Outbound-Only Agent • No Open Ports

    Phirepass

    Access any machine securely, without opening a port.

    No VPN. No inbound firewall rules. No client software.

    Install a lightweight agent on any machine — behind NAT, a home router, or CG-NAT — and get a full SSH terminal, an SFTP file browser, and browser access to its local HTTP services, relayed securely to any web browser. The agent only ever dials out.

    Browser-Based
    Zero-Install for Clients
    Outbound-Only Agent
    WebSocket-Powered

    One outbound connection. Zero inbound ports.

    The agent calls out to the relay and holds the connection open. Your browser talks to the relay too — it matches the two up and forwards traffic between them.

    Browser

    Any device, any OS. Opens a WebSocket to the relay — no client software to install.

    Relay

    Authenticated proxy that looks up which node you're targeting and forwards framed traffic to it.

    Agent

    A small binary on the target machine. Dials out only — never accepts an inbound connection.

    Local service

    SSH, SFTP, or a local HTTP service (Grafana, an admin panel, an API) — never exposed publicly.

    Instant Productivity

    A full xterm.js terminal over a real SSH session, plus a visual SFTP file browser — no client install

    phirepass — ssh session
    $ phirepass-agent login --from-stdin
    Registering node, generating Ed25519 keypair...
    ✓ Node registered. Starting agent.
    Open the node in your browser to connect.
    $ ssh session opened via relay
    Last login: Thu Jan 02 10:24:31 2026 from relay
    Welcome to Ubuntu 24.04.1 LTS
    admin@production:~$

    Everything you need to reach a machine

    Terminal, files, and internal web services — all through the same secure tunnel

    Full SSH terminal in the browser

    A real xterm.js terminal backed by a real SSH session — PTY allocation, window resize, paste, the works. The agent opens the SSH connection locally via a pure-Rust SSH implementation and streams it back over the relay.

    Visual SFTP file browser

    Browse, upload, and download files over the same tunnel. Transfers are chunked in both directions, so large files and slow links don't block the connection.

    Reach internal HTTP services

    Open a dashboard, admin panel, or internal API running on a node directly in your browser — streamed through the relay, with no extra reverse proxy and no public DNS record pointing at it.

    One dashboard, every node

    See every connected node, its last-seen heartbeat, and its status in one place. Revoke a node's access instantly — it can't reconnect without re-enrolling.

    No static secrets. Ever.

    Every credential in the system is short-lived, cryptographically bound to the node, and can be revoked instantly

    Outbound-only, always

    The agent makes a single outbound WebSocket connection and holds it open. Nothing listens for inbound traffic on the machine it runs on.

    One-time bootstrap token

    A scoped Personal Access Token registers the node exactly once. After that, the token is never used again.

    Ed25519 node identity

    Each agent generates its own keypair on first run. The private key never leaves the device; the public key becomes its permanent identity.

    Short-lived session tokens

    Every reconnect goes through a fresh challenge-sign-verify exchange and gets a JWT that expires in minutes, not days.

    Built for Your Team

    Any team that manages private infrastructure and can't open inbound ports

    DevOps & SRE teams

    Shell access to a server fleet without keeping port 22 open to the internet.

    Home labs & self-hosters

    Reach a Pi or NAS behind CG-NAT with no static IP, no port forwarding, no DDNS.

    MSPs & IT consultants

    Onboard a client machine without asking anyone to touch a firewall rule.

    Education & research labs

    Give students access to shared lab servers without handing out network changes.

    Support teams

    Jump onto a customer's or colleague's machine for a session, then walk away — nothing left listening.

    Everything You Need,
    Nothing You Don't

    Phirepass is purpose-built for reaching private machines. No bloated features, no complex identity management — just fast, secure access to SSH, SFTP, and local HTTP services.

    Browser-based SSH terminal
    Visual SFTP file browser
    Browser access to internal HTTP services
    Outbound-only agent — works behind NAT/CG-NAT
    Ed25519 node identity + short-lived JWTs
    Home Assistant add-on available
    SSH TerminalFull xterm.js
    SFTP BrowserChunked transfer
    HTTP ProxyInternal dashboards
    Node DashboardOne view, every node

    Ready to Simplify Server Access?

    Install the agent, connect your node, and access it from any browser in minutes.