NFLTR is an encrypted tunnel relay on nfltr.xyz. Services behind NAT and firewalls reach the internet without a VPN. With E2EE enabled by default, the relay never sees your data. Deploy agents at client sites to reach on-premise networks securely.

Does NFLTR work behind CGNAT or strict firewalls?

Yes. The NFLTR agent connects outbound over gRPC (port 443). No inbound ports, no static IP, no firewall changes required. Works behind CGNAT, hotel Wi-Fi, and corporate firewalls.

Is NFLTR end-to-end encrypted by default?

Yes. Tunnel commands run end-to-end encrypted by default. The agent terminates TLS and the relay routes by SNI without decrypting in verified mode. You can opt out with --e2ee=false for inspectable debugging mode. P2P features remain end-to-end encrypted.

End-to-end encrypted tunnels on nfltr.xyz

One command.
Encrypted by default.
Relay stays blind in verified mode.

Start a public tunnel in seconds while keeping TLS termination on your agent. Use proof endpoints and fingerprint checks to verify what mode your route is running in.

Download Agent Verify E2EE

Terminal - encrypted tunnel via nfltr.xyz

# E2EE is enabled by default for tunnel commands

$ nfltr http 8080

nfltr latest

Mode verified (agent terminates TLS)

Server nfltr.xyz:443 (routes by SNI)

Forwarding https://abc123.nfltr.xyz/ -> http://localhost:8080

Connected - waiting for requests...

Default verified mode for
tunnel commands

Blind relay does not read
HTTP bodies in verified mode

1 cmd from localhost to
public encrypted URL

How encrypted routing works

The trust boundary is simple: your agent handles TLS identity, the relay handles routing.

Agent keeps the TLS key

Your agent serves the certificate and terminates TLS for the tunnel route.

Relay routes by hostname

The relay uses SNI and forwards opaque traffic to the connected agent.

Inspectable mode is explicit

Use --e2ee=false only when you want traffic inspection for debugging.

Proof over promises

Verify route mode with public artifacts

Check mode labels, proof JSON, and fingerprint matches to confirm what is running in production.

Check mode label

Dashboard and agent output should show Verified for blind relay routing.

Open proof JSON

Confirm blind_relay: true for the route you exposed.

Match fingerprints

Ensure the agent fingerprint matches the public proof entry.

These checks give you concrete evidence that the route is running in verified mode with agent-held TLS identity.

Verify E2EE

Quickstart in three steps

Start local, publish encrypted, then verify mode.

1. Download

# macOS (Apple Silicon)
curl -fsSL https://storage.googleapis.com/nfltr-downloads/latest/nfltr-darwin-arm64 \
  -o nfltr && chmod +x nfltr

# Linux (x86_64)
curl -fsSL https://storage.googleapis.com/nfltr-downloads/latest/nfltr-linux-amd64 \
  -o nfltr && chmod +x nfltr

2. Run a tunnel

# Verified mode by default
nfltr http 8080

# Optional stable endpoint
nfltr http 8080 --name my-api --api-key $NFLTR_API_KEY

3. Verify behavior

# Inspect proof artifacts
open https://nfltr.xyz/proof/my-api.json

# Compare fingerprint from agent output
# with tls_fingerprint in proof JSON

Download Agent Verify E2EE

Download the agent

Single binary for Linux, macOS, Windows, ARM, and WASM.

Latest: latest

Platform	Architecture	Download
Linux	x86_64 (amd64)	Download
Linux	ARM64 (aarch64)	Download
macOS	Apple Silicon (arm64)	Download
macOS	Intel (amd64)	Download
Windows	x86_64 (amd64)	Download
Windows	ARM64	Download
WebAssembly	WASI (sandboxed)	Download

Ship your first encrypted tunnel now

Start fast, then verify exactly how the route is handled.

Download Agent Verify E2EE

One command.Encrypted by default.Relay stays blind in verified mode.

How encrypted routing works

Agent keeps the TLS key

Relay routes by hostname

Inspectable mode is explicit

Verify route mode with public artifacts

Check mode label

Open proof JSON

Match fingerprints

Quickstart in three steps

1. Download

2. Run a tunnel

3. Verify behavior

Download the agent

Ship your first encrypted tunnel now

One command.
Encrypted by default.
Relay stays blind in verified mode.