Documentation
SSH terminal and remote desktop in the browser
The Administration tab of the console opens an SSH terminal — then a Windows remote desktop — directly on a machine of the network, in the browser. Nothing to install, no port to open, no gateway that would see your credentials: the browser becomes a mesh node and a classic SSH client runs inside it.
Why
Zero exposure
The target machine opens no inbound port: its SSH server is only reachable through its overlay address, under the control of the ACLs.
Zero install
The workstation you act from only needs a browser: the console starts a classic VPN client there, right in the page.
Zero middlebox
The SSH client runs in your browser; the session is encrypted end-to-end to the machine. The relay only sees opaque packets.
Design goalOpen a terminal
In the console, pick the network then the Administration tab: every online machine offers the Terminal action (and, soon, Remote desktop).

- The machine name, as it appears in the network inventory.
- Its overlay address: this is what the terminal reaches, never a public address.
- “Terminal” opens an SSH session on this machine; “Remote desktop” (RDP) follows.
Enter the user and password of the account on the machine, then connect. On first connection, the SHA-256 fingerprint of the server key is shown — verify it: it is what guarantees you are talking to the right machine.

- User of the account on the target machine.
- Password: consumed by the SSH client in your browser, it never transits our servers.
- Connect opens the terminal — colors, full-screen apps, copy/paste.
Requirements: a standard SSH server running on the machine (the distribution's sshd is enough) and an ACL that allows your identity to reach its port 22 — see /en/docs/config-acl.
sudo apt install openssh-server
sudo systemctl enable --now sshDesign goalWindows remote desktop
Remote desktop follows the same model: a classic RDP client in the browser, over an overlay connection to port 3389 of the machine. No gateway, no port exposed on the internet. The SSH terminal lands first; remote desktop will ride the same transport.
Security
- Your credentials never transit our servers: they are consumed by the SSH client in your browser.
- The session is doubly encrypted: SSH itself, carried inside the mesh's end-to-end encryption.
- ACLs decide who can administer what, like any overlay traffic.
- The browser device is ephemeral: its key vanishes with the tab — protect the account, see /en/docs/securite-mfa.