Usage

The sshforward.net client makes your local SSH server reachable from the internet through an encrypted tunnel. VNC and RDP services are also supported — see Exposing Other Services below.

Quickstart

Create a free account and pick your handle (e.g. alice).

2. Download & Install

Download the client, then on the machine you want to reach:

Linux — extract the tarball and run the installer:

tar xzf sshforward.net.tgz
cd sshforward.net-*
sudo ./install.sh

This lays down the CLI, a tray app, and a systemd unit.

macOS — open the downloaded .pkg and follow the wizard. It installs the CLI and a tray app into /Applications/sshforward.net.app.

Then, on either platform, register the machine and start the service:

sudo sshforward.net activate-service

This logs you in, registers your machine, and starts the system service. Your machine gets a name like myserver.alice and stays online automatically — even after reboots.

Both platforms also ship a tray app as a GUI front-end for the same daemon — see Tray App below.

If you prefer a single binary without desktop integration, the Download page also offers a CLI-only build per architecture; drop it on your $PATH and run sudo sshforward.net activate-service.

3. Connect

From any other computer:

sshforward.net connect myserver.alice

That's it. Your machine is now reachable from anywhere.

Connecting to Your Machines

Once your machine is online, connect to it from anywhere:

sshforward.net connect remote-machine

Or using standard SSH with sshforward.net as a jump host:

ssh remote-machine -J sshforward.net

Or connect directly from your browser — open your machine's page in the dashboard and click Connect in Browser. No SSH client required. If the machine also exposes VNC, an additional Connect in Browser (RDX) button opens an in-browser remote desktop alongside it.

Connect Diagram

Secure Connect

By default, anyone who knows your machine's name can connect to it. Secure Connect restricts access so that only you and your team members can reach the machine.

When enabled, connections are restricted to authenticated users. You can reach the machine in two ways:

sshforward.net connect remote-machine — as usual, using your logged-in client
ssh remote-machine -J auth@sshforward.net — standard SSH with the authenticated jump-host variant. This requires an SSH public key uploaded in your account settings.

Unauthenticated or unauthorized connection attempts are rejected.

To enable it, open your machine's page in the dashboard and toggle Enable Secure Connect.

You can also enable Secure Connect by default for all newly registered machines in your account settings.

Dashboard

You can view running status and metrics of running logged in machines online:

Machine Info

Installation as a Service

You can install the client as a system service. It will start alongside the system and automatically reconnect when needed:

sudo sshforward.net activate-service

The installed service periodically checks for new versions and applies updates automatically. Run sudo sshforward.net upgrade to update now, or pass --disable-auto-updater at install time to opt out.

Or with disabled metrics:

sudo sshforward.net --no-metrics activate-service

Uninstalling

Use sudo sshforward.net disable-service to disable the service.

On macOS, use:

sudo sshforward.net uninstall-pkg

This command removes the installed package: it stops any running tray process, uninstalls the service, and deletes both the CLI binary and /Applications/sshforward.net.app.

On Linux, if you installed via the tarball, run:

sudo /opt/sshforward/uninstall.sh

This stops the service, removes the systemd unit, CLI, tray, desktop entry and icons, and deletes the /opt/sshforward directory.

Tray App

Both the macOS .pkg and the Linux tarball installer ship a tray app that acts as a GUI front-end for the same daemon the CLI manages — use whichever you prefer.

From the menu bar / tray icon you can:

Status… — see whether you're logged in, whether the service is running, the machine's registered hostname, the number of active connections, the GUI and daemon versions, and toggle autostart.
Login… / Logout — sign in or out without leaving the tray.
Install Service… / Uninstall Service — a wizard walks through logging in, picking which services to expose (SSH, VNC and RDP are auto-probed on their default local ports), and installing the system service. The same item flips to Uninstall Service once the service is running.
Uninstall sshforward.net… — runs the full package uninstall (equivalent to sudo sshforward.net uninstall-pkg on macOS or sudo /opt/sshforward/uninstall.sh on Linux): stops the service and removes everything the installer laid down.

macOS

The .pkg installs the tray at /Applications/sshforward.net.app; launch it from the Applications folder or Launchpad.

Linux

The tarball installer registers a .desktop entry for the tray, so it shows up in your desktop's application menu. To let the tray reach the daemon's IPC socket, your user needs to be in the sshforward group — after installing, run:

sudo usermod -aG sshforward $USER

then log out and back in once.

Ad-Hoc Connections (No Registration)

You can use sshforward.net without an account for quick, temporary connections.

Adhoc Usage Diagram

Start Client using sshforward.net adhoc -e which will print your name <remote>

Show

$ sshforward.net adhoc -e
Username for SSH-Server: user1
Password for SSH-Server: UrPpeDbquKmV
It works! you are now connected to sshforward.net
In order to reach your machine using, enter:
  sshforward.net connect remote
    or
  ssh remote -J sshforward.net

Now simply connect to it using sshforward.net connect <remote> or ssh <remote> -J sshforward.net

To use your system's SSH, omit the -e argument
For more options see sshforward.net adhoc --help

For a detailed walkthrough, see the ad-hoc connections guide.

Docker

Using the docker image, it's easy to create a permanent service running.

The client docker image is available as docker.sshforward.net/client

Anonymous Session:

sudo docker run --network=host -it --rm docker.sshforward.net/client adhoc

Starting a logged in Session

$ sudo docker run --network=host -it --name sshforward docker.sshforward.net/client run-logged-in
Username: < your username >
Password: < your password >
Hello client, you are logged in.
Logged in
# Running:
$ sudo docker start sshforward

Automatically starting service upon restart:

sudo docker update --restart=unless-stopped sshforward

Ephemeral Container
You may run it temporarily --rm, while maintaining a persistent state through a named volume.

Only the first time you run it, you'll be prompted to log in.

sudo docker run -v sshforward-config:/config --network=host -it --rm docker.sshforward.net/client

Running a Single Session

If you don't want to install a system service, you can run the client directly:

sshforward.net run

This starts a single session in the foreground — no sudo required. Your machine stays online as long as the process runs. Useful for quick access or testing before committing to a full install.

Exposing Other Services

SSH is exposed by default, but the client can tunnel VNC and RDP alongside it. Pass the services you want with --services:

sshforward.net run --services ssh,vnc,rdp

Each service defaults to its well-known local port (SSH 22, VNC 5900, RDP 3389). You can override any of them with type=host:port:

sshforward.net run --services ssh,vnc=localhost:5901,rdp

If you'd rather let the client figure it out, use --detect-services — it probes SSH, VNC, and RDP on their default local ports and exposes whichever are listening:

sshforward.net run --detect-services

Connecting to a non-SSH service

From the connecting side, pick the service with --service:

sshforward.net connect myserver.alice --service vnc

The command opens a local listener — localhost:6900 for VNC, localhost:6389 for RDP (or --port <n> to override) — that you then point your VNC viewer or RDP client at. SSH is still the default when --service is omitted.

Exposing VNC also exposes rdx, a compressed VNC transport. Connect to it with --service rdx (local listener localhost:6901); it is what the Connect in Browser (RDX) button uses, and gives a smoother picture over slow links. Point a normal VNC viewer at the listener — the compression happens inside the tunnel.

On Linux, if Remmina is installed, sshforward.net launches it automatically and points it at the local listener, so you don't need to open the viewer yourself. When you close the Remmina tab, the tunnel shuts down. Pass --no-viewer to skip the auto-launch and keep the listener open for multiple connections (for example, if you want to use a different viewer).

Embedded SSH Server

If the target machine doesn't have an SSH server, sshforward.net includes a built-in one. Just add -e:

sshforward.net run -e

A random password is generated on each run and only printed once. You can set one, using --embedded-ssh-password <password>.

Add -r to let sshforward.net use the last password.

The embedded SSH server also serves SFTP, so you can transfer files over the same tunnel — no separate daemon needed. Connect with any SFTP client against the SSH listener, e.g. sftp -P 6022 user@localhost. Pass --sftp-read-only to allow downloads only and forbid uploads, deletes, and renames.

For more configuration options, call sshforward run --help.

Options

Metrics

By default, system metrics (e.g. CPU Usage, Operating System Name, Free Disk Space) are sent to the backend. You can disable this by updating the setting:

sshforward.net --no-metrics persist

Metrics are shown upon Machines section if you log in, helping you to keep an eye on your machines.

How It Works

NAT and Dynamic IP Addresses

Inside a strict NAT network one can't simply connect to a client.

sshforward helps here out by acting as a link between two clients.

NAT Traversal Diagram

Firewalls

Firewall configurations may prevent an incoming and or outgoing connections on port 22.

Firewall Traversal diagram

If you use the connect method of sshforward, alls connections are done via HTTPS on Port 443, helping to avoid potential firewall issues.

Connect method diagram

Security

The connection between the client and our server is encrypted using TLS
The connection to your machine is end-to-end encrypted by SSH.
The browser terminal is also end-to-end encrypted — the SSH protocol runs entirely in your browser, so our server never sees your session.

FAQ

Are permanent connections available?

Permanent connections are possible using logged in sessions.

Do you need a running SSH Server?

No, it is recommended, but sshforward.net also contains an integrated one, however still limited.

Which services can I expose?

SSH is the primary and most mature. VNC and RDP are also supported — enable them with --services ssh,vnc,rdp (or --detect-services for auto-detection). See Exposing Other Services above.

Are other platforms (e.g. Windows) supported?

We are working on it.

Which ports are used?

We use port 443 (outgoing) for communication. The SSH Jump server is using port 22 for incoming connections. The connect method only uses 443.

How does sshforward compare to other tools?

See our detailed comparisons: