> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Install ngrok on Linux (ARM64)

> Learn how to install ngrok on any Linux ARM64 device to tunnel traffic to your upstream services or remotely administer it.

In this guide, you'll learn how to install ngrok on any Linux ARM64 device to forward traffic from public endpoints to your upstream services or for remote management. You'll also create some a Traffic Policy to protect your device from unauthorized traffic.

This guide is specific to ARM64 devices on Linux—if you're using a different device or CPU architecture, first check whether your platform meets the ngrok agent's [system and resource requirements](/agent/#system-requirements). Other guides are also available that may fit your use case more precisely:

* [Linux AMD64 devices](/guides/device-gateway/linux/)
* [Raspberry Pi](/guides/device-gateway/raspberry-pi/)
* [Raspberry Pi OS](/guides/device-gateway/raspbian/)

## Prerequisites

To follow this guide, you need:

* An [ngrok account](https://dashboard.ngrok.com/signup) (some features require a [pay-as-you-go plan](https://ngrok.com/pricing))
* Any ARM64 device running Linux (see the [system requirements](/agent/#system-requirements) for all supported architectures)

## 1. Install the ngrok Agent

1. Open a shell session with your remote ARM64 device.

2. Download the latest ngrok agent binary for ARM64 devices.

   ```bash theme={null}
   wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-arm64.tgz
   ```

   <Note>
     Equinox is fully owned by ngrok and used exclusively for building and distributing ngrok binaries.
     See [the FAQ page](/faq#does-ngrok-own-bin-equinox-io) for more details.
   </Note>

3. Unzip the file and move it to a directory in your `PATH`, like `/usr/local/bin`.

   ```bash theme={null}
   sudo tar xvzf ./ngrok-v3-stable-linux-arm64.tgz -C /usr/local/bin
   ```

4. Link the ngrok agent to your ngrok account with your authtoken, replacing `{NGROK_AUTHOKEN}` with the value found in your [ngrok dashboard](https://dashboard.ngrok.com/get-started/your-authtoken).

   ```bash theme={null}
   ngrok authtoken {NGROK_AUTHTOKEN}
   ```

## 2. Enable SSH access

If you want to perform remote administration on your ARM64 device using a reserved TCP address and an encrypted tunnel, instead of relying on IP addresses, you can create a [TCP tunnel](/gateway/tcp/) at port `22` on your ARM64 device.

1. Start the TCP tunnel with `ngrok`.

   ::::warning
   TCP endpoints are only available on a free plan after [adding a valid payment method](https://dashboard.ngrok.com/settings#id-verification) to your account. If you get a different error, ensure your authtoken is configured correctly.
   ::::

   ```bash theme={null}
   ngrok tcp 22
   ```

   When the ngrok agent starts, you'll see a `Forwarding` line with similar information about the public endpoint for the TCP tunnel to your device:

   ```bash theme={null}
   Forwarding                    tcp://4.tcp.us-cal-1.ngrok.io:16420 -> localhost:22
   ```

2. On your local workstation, SSH into your ARM64 device with the command below, replacing the variables with the following:

   |                       |                                                                                                                                                        |
   | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
   | `{NGROK_PORT}`        | The port number assigned to your ngrok agent (for example, if the agent shows `tcp://4.tcp.us-cal-1.ngrok.io:12345`, your port number is `12345`).     |
   | `{USER}`              | An existing user on your remote device.                                                                                                                |
   | `{NGROK_TCP_ADDRESS}` | The address of the ngrok agent (for example, if the agent shows `tcp://4.tcp.us-cal-1.ngrok.io:12345`, your TCP address is `4.tcp.us-cal-1.ngrok.io`). |

   ```bash theme={null}
   ssh -p {NGROK_PORT} {USER}@{NGROK_TCP_ADDRESS}
   ```

## 3. Enable ingress to a service on your ARM64-based Linux device

Separately from SSH access, you can also use ngrok to create an [HTTP tunnel](/gateway/http/) to route traffic to specific applications or services running on your ARM64 device's `localhost` network.

<Note>
  If you already established a TCP tunnel for SSH access, you'll either need to create a second tunnel for the HTTP tunnel, or use the [agent configuration file](/agent/config/v3/) to define multiple tunnels.
</Note>

1. Use ngrok to create an HTTP tunnel at the port on which your service operates, for example, port `8080`.

   ```bash theme={null}
   ngrok http 8080
   ```

   When the ngrok agent starts, you'll see a `Forwarding` line with similar information about the public endpoint for the HTTP tunnel to your device:

   ```bash theme={null}
   Forwarding                    https://12345.ngrok.app -> http://localhost:8080
   ```

2. Optionally, you can reserve a [static subdomain](/gateway/domains/) like so:

   ```
   ngrok http 8080 --url https://example.ngrok.app
   ```

3. Open a browser and navigate to the endpoint, for example, `https://12345.ngrok.app`, to access the service from any remote system.

## 4. Add a Traffic Policy to restrict IPs

Now that you have SSH tunneling and service ingress handled via ngrok, you may also want to protect those services from unknown and untrusted users. You'll use the [Restrict IPs](/traffic-policy/actions/restrict-ips) Traffic Policy action.

1. Create a new file on your ARM64 device, where you create ngrok endpoints, named `policy.yml`.

2. Open the file for editing and paste in the following contents, replacing `1.1.1.1` with the public IP of the workstation you use to access your ARM64 device:

   ```yaml theme={null}
   on_tcp_connect:
     - actions:
       - name: "Restrict all IPs except trusted CIDRs"
         type: "restrict-ips"
         config:
           enforce: true
           allow:
            - "1.1.1.1/32"
   ```

   :::note
   ngrok's IP Restriction action uses [CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) to specific IPs or IP ranges. The `/32` notation refers to a single IPv4 address, like \`
   :::

3. Restart any existing tunnels, or create new ones, referencing the `policy.yml` file you just created, choosing between a TLS and HTTP tunnel below.

   <Tabs>
     <Tab title="TLS tunnel">
       ```bash theme={null}
       ngrok tcp 22  --traffic-policy-file /path/to/policy.yml
       ```
     </Tab>

     <Tab title="HTTP tunnel">
       ```bash theme={null}
       ngrok http 8080 --traffic-policy-file /path/to/policy.yml
       ```
     </Tab>
   </Tabs>

4. When you re-establish your TLS or HTTP tunnels, ngrok will proxy requests from your allowed IP/CIDR through to your ARM64 device and reject all others *at its cloud service*, preventing your device from being constantly bombarded with automated and malicious attacks.

## What's next?

Now that you can create ngrok endpoints on your Linux ARM64 device and understand the fundamentals of managing traffic with policies, you can extend your usage to make your device—or even a fleet of them—ready for production usage.

* Bring a [custom domain](/gateway/custom-domains/) to ngrok to create static endpoints.
* Learn how to write an [agent configuration file](/agent/config/v3/) to define and create multiple tunnels from a single command line.
* Install [ngrok as a service](/agent/#background-service) to start after your ARM64 device boots and automatically restart after crashes.
