises. Pay with PayPal, card, or Bitcoin Lightning ⚡ (annual plans).
7 self-serve plans from $0.99 to $39.99/mo — Micro to Relay. Dedicated IPv4 from $29.99/mo (Pulse+IPv4). see the full pricing ladder →
All paid plans include: unlimited bandwidth · $0/GB · all TCP + UDP + ICMP · per-peer isolation · PTR/rDNS control
FAQ
Is this a real IP?
Yes. On Pulse+IPv4 ($29.99/mo) and Relay ($39.99/mo) tiers your container gets a dedicated IPv4 /32. All other tiers (Micro / Free / Spark / Launch / Pulse) include public IPv6 only. Every IP — IPv4 or IPv6 — is static and doesn't change when you restart the container. PTR/rDNS control included on IPv4 tiers.
What about abuse?
SMTP port 25 blocked at the relay kernel. CSAM → immediate token revoke + CyberTipline report within 24h. DDoS → same. AUP §10 is not a suggestion.
What if my connection goes down?
Stateless failover — the agent reconnects to any relay in our fleet across all 6 regions. Your PSK is derived from a cluster key, not per-relay state, so reconnecting to any relay restores your session without manual intervention.
Is there a free tier?
Yes. The Free plan is $0 forever — no trial expiry, no credit card. It gives you IPv6 connectivity at 2 Mbps sustained (10 Mbps burst) on our shared network. Upgrade to a paid plan when you need IPv4, more speed, or an isolated environment.
What's the bandwidth limit?
None. Every paid tier — including Launch at $9.99/mo — includes unlimited bandwidth. btc-full-node users have pushed 14 TB in a month. Bill didn't move.
What is post-quantum encryption?
Every connection is encrypted with a post-quantum algorithm that resists harvest-now-decrypt-later attacks — meaning traffic captured today cannot be decrypted even if classical cryptography is broken in the future. This is mandatory on all connections since initial release and cannot be downgraded.