Remote tool calls as if they were local

Your agent's tool calls,
on any machine.

OpenTunnel lets your AI agent run commands on remote machines as if it were sitting right there, through an ephemeral, end-to-end encrypted tunnel. No SSH, no accounts, no standing access. Ctrl+C and it's gone.

What is OpenTunnel?

Great agents, stuck on one machine.
Until now.


Agents are brilliant on the machine they run on. The moment the task lives on another machine, they hit a wall of SSH keys, firewall rules, and standing credentials. Permanent infrastructure for a temporary need.

OpenTunnel is an ephemeral, end-to-end encrypted command tunnel built for exactly this moment. You start one foreground process on the remote machine and paste the printed prompt into your agent. From then on, the agent runs commands there like any other tool call: it sends a command, and stdout, stderr, and the real exit code come back as if the machine were local.

There is nothing to install and nothing to provision. No SSH keys to create and distribute, no inbound ports to open, no account to register. A relay routes the encrypted traffic between the two sides, but it cannot read it and it stores nothing. When the task is done, you press Ctrl+C: the session ends, the invite expires, and no trace of the access remains.

How it works

  1. Start a session on the remote machine.

    curl -fsSL https://opentunnel.sh | sh

    A temporary CLI is downloaded, checksum-verified, and opens one foreground session.

  2. Paste the generated prompt into your agent.

    Your agent now has a remote shell as a tool. It runs commands and gets stdout, stderr, and exit codes back as if they were local tool calls.

  3. Press Ctrl+C when you’re done.

    The session ends, access is revoked, the temporary CLI is gone. Nothing persists, not on your machine and not on the relay.

Security

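The relay routes opaque, encrypted frames between your agent and the remote machine. It cannot read your traffic, so the confidentiality of your commands and output does not depend on who operates it. What the relay can observe is limited to routing metadata, timing, and frame sizes.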

End-to-end encrypted

Commands, output, and exit codes are encrypted between host and client. The relay forwards ciphertext and sees only routing metadata, timing, and frame sizes.

Nothing persisted

Only in-memory state for active connections. No sessions, invites, payloads, logs, or client metadata are ever stored.

Revocation is Ctrl+C

Access lives exactly as long as the foreground host process. Stop it, and the tunnel ceases to exist.

No accounts, no keys

No signup, no tokens to rotate, no SSH keys to distribute and forget. A session invite is the only secret, and it expires with the session.

Deployment

Because the relay only ever sees ciphertext, the hosted relay is safe to use as-is. And because it needs no database, no accounts, and no persistent state, self-hosting is one command.

Hosted relay

Zero setup. Start tunneling right now through the official relay.

curl -fsSL https://opentunnel.sh | sh

Self-hosted relay

One stateless container behind your reverse proxy. Full control over the origin your agents fetch from.

docker run -p 8080:8080 \
ghcr.io/akoenig/opentunnel:latest \
relay --public-url https://relay.example.com

Philosophy

OpenTunnel keeps the access model temporary and narrow on purpose. That is the security model, not a missing feature list. No accounts, no daemons, no audit logs (because there is nothing to log), no PTY, no file transfer, one client, one command at a time.
