DevOps & Remote Access

SSH into machines behind NAT, stream logs remotely, monitor services, and create WireGuard VPN tunnels — no port forwarding required.


1. Remote SSH Access

Access any machine behind NAT/firewall without configuring port forwarding or a VPN. Two approaches:

Option A: Embedded SSH (no sshd required)

# On the remote machine — start embedded SSH server
nfltr shell --password mySecret123 --name prod-server

# On your laptop — connect via SSH
nfltr ssh-config prod-server --user admin
ssh prod-server

The embedded SSH server runs entirely in the nfltr agent — no OpenSSH or sshd needed. Supports password auth, public key auth, and SCP/SFTP.

Option B: TCP tunnel to existing sshd

# On the remote machine — tunnel the existing SSH port
nfltr tcp 22 --name prod-ssh

# On your laptop — connect through the tunnel
nfltr tcp-connect prod-ssh 22 --listen :2222
ssh -p 2222 admin@localhost

Browser-based terminal

# Quick web terminal (xterm.js) — accessible from any browser
nfltr terminal --basic-auth admin:secret --name prod-term

Open https://nfltr.xyz/browse/prod-term/ in any browser — full terminal with no client software.

💡 shell vs terminal

nfltr shell — use when you need SCP, SFTP, port forwarding, or your existing SSH client/config.
nfltr terminal — use when you want a one-click browser shell with a shareable URL.


2. Remote Log Streaming

# Stream a log file — accessible via share URL
nfltr tail /var/log/app.log --name prod-logs

# Show last 200 lines, password-protected
nfltr tail --lines 200 --basic-auth ops:secret /var/log/nginx/access.log

# Curl-friendly plain text
curl https://<share-url>/raw

The web UI includes search, pause, and auto-scroll. The /stream endpoint provides Server-Sent Events for programmatic consumption.
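An added example (not from the nfltr documentation) of consuming a Server-Sent Events stream such as /stream programmatically: it parses standard SSE framing and flags client IPs with repeated 401/403 responses in nginx access-log lines. It assumes each event's data field carries one raw log line, which the page does not specify; the function names and the sample stream are constructed for illustration.

```python
import re
from collections import Counter

def parse_sse(lines):
    """Yield the data payload of each SSE event from an iterable of text lines."""
    data = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":                    # a blank line dispatches the event
            if data:
                yield "\n".join(data)
                data = []
        elif line.startswith(":"):        # SSE comment, often used as keep-alive
            continue
        else:
            field, _, value = line.partition(":")
            if field == "data":           # other fields (event, id, retry) ignored
                data.append(value[1:] if value.startswith(" ") else value)
    # An event still open at end of stream is discarded, as the SSE spec requires.

# nginx "combined" format: client IP first, status code after the quoted request.
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def auth_failures(events, threshold=3):
    """Return {ip: count} for clients with at least `threshold` 401/403 responses."""
    hits = Counter()
    for payload in events:
        for log_line in payload.split("\n"):
            m = ACCESS.match(log_line)
            if m and m.group(2) in ("401", "403"):
                hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _event(ip, request, status):
    """Build one constructed SSE event: a data line plus the terminating blank."""
    ts = "10/Oct/2024:13:55:36 +0000"
    return [f'data: {ip} - - [{ts}] "{request}" {status} 153 "-" "curl/8.0"', ""]

# Constructed sample stream (documentation IP ranges), not real nfltr output.
SAMPLE = ([": keep-alive"]
          + _event("203.0.113.7", "GET /admin HTTP/1.1", 401)
          + _event("198.51.100.4", "GET / HTTP/1.1", 200)
          + _event("203.0.113.7", "GET /admin HTTP/1.1", 401)
          + _event("203.0.113.7", "POST /login HTTP/1.1", 403)
          + _event("198.51.100.4", "GET /admin HTTP/1.1", 401)
          + _event("203.0.113.9", "GET /admin HTTP/1.1", 401)[:1])  # cut off mid-event

if __name__ == "__main__":
    print(auth_failures(parse_sse(SAMPLE)))
```

Against a live stream, pass any iterator of decoded text lines from the HTTP response to parse_sse in place of SAMPLE.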


3. Live Command Monitoring

# Monitor Kubernetes pods remotely
nfltr watch "kubectl get pods" --name k8s-pods

# Disk usage with 5-second refresh
nfltr watch --interval 5s "df -h" --name disk-usage

# Docker container status
nfltr watch "docker ps --format 'table {{.Names}}\t{{.Status}}'" --name containers

Share the URL with your team — everyone sees live-updating output via Server-Sent Events.


4. WireGuard VPN Tunnel

Create a full Layer 3 VPN tunnel between machines. Runs in userspace — no root, no kernel modules.

Set up the VPN

# On the remote machine — start WireGuard server
nfltr wg serve --name office-vpn

# On your laptop — connect via SOCKS5 proxy
nfltr wg socks5 office-vpn --listen :1080

# Access remote services through the tunnel
curl --proxy socks5://localhost:1080 http://192.168.1.100:8080
# socks5h:// sends the hostname to the proxy for resolution instead of resolving it locally
curl --proxy socks5h://localhost:1080 http://internal-dashboard:3000

Browser configuration

Configure your browser's SOCKS5 proxy to localhost:1080 for full network access to the remote LAN.

💡 WireGuard is always E2EE

WireGuard uses Curve25519 key exchange and ChaCha20-Poly1305 encryption. The nfltr server relays opaque WireGuard packets — it never has access to the session keys or plaintext IP traffic.


5. TCP Tunneling (Databases, Redis, etc.)

# On the database machine
nfltr tcp 5432 --name prod-db

# On your laptop — connect through the tunnel
nfltr tcp-connect prod-db 5432 --listen :15432
psql -h localhost -p 15432 -U admin mydb

# Redis
nfltr tcp 6379 --name prod-redis
nfltr tcp-connect prod-redis 6379 --listen :16379
redis-cli -p 16379

# MySQL
nfltr tcp 3306 --name prod-mysql
nfltr tcp-connect prod-mysql 3306 --listen :13306
mysql -h 127.0.0.1 -P 13306 -u root -p

E2EE for database tunnels

# Agent terminates TLS — server can't see database queries
nfltr tcp 5432 --name prod-db --e2ee

6. Remote Command Execution

# Expose a command as an HTTP endpoint
nfltr command -- kubectl get pods --name k8s-cli

# Interactive AI assistant on a remote machine
nfltr ai claude --basic-auth admin:secret --name remote-claude

# Expose any CLI tool as a service
nfltr command jq . --name json-formatter

7. Fleet Management

Use labels and fleet tokens to manage groups of agents:

# Start agents with labels
nfltr shell --no-auth --name server-1 --labels env=prod,role=web
nfltr shell --no-auth --name server-2 --labels env=prod,role=api
nfltr shell --no-auth --name server-3 --labels env=staging,role=web

Fleet tokens with label selectors control which agents can connect and which groups they belong to. See Fleet Management for details.


Cheat Sheet

| Task | Command |
| --- | --- |
| SSH (embedded) | nfltr shell --password pass |
| SSH (existing sshd) | nfltr tcp 22 --name my-ssh |
| Browser terminal | nfltr terminal --basic-auth user:pass |
| Stream logs | nfltr tail /var/log/app.log |
| Monitor command | nfltr watch "kubectl get pods" |
| WireGuard VPN (server) | nfltr wg serve --name vpn |
| WireGuard VPN (client) | nfltr wg socks5 vpn --listen :1080 |
| Database tunnel | nfltr tcp 5432 --name db |
| Remote AI CLI | nfltr ai claude --basic-auth user:pass |

Next Steps