TCP & SSH Tunneling Core

Forward any TCP protocol — SSH, databases, RDP, custom protocols — through a secure gRPC tunnel. Access remote machines via native SSH or directly from your browser with the built-in terminal.


How TCP Tunneling Works

TCP tunneling wraps raw TCP connections inside NFLTR's encrypted gRPC transport. The agent listens on a local TCP port (e.g., SSH port 22) and relays all traffic through the tunnel. On the connecting side (your laptop), you run nfltr tcp-connect to open a local listener that forwards to the remote service.

[Diagram: REMOTE MACHINE (nfltr agent (tcp 22), SSH daemon (sshd), PostgreSQL (:5432)) ↔ NFLTR SERVER (encrypted gRPC tunnel, TCP stream multiplexing) ↔ YOUR LAPTOP (ssh user@remote, browser SSH terminal, psql -h localhost)]

SSH Tunneling — Three Ways

⚠️ Prerequisite

SSH tunneling requires the target machine to have an SSH server (e.g. sshd) running on the configured port (typically 22). The NFLTR agent proxies SSH traffic — it does not provide SSH itself.

1. Native SSH Proxy

Use NFLTR as an SSH ProxyCommand. This integrates seamlessly with your existing SSH configuration — agent forwarding, keys, configs all work normally:

# On the remote machine
nfltr tcp 22 --name raspberry-pi

# On your laptop — connect via native SSH
ssh -o ProxyCommand="nfltr ssh-proxy --name %h" pi@raspberry-pi

2. Browser SSH Terminal

Open the NFLTR dashboard, find the agent, and click ▶ Term. A full xterm.js terminal opens in your browser — no SSH client, no keys, no configuration needed.

3. Port Forwarding

Forward any remote TCP port to a local port on your machine:

# On the remote server
nfltr tcp 5432 --name db-server

# On your laptop — PostgreSQL appears on localhost:5432
nfltr tcp-connect db-server 5432 --listen :5432
psql -h localhost -p 5432 -U myuser mydb

Supported Protocols

| Protocol | Remote Command | Local Access |
|---|---|---|
| SSH | nfltr tcp 22 --name myhost | ssh -o ProxyCommand="nfltr ssh-proxy --name %h" user@myhost |
| PostgreSQL | nfltr tcp 5432 --name db | nfltr tcp-connect db 5432 --listen :5432 |
| MySQL | nfltr tcp 3306 --name mysql | nfltr tcp-connect mysql 3306 --listen :3306 |
| Redis | nfltr tcp 6379 --name redis | nfltr tcp-connect redis 6379 --listen :6379 |
| RDP | nfltr tcp 3389 --name desktop | nfltr tcp-connect desktop 3389 --listen :3389 |
| Kubernetes API | nfltr tcp 6443 --name k8s | nfltr tcp-connect k8s 6443 --listen :6443 |
| Any TCP | nfltr tcp <port> --name svc | nfltr tcp-connect svc <port> |

Need Windows Remote Desktop?

RDP Remote Access walks through exposing a Windows host with nfltr tcp 3389 and connecting from Microsoft Remote Desktop, Remmina, or FreeRDP.

SSH Config Integration

Add NFLTR as a permanent SSH proxy for specific hosts in ~/.ssh/config:

# ~/.ssh/config
Host raspberry-pi
    HostName raspberry-pi
    User pi
    ProxyCommand nfltr ssh-proxy --name %h

Host office-server
    HostName office-server
    User admin
    ProxyCommand nfltr ssh-proxy --name %h

Now ssh raspberry-pi works from anywhere — no VPN, no port forwarding.
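
Sessions to these hosts travel through a relay, so the SSH host key check is what confirms you reached the intended sshd. The following is an added example, not NFLTR's or this page's own code: it lints an ssh_config for Host blocks that use nfltr ssh-proxy and flags options that weaken that check or forward your agent. The sample config, the build-box and direct-host names, and the function names are constructed; Host * defaults and Match blocks are not evaluated.

```python
import re

# Constructed sample: raspberry-pi/office-server follow the page, the rest is invented.
SAMPLE_CONFIG = """\
Host raspberry-pi
    ProxyCommand nfltr ssh-proxy --name %h
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
Host office-server
    ProxyCommand nfltr ssh-proxy --name %h
    ForwardAgent yes
Host build-box
    ProxyCommand nfltr ssh-proxy --name %h
Host direct-host
    StrictHostKeyChecking no
"""

# Lowercased option -> (values that trigger a finding, reason reported).
RISKY = {
    "stricthostkeychecking": ({"no", "off"}, "host key not verified"),
    "userknownhostsfile": ({"/dev/null"}, "known_hosts discarded"),
    "forwardagent": ({"yes"}, "agent forwarded to remote host"),
}

def parse_hosts(text):
    """Map each Host pattern to its options; as in ssh, the first value wins."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            current = hosts.setdefault(value, {})
        elif key == "match":
            current = None  # options under Match are skipped, not misattributed
        elif current is not None:
            current.setdefault(key, value)
    return hosts

def audit(text):
    """Return {host: [reasons]} for Host blocks whose ProxyCommand is nfltr ssh-proxy."""
    return {host: [why for opt, (bad, why) in RISKY.items()
                   if opts.get(opt, "").lower() in bad]
            for host, opts in parse_hosts(text).items()
            if "nfltr ssh-proxy" in opts.get("proxycommand", "")}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

To see the effective options OpenSSH would apply to one host, including inherited defaults, run ssh -G raspberry-pi.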

End-to-End Encryption (E2EE)

E2EE is enabled by default on all TCP tunnels. The agent terminates TLS locally using a self-signed certificate, so the NFLTR server only relays opaque ciphertext — it never sees your plaintext traffic.

[Diagram: CLIENT (TLS handshake with agent) → NFLTR SERVER (relays opaque ciphertext, zero plaintext visibility) → AGENT (terminates TLS, forwards plaintext)]

Default Behaviour (Zero Config)

Just run nfltr tcp — E2EE is on with a self-signed certificate:

# Agent side — E2EE enabled automatically
nfltr tcp 5432 --name my-db

# Client side — connect normally
nfltr tcp-connect my-db 5432 --listen :5432
psql -h localhost -p 5432 -U myuser mydb

Bring Your Own Certificate

Supply your own TLS certificate for E2EE termination:

nfltr tcp 5432 --name my-db \
  --e2ee-cert /path/to/cert.pem \
  --e2ee-key /path/to/key.pem

Auto Let's Encrypt via ACME

Obtain a valid certificate automatically from Let's Encrypt:

nfltr tcp 5432 --name my-db \
  --acme-domain db.example.com

Disabling E2EE

If your protocol already handles its own encryption (e.g., SSH), you can disable the extra TLS layer:

nfltr tcp 22 --name my-ssh --e2ee=false

Security

💡 SCP & SFTP work too

Since NFLTR acts as a transparent TCP proxy, scp and sftp work with the same ProxyCommand. The dashboard also generates ready-to-use SCP commands for each connected agent.
