MCP

In this guide, we demonstrate how to use the NoPorts Tunnel to securely access an MCP server running on a remote device, making it accessible via localhost:3000 on your local machine

Video Tutorial

Prerequisites

Before continuing, make sure that the following steps have been completed on the machine you’ll be using to remotely connect to your MCP server:

NoPorts Desktop is installed.
Your NoPorts atSigns are activated, and the associated keys are saved locally.
You are signed in with your device atSign and have recorded your authentication passcode by opening the Authenticator tab and noting the displayed OTP.

If these steps are not yet complete, please follow Steps 1 through 5.3 in the Quick Start guide for macOS or Windows then return to this page.

Step 1: Set up the MCP Server

Steps 1 through 4 are to be completed on the machine that your MCP server will be running on

In this example, the MCP server is implemented in Python using the FastMCP library. The reference code can be found at: https://gofastmcp.com/deployment/http

In this example, the server will be running locally at:

Host: 127.0.0.1
Port: 3000

You can choose whichever port number works best for you.

The MCP Server must be served over a TCP Protocol to function with NoPorts.

Step 2: Set up the NoPorts Daemon

Select the operating system running on the machine your MCP server is running on and follow the steps to install the NoPorts Daemon.

Download the installer from GitHub by running the following command:

curl -L https://github.com/atsign-foundation/noports/releases/latest/download/universal.sh -o universal.sh

To check if the installation downloaded correctly:

stat universal.sh

Make the script executable and run the script by running the command below:

chmod u+x universal.sh
./universal.sh

During installation, you’ll be prompted to enter the following items:

You may be asked to enter your password if your machine requires sudo privileges.

The install type

Enter device when prompted.

Your atSigns

Client atSign: e.g., @example01_np
Device atSign: e.g., @example02_np

Your device name

This should be the name of the machine you're currently installing on.

Download the installer from GitHub by running the following command:

curl -L https://github.com/atsign-foundation/noports/releases/latest/download/universal.sh -o universal.sh

To check if the installation downloaded correctly:

stat universal.sh

Make the script executable and run the script by running the command below:

chmod u+x universal.sh
./universal.sh

During installation, you’ll be prompted to enter the following items:

You may be asked to enter your password if your machine requires sudo privileges.

The install type

Enter device when prompted.

Your atSigns

Client atSign: e.g., @example01_np
Device atSign: e.g., @example02_np

Your device name

This should be the name of the machine you're currently installing on.

Step 3: Configure Permit‑Open on Localhost:3000

1. Edit the override configuration file:

sudo vim /etc/systemd/system/sshnpd.service.d/override.conf

2. Under “any additional command line arguments for sshnpd”, add the following line:

Environment=additional_args="--permit-open=\"localhost:3000,127.0.0.1:3000\""

3. Apply the changes by restarting and reloading the service:

sudo systemctl restart sshnpd.service
sudo systemctl daemon-reload

Step 4: Initiate an authorization request

Select the operating system running on the machine your MCP server is running on and follow the steps provided.

Run the following command to make an authorization request:

Be sure to replace the following values:

@<REPLACE>_np with your device atSign,

<PASSCODE> with the passcode generated in step 5 of the prerequisite instructions

@<REPLACE>_np_key with your device atSign,

<DEVICE_NAME> with the name of the machine you are on

~/.local/bin/at_activate enroll -a @<REPLACE>_np \
  -s <PASSCODE> \
  -p noports \
  -k ~/.atsign/keys/@<REPLACE>_np_key.atKeys \
  -d <DEVICE_NAME> \
  -n "sshnp:rw,sshrvd:rw"

Once you see this text, you're ready to continue to the next step.

Submitting enrollment request 
Enrollment ID: ---------------------
Waiting for approval; will check every 10 seconds

Run the following command to make an authorization request:

Be sure to replace the following values:

@<REPLACE>_np with your device atSign,

<PASSCODE> with the passcode generated in step 5 of the prerequisite instructions

@<REPLACE>_np_key with your device atSign,

<DEVICE_NAME> with the name of the machine you are on

~/.local/bin/at_activate enroll -a @<REPLACE>_np \
  -s <PASSCODE> \
  -p noports \
  -k ~/.atsign/keys/@<REPLACE>_np_key.atKeys \
  -d <DEVICE_NAME> \
  -n "sshnp:rw,sshrvd:rw"

Once you see this text, you're ready to continue to the next step.

Submitting enrollment request 
Enrollment ID: ---------------------
Waiting for approval; will check every 10 seconds

Run the following command to make an authorization request.

Be sure to replace the following values:

@<REPLACE>_np with your device atSign,

<PASSCODE> with the passcode generated in Step 4,

<USER> with your Windows username,

@<REPLACE>_np_key with your device atSign,

<DEVICE_NAME> with the name of the machine you are on

at_activate.exe enroll -a "@<REPLACE>_np" `
  -s <PASSCODE> `
  -p noports `
  -k C:\Users\<USER>\.atsign\keys\@<REPLACE>_np_key.atKeys `
  -d <DEVICE_NAME> `
  -n "sshnp:rw,sshrvd:rw"

Once you see this text, you're ready to continue to the next step.

Submitting enrollment request 
Enrollment ID: ---------------------
Waiting for approval; will check every 10 seconds

If you encounter a handshake exception, it usually means your root certificates are outdated. To refresh them, run the following command with administrator privileges:Install-Script -Name UpdateRootCertificates

Step 5: Approve the request

Steps 5 through 7 are to be coompleted on the machine you'll be using to remotely connnect to your MCP server.

1. Click on Requests and approve the pending request. The request will then move to the approved enrollments list.

2. After a few seconds, the request will also show as approved on the machine you are connecting to.

Step 6: Create the profile in the desktop app

Click on Connection and create a profile for your MCP connection. You will enter the following information

Profile Name - The name that will be displayed in the profile list.
Device atSign - Your device atSign (eg mcp_demo_02_np).
Device Name - The name of your remote device.
Relay - Select the relay sever closest to you for optimum speed.
Local Port - The port you will use on your local machine.
Local Host - The hostname or IP address to bind to on your local machine.
Remote Host - The hostname or IP address of the machine you are connecting to.
Remote Port - The port that will be used on the remote machine.

In this example, the we use details shown in the video. When following along, be sure to replace these with your own data.

Profile Name

mcp_demo

Device atSign

@mcp_demo_02_np

Device Name

mcp_demo

Relay

@rv_am

Local Port

3000

Local Host

Remote Host

127.0.0.1

Remote Port

3000

Step 7: Interact with the MCP Server via Witsy

Whitsy is an open‑source LLM client. Download and install it from https://witsyai.com.

1. Open Whitsy, select MCP, then click the + icon to add a new MCP server.

2. Set Type to streamable HTTP, choose any Label you like, and enter the following URL:

http://127.0.0.1:3000/mcp

Click Save and you should see a green checkmark.

3. Go to Chat, then open Customize and enable the process_data option.

4. To test, type the following:

process data using MCP "hello"

PreviousUse Cases NextSSH

Last updated 3 days ago