TCP & SSH Tunneling Core
Forward any TCP protocol — SSH, databases, RDP, custom protocols — through a secure gRPC tunnel. Access remote machines via native SSH or directly from your browser with the built-in terminal.
How TCP Tunneling Works
TCP tunneling wraps raw TCP connections inside NFLTR's encrypted gRPC transport. The agent listens on a local TCP port (e.g., SSH port 22) and relays all traffic through the tunnel. On the connecting side (your laptop, for example), you use nfltr tcp-connect to establish a local listener that forwards to the remote service.
SSH Tunneling — Three Ways
1. Native SSH Proxy
Use NFLTR as an SSH ProxyCommand. This integrates seamlessly with your existing SSH configuration — agent forwarding, keys, configs all work normally:
```bash
# On the remote machine
nfltr tcp 22 --name raspberry-pi

# On your laptop — connect via native SSH
ssh -o ProxyCommand="nfltr ssh-proxy --name %h" pi@raspberry-pi
```
2. Browser SSH Terminal
Open the NFLTR dashboard, find the agent, and click ▶ Term. A full xterm.js terminal opens in your browser — no SSH client, no keys, no configuration needed.
3. Port Forwarding
Forward any remote TCP port to a local port on your machine:
```bash
# On the remote server
nfltr tcp 5432 --name db-server

# On your laptop — PostgreSQL appears on localhost:5432
nfltr tcp-connect db-server 5432 --listen :5432
psql -h localhost -p 5432 -U myuser mydb
```
Supported Protocols
| Protocol | Remote Command | Local Access |
|---|---|---|
| SSH | nfltr tcp 22 --name myhost | ssh -o ProxyCommand="nfltr ssh-proxy --name %h" user@myhost |
| PostgreSQL | nfltr tcp 5432 --name db | nfltr tcp-connect db 5432 --listen :5432 |
| MySQL | nfltr tcp 3306 --name mysql | nfltr tcp-connect mysql 3306 --listen :3306 |
| Redis | nfltr tcp 6379 --name redis | nfltr tcp-connect redis 6379 --listen :6379 |
| RDP | nfltr tcp 3389 --name desktop | nfltr tcp-connect desktop 3389 --listen :3389 |
| Kubernetes API | nfltr tcp 6443 --name k8s | nfltr tcp-connect k8s 6443 --listen :6443 |
| Any TCP | nfltr tcp <port> --name svc | nfltr tcp-connect svc <port> |
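
A defender's check for the `--listen :<port>` forms above, as an added example that is not part of the original page or of NFLTR: it flags forwarded ports that are bound to every interface rather than to loopback only. It assumes that an address with an empty host part binds all interfaces (the usual host:port convention, not confirmed for nfltr on this page) and a Linux host with `ss`; the function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Ports used with `--listen :<port>` in the table above.
TUNNEL_PORTS="5432 3306 6379 3389 6443"

# Read `ss -H -ltn` output on stdin and print "<port> <addr>" for every
# port in the list ($1) that is listening on a wildcard address, i.e. is
# reachable from other hosts on the network and not only from localhost.
wildcard_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                          # local "addr:port" column
            i = match(la, /:[0-9]+$/)        # position of the final ":<port>"
            if (i == 0) next
            addr = substr(la, 1, i - 1)
            port = substr(la, i + 1)
            if ((port in want) && (addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
                print port, addr
        }'
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 4096   0.0.0.0:5432   0.0.0.0:*
LISTEN 0 128  127.0.0.1:6379   0.0.0.0:*
LISTEN 0 4096      [::]:5432      [::]:*
LISTEN 0 4096         *:3389         *:*
LISTEN 0 128      [::1]:3306      [::]:*
LISTEN 0 128    0.0.0.0:22     0.0.0.0:*
EOF
}

# On a live host, replace the sample with: ss -H -ltn
sample_ss_output | wildcard_listeners "$TUNNEL_PORTS"
```

Any line printed means the forwarded service answers on that port to other machines on the same network, so the local firewall and the service's own authentication are what protect it there.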
SSH Config Integration
Add NFLTR as a permanent SSH proxy for specific hosts in ~/.ssh/config:
```
# ~/.ssh/config
Host raspberry-pi
    HostName raspberry-pi
    User pi
    ProxyCommand nfltr ssh-proxy --name %h

Host office-server
    HostName office-server
    User admin
    ProxyCommand nfltr ssh-proxy --name %h
```
Now ssh raspberry-pi works from anywhere — no VPN, no port forwarding.
Security
- Encrypted transport — All TCP traffic is wrapped in TLS via the gRPC tunnel
- Authentication required — Both sides must authenticate with an API key or fleet token
- No exposed ports — The agent connects outbound; no inbound ports are opened
- Audit logging — Every TCP connection is logged with timestamp, source, and destination
Since NFLTR acts as a transparent TCP proxy, scp and sftp work with the same ProxyCommand. The dashboard also generates ready-to-use SCP commands for each connected agent.