New session
Creates a fresh rmux session and enables a local Web Share.
shell
rmux web-shareShare a terminal in one command
Web Share creates browser links for an rmux pane or session. The shell (PTY) stays on your machine; the browser only renders end-to-end encrypted frames.
What opens in the browser
Roles and PIN pairing
Create separate operator and spectator links, then require the matching pairing PIN before a browser connection opens.
Operator and spectator links, printed in your terminal
Open Web Share beyond localhost
Choose how Web Share is reached from the internet: private Tailnet, public tunnel, or your own ingress. Tunnels only carry encrypted frames. They cannot read your terminal.
Choose the exposure
Recommended
Private Tailnet
rmux web-share --tunnel-provider tailscale-serve Access stays inside your Tailnet. Nothing is exposed publicly.
Public fallback
SSH tunnel preset
rmux web-share --tunnel-provider localhost-run Creates a public reverse tunnel when Tailnet access is not possible.
Bring your own
Existing ingress
rmux web-share --tunnel-url https://terminal.example.com Use Cloudflare, Caddy, nginx, or another reverse proxy you already run.
shell
rmux web-share --tunnel-provider tailscale-serve
rmux web-share --tunnel-provider localhost-run
rmux web-share --tunnel-url https://terminal.example.com Built-in tunnel providers
Tailscale keeps shares private when possible. The SSH presets are public fallbacks outside your Tailnet.
| Preset | Exposure | Underlying command | Prerequisites |
|---|---|---|---|
tailscale-serve recommended Reachable only by devices in your own Tailnet. Nothing is exposed publicly. | Private | tailscale serve --yes {port} | Tailscale + operator rights |
tailscale-funnel recommended Publishes on your *.ts.net name without opening any firewall port. | Public | tailscale funnel --yes {port} | Tailscale + Funnel enabled |
| Zero-setup public URL over an SSH reverse tunnel (*.lhr.life). | Public | ssh -R 80:{host}:{port} [email protected] | OpenSSH client |
serveo Public URL over SSH (*.serveousercontent.com). | Public | ssh -R 80:{host}:{port} serveo.net | OpenSSH client |
sandhole Public URL over SSH (*.demo.sandhole.com.br). | Public | ssh -R 80:{host}:{port} demo.sandhole.com.br | OpenSSH client |
srv-us Public URL over SSH (*.srv.us). | Public | ssh srv.us -R 1:{host}:{port} | OpenSSH client |
Share over Tailscale
Use tailscale-serve for private Tailnet access. Use tailscale-funnel when you intentionally want a public *.ts.net link.
shell
rmux web-share --tunnel-provider tailscale-serve
rmux web-share --tunnel-provider tailscale-funnelInstall Tailscale in one line
brew install tailscalewinget install --id tailscale.tailscalecurl -fsSL https://tailscale.com/install.sh | sh- Start it and sign in:
sudo tailscale up - Let rmux drive the tunnel:
sudo tailscale set --operator=$USER - Share privately:
rmux web-share --tunnel-provider tailscale-serve - Go public instead: enable Funnel in the admin console, then run with
--tunnel-provider tailscale-funnel.
tailscale-serve — private
- Reachable only by devices in your own Tailnet; nothing is exposed to the public internet.
- rmux web-share --tunnel-provider tailscale-serve
tailscale-funnel — public
- Publishes the share on your *.ts.net name without opening any local firewall port.
- Requires Funnel enabled for the node. rmux web-share --tunnel-provider tailscale-funnel
Host your own frontend
Serve the static web client from your own domain. share.rmux.io is open source and ships only static files — no server, no PTY.
shell
git clone https://github.com/Helvesec/rmux-web-share
cd rmux-web-share
npm install
npm run build
rmux web-share --frontend-url https://share.example.comManage shares from the CLI and SDK
Create, list, inspect, and tear down shares from the command line, or drive the whole thing from Rust.
shell
rmux web-share -t work
rmux web-share -t work --spectator-only
rmux web-share -t work --pin-operator 481516 --pin-spectator 234200
rmux web-share -t work --max-operators 1 --max-spectators 20
rmux web-share -t work --ttl 3600
rmux web-share -t work --tunnel-provider tailscale-serve
rmux web-share list
rmux web-share lookup <share-id>
rmux web-share stop <share-id>
rmux web-share off
rmux web-share configRust SDK Integration
rust
use std::time::Duration;
let share = pane
.share()
.operator_pin("481516")
.spectator_pin("234200")
.ttl(Duration::from_secs(3600))
.await?;
if let Some(url) = share.spectator_url() {
println!("spectator: {url}");
}
if let Some(pin) = share.operator_pairing_code() {
println!("operator PIN: {pin}");
}
share.stop().await?;Create-time flags
- Targeting: -t <pane|session>, --operator-only, --spectator-only, --max-operators, --max-spectators.
- Pairing: --pin-operator, --pin-spectator, --no-pin. Expiry: --ttl, --expires-at, --kill-session-on-expire.
- Reach & look: --tunnel-provider, --tunnel-url, --frontend-url, --theme, --hide-viewers, --no-navbar, --no-disclaimer.
Lifecycle commands
- rmux web-share list — show active shares. lookup <share-id> — one share with the token redacted.
- rmux web-share stop <share-id> (or disconnect <share-id>) — revoke one share without stopping the daemon.
- rmux web-share off — stop every active share. config — print the current daemon defaults.
Security model
Web Share keeps execution local, encrypts every terminal frame, and treats tunnels as blind transport.
What is protected
The shell stays on your machine
The PTY, processes, scrollback, panes, windows, and sessions stay inside the local rmux daemon. The browser only renders encrypted updates.
share.rmux.io has no terminal backend
share.rmux.io serves HTML, JS, and the crypto WASM. It does not host shells, PTYs, or WebSocket tunnels.
Tunnels carry ciphertext
Tailscale, SSH reverse tunnels, and custom ingress only forward encrypted WebSocket frames. They cannot read keystrokes or terminal cells.
WASM single source of truth
Browser crypto comes from the Rust crate rmux-web-crypto. CI rebuilds the production WASM from source, checks it against provenance, and the browser loads it with an integrity pin.
4afdfc60c95d497a17b6cb3dd89f10cb32aa2673bc4524498a9e2c4e6a99fad6 Controls
Hybrid E2EE
X25519,ML-KEM-768, and the share token feedHKDF-SHA256.- The exact handshake transcript is bound into the keys.
ChaCha20-Poly1305protects terminal frames per connection.- Sequence numbers are strict. Replay and reorder fail closed.
Tokens and PINs
- Operator tokens are 256-bit random secrets.
- The token lives in the URL
#fragment, so browsers do not send it to the host. - The daemon stores a derived token id, not the raw token.
- PINs are checked after encrypted key agreement, with constant-time comparison.
Origin hardening
- Origin is required and compared against an allowlist.
- HTTPS is required outside loopback.
- Punycode, credentials, paths, query strings, and fragments are rejected.
share.rmux.ioships with a deny-by-default CSP, no-referrer, nosniff, and a restrictive Permissions Policy.
Abuse resistance
- Pre-auth connections are capped and timed out.
- Handshake failures collapse to the same close code with a uniform delay.
- Backoff escalates from short waits to temporary and lifetime locks.
- Authenticated clients, role leases, operator actions, input size, and outbound backlog are bounded.
Role enforcement
- Spectator links are read-only at the server.
- Operator actions are rejected unless the role matches.
- Operator and spectator PINs are separate.
- Shares can expire, be revoked, or stop when their target disappears.
Build and release gates
- Crypto tests include RFC, NIST, and fixed transcript vectors.
- WebSocket parsing is fuzzed.
unsafeis forbidden in the crypto crate.- CI checks dependency policy, runtime network behavior, platform boundaries, and WASM provenance.
Trust boundary
Tunnels are not trusted. The browser page is. Use the audited share.rmux.io build, or self-host the static frontend when you want to own that boundary too.
End-to-end encryption
A hybrid post-quantum handshake derives per-connection ChaCha20-Poly1305 keys in the browser. The tunnel never sees your terminal, and the frontend is just static files.
Handshake inputs
Ephemeral X25519
Browser and daemon exchange short-lived curve keys.
ML-KEM-768
Post-quantum key material is mixed into the same transcript.
Share token
The URL fragment adds a secret that is never sent to the tunnel.
HKDF-SHA256
All inputs are bound to the handshake transcript.
ChaCha20-Poly1305 frames
Per-connection keys encrypt terminal frames between browser and daemon.
Key schedule
X25519
ML-KEM-768
URL token
HKDF-SHA256 · transcript-bound
ChaCha20-Poly1305 session keys
Encrypted frames · browser ⇄ daemon
Both ends derive the same session keys from these three inputs. Hybrid encryption means an attacker would need to defeat both X25519 and ML-KEM to recover session keys. Without the URL token, the tunnel cannot derive keys.
The tunnel can't read the terminal
Tunnels carry ChaCha20-Poly1305 frames, not terminal data. They cannot read or tamper with a single keystroke or cell.
The frontend is static
share.rmux.io ships only HTML, JS and the WASM crypto — no server, no PTY. It just renders frames the browser decrypts locally.
The shell stays home
The PTY runs only on your local daemon, and the token lives in the URL #fragment — browsers never send it to the host or the tunnel.
The handshake
- Each connection mixes ephemeral X25519, ML-KEM-768, and the share token, bound to the transcript via HKDF-SHA256.
- Keys are per-connection and never stored: recorded traffic stays unreadable even if the token leaks later (forward secrecy).
- Hybrid encryption means an attacker would need to defeat both X25519 and ML-KEM to recover session keys. Without the token, the tunnel cannot derive keys.
What the network sees
- The token lives in the URL #fragment — browsers never send it to the host or the tunnel.
- Tunnels only carry encrypted frames. They cannot read your terminal.
- The frontend serves static files only; the shell (PTY) runs solely on your daemon.