I opened an OpenTunnel session for you.
Run commands on my host with:
curl -fsSL https://opentunnel.sh/cli | OPENTUNNEL_INVITE='ot1_example-invite' sh -s -- exec \
-- '<COMMAND>'
Start with:
curl -fsSL https://opentunnel.sh/cli | OPENTUNNEL_INVITE='ot1_example-invite' sh -s -- exec \
-- 'hostname && uname -a && pwd'
Commands execute without per-command approval while this foreground session is running.
Always ask me to confirm before running anything destructive or irreversible, for example deleting files or directories, overwriting data, changing system, package, or network configuration, or moving data off the machine.
Treat the invite as bearer-secret material. Do not copy it into shared logs, tickets, summaries, or long-lived notes. The host owner can revoke access with Ctrl+C.
Notes:
- For shared machines, prefer --invite-stdin or shell-history controls because typed environment assignments can still be saved by your shell.
- Use non-interactive commands.
- No PTY or interactive stdin is available in the first major version.
- Avoid sudo unless it is passwordless and non-interactive.
- Avoid long-running commands unless necessary.
- Only one client can connect to this tunnel at a time.
- Only one command runs at a time.
- The temporary OpenTunnel CLI is cached in the system temp directory during the session.Illustration only. Your machine prints this with a unique invite when you run the command. Paste that output into your agent, not this example.
What is OpenTunnel?
Agents are brilliant on the machine they run on. The moment the task lives on another machine, they hit a wall of SSH keys, firewall rules, and standing credentials. Permanent infrastructure for a temporary need.
OpenTunnel is an ephemeral, end-to-end encrypted command tunnel built for exactly this moment. You start one foreground process on the remote machine and paste the printed prompt into your agent. From then on, the agent runs commands there like any other tool call: it sends a command, and stdout, stderr, and the real exit code come back as if the machine were local.
There is nothing to install and nothing to provision. No SSH keys to create and distribute, no inbound ports to open, no account to register. A relay routes the encrypted traffic between the two sides, but it cannot read it and it stores nothing. When the task is done, you press Ctrl+C: the session ends, the invite expires, and no trace of the access remains.
The machine has to be exposed to the outside, and it stays that way.
It works from a private network, behind any firewall, exposing nothing.
What if your agent could work directly on the remote machine?
How it works
Start a session on the remote machine.
curl -fsSL https://opentunnel.sh | shA temporary CLI is downloaded, checksum-verified, and opens one foreground session.
Paste the generated prompt into your agent.
Your agent now has a remote shell as a tool. It runs commands and gets stdout, stderr, and exit codes back as if they were local tool calls.
Press Ctrl+C when you’re done.
The session ends, access is revoked, the temporary CLI is gone. Nothing persists, not on your machine and not on the relay.
Security
The relay routes opaque, encrypted frames between your agent and the remote machine. It cannot read your traffic, so it doesn’t matter who operates it.
End-to-end encrypted
Commands, output, and exit codes are encrypted between host and client. The relay forwards ciphertext and sees only routing metadata, timing, and frame sizes.
Nothing persisted
Only in-memory state for active connections. No sessions, invites, payloads, logs, or client metadata are ever stored.
Revocation is Ctrl+C
Access lives exactly as long as the foreground host process. Stop it, and the tunnel ceases to exist.
No accounts, no keys
No signup, no tokens to rotate, no SSH keys to distribute and forget. A session invite is the only secret, and it expires with the session.
Deployment
Because the relay only ever sees ciphertext, the hosted relay is safe to use as-is. And because it needs no database, no accounts, and no persistent state, self-hosting is one command.
Hosted relay
Zero setup. Start tunneling right now through the official relay.
curl -fsSL https://opentunnel.sh | shSelf-hosted relay
One stateless container behind your reverse proxy. Full control over the origin your agents fetch from.
docker run -p 8080:8080 \ ghcr.io/akoenig/opentunnel:latest \ relay --public-url https://relay.example.comPhilosophy
OpenTunnel keeps the access model temporary and narrow on purpose. That is the security model, not a missing feature list. No accounts, no daemons, no audit logs (because there is nothing to log), no PTY, no file transfer, one client, one command at a time.