DEV Community

Javier Leandro Arancibia
Javier Leandro Arancibia

Posted on

I replaced ssh -L with one CLI command. No SSH keys, no VPN, no open ports.

If you manage servers, you've done this a thousand times:

ssh -L 5432:localhost:5432 user@prod-server
Enter fullscreen mode Exit fullscreen mode

It works. But it requires SSH keys, an open port 22, a VPN if you're behind NAT, and a running SSH daemon on the target. Every one of those is a maintenance burden and an attack surface.

I just shipped rcmd tunnel — port forwarding through a WebSocket relay. No SSH, no VPN, no open ports.

How it works

Your laptop ──wss──► Relay ──wss──► Target daemon ──► localhost:5432
Enter fullscreen mode Exit fullscreen mode

The target runs a tiny daemon (~6 MB Go binary) that connects outbound to a relay. Your client connects to the same relay. The relay routes TCP data between them. That's it.

Both sides connect outbound. No inbound ports. Works behind NAT, firewalls, corporate proxies.

The command

rcmd tunnel --target prod --local 5432 --remote localhost:5432
Enter fullscreen mode Exit fullscreen mode

Now localhost:5432 on your machine tunnels to prod:5432. You can connect with psql, redis-cli, a browser dashboard — anything that speaks TCP.

What you can tunnel

  • PostgreSQL--local 5432 --remote localhost:5432
  • Redis--local 6379 --remote localhost:6379
  • Debug dashboards--local 8080 --remote localhost:8080
  • Jupyter notebooks running on a remote GPU box
  • Internal admin panels behind a firewall
  • Any TCP service — if it speaks TCP, rcmd tunnels it

But wait, I already have SSH

So did I. Here's why I built this:

  1. SSH requires port 22 open. Every server with an open SSH port is a brute-force target. rcmd's daemon connects outbound — zero inbound ports.
  2. SSH key management is a tax. Rotate keys, distribute them, revoke them, deal with known_hosts pollution. rcmd uses per-target tokens, auto-generated, no files to manage.
  3. SSH doesn't work behind NAT. If your server is behind a corporate firewall or NAT, you need a VPN just to reach it. rcmd works from anywhere — both sides connect outbound to the relay.
  4. SSH isn't built for automation. Parsing SSH output in scripts is fragile. rcmd returns structured JSON for every command — stdout, stderr, exit code, duration. Built for AI agents and CI/CD pipelines.

It's also a remote execution tool

Tunneling is just one feature. rcmd also does:

# Execute a command on a remote machine
rcmd exec --target prod --cmd 'docker ps' --timeout 10

# Run the same command across 10 servers at once
rcmd exec --targets web1,web2,web3,db1 --cmd 'uptime' --format table

# Check fleet health
rcmd list-targets

# Copy files
rcmd cp --target prod --src ./app.tar.gz --dst /opt/app/
Enter fullscreen mode Exit fullscreen mode

Every command returns JSON:

{
  "ok": true,
  "stdout": "CONTAINER ID   IMAGE   ...",
  "exit_code": 0,
  "duration_ms": 42
}
Enter fullscreen mode Exit fullscreen mode

No parsing. No guessing. No wasted tokens when an AI agent uses it.

Self-hosted or hosted

Two ways to run it:

  • Free (OSS): Self-host the relay on any VPS. Unlimited targets, all features. MIT licensed.
  • Pro (€5/mo): We host the relay at rcmd.intrane.fr. Automatic TLS, no infrastructure to manage.

Same binary, same features. The hosted version just means you don't run the relay yourself.

Install

curl -sSL https://rcmd.intrane.fr/install.sh | sh
Enter fullscreen mode Exit fullscreen mode

Then either self-host a relay or rcmd signup --email you@company.com for the hosted version.

What's next

Tunnel is the first of three SSH-killer features:

  1. Port forwarding — shipped today
  2. Scheduled commandsrcmd cron add --target prod --cmd 'docker restart app' --schedule '0 3 * * *'
  3. Interactive shell — full PTY sessions, rcmd exec --target prod --pty

The goal is simple: make SSH optional for the 80% of server access that doesn't require a full interactive session.


Links: rcmd.intrane.fr · GitHub (OSS) · Install

Made in France. MIT licensed. Built for AI agents first, humans second.

Top comments (0)