If you manage servers, you've done this a thousand times:
ssh -L 5432:localhost:5432 user@prod-server
It works. But it requires SSH keys, an open port 22, a VPN if you're behind NAT, and a running SSH daemon on the target. Every one of those is a maintenance burden and an attack surface.
I just shipped rcmd tunnel — port forwarding through a WebSocket relay. No SSH, no VPN, no open ports.
How it works
Your laptop ──wss──► Relay ──wss──► Target daemon ──► localhost:5432
The target runs a tiny daemon (~6 MB Go binary) that connects outbound to a relay. Your client connects to the same relay. The relay routes TCP data between them. That's it.
Both sides connect outbound. No inbound ports. Works behind NAT, firewalls, corporate proxies.
The command
rcmd tunnel --target prod --local 5432 --remote localhost:5432
Now localhost:5432 on your machine tunnels to prod:5432. You can connect with psql, redis-cli, a browser dashboard — anything that speaks TCP.
What you can tunnel
-
PostgreSQL —
--local 5432 --remote localhost:5432 -
Redis —
--local 6379 --remote localhost:6379 -
Debug dashboards —
--local 8080 --remote localhost:8080 - Jupyter notebooks running on a remote GPU box
- Internal admin panels behind a firewall
- Any TCP service — if it speaks TCP, rcmd tunnels it
But wait, I already have SSH
So did I. Here's why I built this:
- SSH requires port 22 open. Every server with an open SSH port is a brute-force target. rcmd's daemon connects outbound — zero inbound ports.
-
SSH key management is a tax. Rotate keys, distribute them, revoke them, deal with
known_hostspollution. rcmd uses per-target tokens, auto-generated, no files to manage. - SSH doesn't work behind NAT. If your server is behind a corporate firewall or NAT, you need a VPN just to reach it. rcmd works from anywhere — both sides connect outbound to the relay.
- SSH isn't built for automation. Parsing SSH output in scripts is fragile. rcmd returns structured JSON for every command — stdout, stderr, exit code, duration. Built for AI agents and CI/CD pipelines.
It's also a remote execution tool
Tunneling is just one feature. rcmd also does:
# Execute a command on a remote machine
rcmd exec --target prod --cmd 'docker ps' --timeout 10
# Run the same command across 10 servers at once
rcmd exec --targets web1,web2,web3,db1 --cmd 'uptime' --format table
# Check fleet health
rcmd list-targets
# Copy files
rcmd cp --target prod --src ./app.tar.gz --dst /opt/app/
Every command returns JSON:
{
"ok": true,
"stdout": "CONTAINER ID IMAGE ...",
"exit_code": 0,
"duration_ms": 42
}
No parsing. No guessing. No wasted tokens when an AI agent uses it.
Self-hosted or hosted
Two ways to run it:
- Free (OSS): Self-host the relay on any VPS. Unlimited targets, all features. MIT licensed.
- Pro (€5/mo): We host the relay at rcmd.intrane.fr. Automatic TLS, no infrastructure to manage.
Same binary, same features. The hosted version just means you don't run the relay yourself.
Install
curl -sSL https://rcmd.intrane.fr/install.sh | sh
Then either self-host a relay or rcmd signup --email you@company.com for the hosted version.
What's next
Tunnel is the first of three SSH-killer features:
- Port forwarding — shipped today
-
Scheduled commands —
rcmd cron add --target prod --cmd 'docker restart app' --schedule '0 3 * * *' -
Interactive shell — full PTY sessions,
rcmd exec --target prod --pty
The goal is simple: make SSH optional for the 80% of server access that doesn't require a full interactive session.
Links: rcmd.intrane.fr · GitHub (OSS) · Install
Made in France. MIT licensed. Built for AI agents first, humans second.
Top comments (0)