VIGIL MESH

Documentation

SSH terminal and remote desktop in the browser

The Administration tab of the console opens an SSH terminal — then a Windows remote desktop — directly on a machine of the network, in the browser. Nothing to install, no port to open, no gateway that would see your credentials: the browser becomes a mesh node and a classic SSH client runs inside it.

Why

Zero exposure

The target machine opens no inbound port: its SSH server is only reachable through its overlay address, under the control of the ACLs.

Zero install

The workstation you act from only needs a browser: the console starts a classic VPN client there, right in the page.

Zero middlebox

The SSH client runs in your browser; the session is encrypted end-to-end to the machine. The relay only sees opaque packets.

Design goalOpen a terminal

In the console, pick the network then the Administration tab: every online machine offers the Terminal action (and, soon, Remote desktop).

Administration tab of the console: the list of online machines, each with a Terminal button and a Remote desktop button.
  1. The machine name, as it appears in the network inventory.
  2. Its overlay address: this is what the terminal reaches, never a public address.
  3. “Terminal” opens an SSH session on this machine; “Remote desktop” (RDP) follows.

Enter the user and password of the account on the machine, then connect. On first connection, the SHA-256 fingerprint of the server key is shown — verify it: it is what guarantees you are talking to the right machine.

Terminal panel: user and password fields, Connect button.
  1. User of the account on the target machine.
  2. Password: consumed by the SSH client in your browser, it never transits our servers.
  3. Connect opens the terminal — colors, full-screen apps, copy/paste.

Requirements: a standard SSH server running on the machine (the distribution's sshd is enough) and an ACL that allows your identity to reach its port 22 — see /en/docs/config-acl.

sudo apt install openssh-server
sudo systemctl enable --now ssh

Design goalWindows remote desktop

Remote desktop follows the same model: a classic RDP client in the browser, over an overlay connection to port 3389 of the machine. No gateway, no port exposed on the internet. The SSH terminal lands first; remote desktop will ride the same transport.

Security

  • Your credentials never transit our servers: they are consumed by the SSH client in your browser.
  • The session is doubly encrypted: SSH itself, carried inside the mesh's end-to-end encryption.
  • ACLs decide who can administer what, like any overlay traffic.
  • The browser device is ephemeral: its key vanishes with the tab — protect the account, see /en/docs/securite-mfa.
Do I need to open port 22 on the internet?
No, no inbound port. The SSH server is only reachable through the machine's overlay address; access is controlled by the ACLs.
Do my credentials go through your servers?
No. They are consumed by the SSH client running in your browser and only sent to the target machine, inside the end-to-end encrypted session.
Can I use it from a non-enrolled workstation?
Yes: after signing in, the browser becomes an ephemeral device of the network for the lifetime of the tab. Enable MFA on the account.
Read nextPolicies and ACLs