Expose local services to the internet.
No firewall changes needed.

A bidirectional proxy that connects agents behind NAT and firewalls to the public internet through secure encrypted tunnels. Single binary. Zero configuration.

Download Agent See How It Works
10Communication Patterns
6Auth Methods
7Platforms
0External Deps Required

How It Works

Agents behind firewalls connect outbound to the NFLTR server. The server proxies inbound HTTP requests through the established gRPC tunnel — no port forwarding needed.

PUBLIC INTERNET NFLTR SERVER BEHIND FIREWALL / NAT Browser / API Client Webhook Provider Another Agent (A2A) HTTP Ingress Public traffic in Secure Tunnel Encrypted gRPC channel Authentication & Routing Admin Dashboard Tunnel Agent localhost:3000 Embedded SDK Your application IoT / Edge Device Sensor fleet WASM Agent Sandboxed (Wasmer/Wazero) Firewall
1

Agent Connects Out

The agent initiates an encrypted connection outbound to the NFLTR server. No inbound ports or port forwarding needed. Works behind NAT, CGNAT, and corporate firewalls.

2

Server Proxies Traffic

HTTP requests to <agent-id>.nfltr.xyz are dispatched through the encrypted tunnel to the agent. The agent forwards them to your local service and returns the response.

3

Instant Public URL

Your local service is now accessible from the internet with a stable subdomain or a temporary share link like swift-bay.nfltr.xyz.

10 Communication Patterns

One platform, many patterns. NFLTR handles everything from simple HTTP proxying to agent-to-agent messaging, file streaming, and IoT command-and-control.

NFLTR Server HTTP Proxy gRPC Tunnel Agent-to-Agent File Streaming TCP Tunnel Pub/Sub Broadcast Webhook Relay IoT Control E2EE Messaging SSH Tunnel
HTTP

HTTP Reverse Proxy

Requests to <agent>.nfltr.xyz are proxied through the tunnel to your local web server. Low-latency direct mode or durable async delivery.

gRPC

gRPC Bidirectional Streaming

Full bidirectional streaming between cloud services and on-premise agents. Agent-initiated or cloud-initiated connection patterns.

A2A

Agent-to-Agent

Agents communicate directly with each other through the server relay. Build distributed systems, chat apps, or peer-to-peer file sharing.

FILE

File Streaming

Transfer files between agents with chunked streaming and SHA-256 integrity verification. Large file support with progress tracking.

TCP

TCP & SSH Tunneling

Raw TCP frame forwarding for SSH, RDP, database connections, and any TCP-based protocol. Access remote machines as if they were local.

IoT

IoT Command & Control

Send commands to device fleets and receive telemetry. Label-based routing with fleet tokens lets you target specific device groups.

WHK

Webhook Relay

Receive webhooks from GitHub, Stripe, Slack and relay them to local development servers. Built-in HMAC signature verification.

E2E

End-to-End Encrypted

Agent-native encryption where the server only sees opaque bytes. Build secure messaging, private data transfer, and zero-knowledge applications.

Built for Every Use Case

From a Raspberry Pi in your garage to 10,000 IoT sensors across a factory floor.

🏠

Homelab & Self-Hosted

  • Expose Jellyfin, Home Assistant, Nextcloud to the internet
  • Works behind CGNAT — no port forwarding needed
  • Single binary, zero external dependencies
  • Built-in storage and messaging — nothing else to install
  • Share links for temporary access: swift-bay.nfltr.xyz
./nfltr-agent --api-key KEY --routes http://localhost:8096
🔧

Developer Tunnels

  • Share localhost with teammates for review or pairing
  • Receive webhooks from Stripe, GitHub, Slack on your machine
  • Multi-route support: /api→:3000, /web→:5173
  • Auto-generated agent ID from hostname
  • Word-pair share codes — human-readable, DNS-safe
./nfltr-agent --api-key KEY \
  --routes /api=http://localhost:3000,/=http://localhost:5173
🏢

Enterprise & Fleet Management

  • Manage thousands of on-prem agents from a control plane
  • Fleet tokens with Kubernetes-style label selectors
  • Fan-out commands to device groups: fleet=hvac,zone=building-a
  • API key rotation, audit logging, and policy-based authorization
  • Horizontally scalable for multi-instance deployments
# Target specific fleet members
curl -H "X-Fleet-Selector: zone=building-a" \
  https://nfltr.xyz/api/v1/fleet/invoke
📡

IoT & Edge Computing

  • Command/telemetry patterns for sensor networks
  • Agent runs on ARM devices (Raspberry Pi, Jetson Nano)
  • Agent-to-agent messaging for edge mesh networks
  • WASM agent for sandboxed, minimal-footprint deployment
  • Persistent endpoints: offline agents return 503, not 404
# Run sandboxed WASM agent on edge device
wasmer run --net nfltr-agent.wasm -- \
  --api-key KEY --routes http://localhost:8080

Multiple Agent Types

Choose the agent that fits your deployment. From a CLI binary to an embedded Go SDK to a sandboxed WASM module.

CLI Agent nfltr-agent binary • Single binary, zero deps • Multi-route support • Auto-generated ID • Share URL requests • Health checks Linux • macOS • Windows Embedded SDK Go library • Import into Go apps • Fleet label support • Share URL built-in • All auth methods • Kubernetes ready Any Go application WASM Agent nfltr-agent.wasm • Sandboxed execution • Wasmer / Wazero runtimes • Fine-grained permissions • No filesystem access • Minimal attack surface Any WASI runtime Custom Agent Build your own agent • Full protocol control • Build any protocol • Agent-to-agent • Encrypted messaging • IoT telemetry 22+ sample agents

Security at Every Layer

Six authentication methods, policy-based authorization, and end-to-end encryption support.

LAYERED SECURITY mTLS Certificates JWT Token-based API Key Simple & portable Fleet Token Device groups OAuth / SSO Google login Session Browser cookie AUTHORIZATION Policy-based access control NETWORK IP Allowlist RATE LIMIT Per-agent throttling
🔐

Verified Identity

Agent identity is derived from authentication credentials, not headers. Prevents spoofing. Each auth method maps to a unique, verifiable agent identity.

🛡️

Policy-Based Authorization

Fine-grained access control policies define who can access which agents, which routes, and which operations. Flexible rules for any security requirement.

🔑

Webhook Signature Verification

Built-in signature verification for GitHub, Stripe, and Slack webhooks. Replay detection with timestamp validation. Extensible for custom providers.

Deploy Anywhere

From a single binary on a Raspberry Pi to a horizontally-scaled multi-pod Kubernetes cluster.

Self-Hosted

Zero Dependencies
Built-in Storage
Built-in Messaging
Built-in Cache
  • Single binary — download and run
  • No external databases or message brokers required
  • mTLS or API key auth — no external identity provider
  • Bundled authorization policies
  • Runs on Linux, macOS, ARM, x86

Cloud / SaaS

Horizontally Scalable
External Database
Distributed Cache
Message Broker
  • Multi-instance with intelligent agent routing
  • Shared state across all server instances
  • Durable async messaging for high throughput
  • JWT + OAuth + fleet tokens at scale
  • Kubernetes-native with autoscaling

Runs On

GKE EKS AKS Docker Bare Metal Raspberry Pi Hetzner DigitalOcean Cloudflare

Full Observability

📊

Rich Metrics

Request latency, agent connection counts, throughput, fleet operations, and rate limiting. Prometheus-compatible with pre-built Grafana dashboards.

🖥️

Admin Dashboard

Built-in web dashboard for agent management, API key rotation, server metrics, connection analytics, and fleet operations. OAuth-protected with Google SSO.

📝

Structured Logging

JSON-formatted structured logs with audit trail for security events. Compatible with any centralized log aggregation platform.

Download the Agent

The tunnel agent is a single binary. Download for your platform, make it executable, and connect.

Latest version: v1.0.8

PlatformArchitectureDownload
Linuxx86_64 (amd64)Download
LinuxARM64 (aarch64)Download
macOSApple Silicon (arm64)Download
macOSIntel (amd64)Download
Windowsx86_64 (amd64)Download
WebAssemblyWASI (sandboxed)Download

Quick Start

# Make executable (Linux/macOS)
chmod +x nfltr-agent-*

# Connect to this server
./nfltr-agent-linux-amd64 \
  --api-key YOUR_API_KEY \
  --routes http://localhost:8080

What happens next?

The agent connects outbound to the server over gRPC. Your local service becomes accessible at:

  • https://<agent-id>.nfltr.xyz/ — direct subdomain (auto-generated from hostname)
  • Or request a share link for a temporary URL like swift-bay.nfltr.xyz

No inbound ports, no firewall changes, no static IP needed.

Contact Us

Have questions, feedback, or need help getting started? Drop us a message.

Ready to get started?

Sign in with your API key or Google account to manage agents and create share links.

Sign in