Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
How to quickly install and use NoPorts on both macOS and Windows devices.
Go to noports.com and sign up for a 30-day free trial.
Download the NoPorts desktop app using one of the links below:
Launch the NoPorts desktop app and click Get Started.
Enter your client atSign into the text field (e.g., @pluto83_client), leave the root domain as is, and then click Next.
A one-time password (OTP) will be sent to you via email. Enter this OTP into the app and then click Confirm.
Your atKeys (cryptographic keys) will be used to pair your atSign with this and other devices in future. You can learn more about these keys here.
Click on Save atKeys
Select a location on your device and save your keys.
Download the NoPorts test connection profile. This is a json file containing connection details for a test profile we have created.
Return to the NoPorts app Dashboard.
Click Import and select the test connection profile that you just downloaded.
Click the Connect Icon ▶️ to establish a connection.
Open a web browser and navigate tohttp://localhost:8080.
Congratulations! You're connected to a hidden webpage via NoPorts!
How to install NoPorts on macOS. Guides for desktop app, CLI, and device installation.
Welcome to the NoPorts documentation site.
Before you can use NoPorts, you need to have it installed! All of our installation guides can be found here:
NoPorts has endless use-cases. We've provided a list of the most common ones:
If you don't understand how something works, or want to see the full configuration options, checkout the usage section:
Video and written directions for installing the NoPorts desktop app
Launch the NoPorts desktop app and click 'Get Started'.
Enter your client atSign into the text field (e.g., @pluto83_client), leave the root domain as is, and then click 'Next'.
A one-time password (OTP) will be sent to you via email. Enter this OTP into the app and then click 'Confirm'.
Your atKeys (cryptographic keys) will be used to pair your atSign with this and other devices in future. You can learn more about these keys here.
Click on the Settings Icon in the top right corner of the app.
Click on 'Back Up Your Keys' in the left navigation panel.
Select a location on your device and save your keys.
Return to the Dashboard
Click the 'Add New' button to create a new Profile
Enter the details for the new profile
Or, connect using our test profile.
Download the NoPorts test connection profile. This is a json file containing connection details for a test profile we have created.
Return to the NoPorts app Dashboard.
Click 'Import' and select the test connection profile that you just downloaded.
Open a web browser and navigate tohttp://localhost:8080to confirm you successfully connected to our hidden webpage.
On this page you will find instructions on how to get started with NoPorts and set up secure remote access. Installation guides are also provided for each Operating System. Let's get started!
To complete an installation of NoPorts and set up remote access from a client to a remote device, we must perform an installation on both the client and device machines. We will also obtain two atSigns during registration: one client atSign and one device atSign. Once we have the client and device atSigns, we are ready to begin installation.
Obtain your NoPorts license from noports.com You can start with a 30-day evaluation license, no credit-card required
Install NoPorts software on your devices
Install the NoPorts client typically on your desktop
Activate both management keys on your desktop
Install the NoPorts daemon onto the device(s) you want to connect to, repeat for each device
Use our enrollment tool to activate your device
Use NoPorts!
Reach out to us We want to hear about your use-cases. We take all feedback into consideration, it helps us make the best tool we possibly can.
The Client is defined as the machine where we are launching the remote access from. The Device is defined as the remote device that we are connecting to.
Client installation has two options: Desktop App or CLI
Device installation is CLI only
In summary, Installing and using NoPorts consists of the following steps:
Obtain NoPorts License and atSigns
Install the NoPorts Client on the client machine
Register the client atSign
Register device atSign
Install the NoPorts Daemon on the remote device
Repeat for multiple devices
Once NoPorts is installed you will be able to utilize it for any TCP connections such as remote access via SSH and RDP etc! Please see the complete instructions below:
To begin, you will need a NoPorts subscription or Free Trial
Start by exploring the use-cases available in the side bar such as SSH, RDP, SFTP, Web Server, and SMB. We also provide in-depth usage information here:
We have additional installation guides below if you are looking for more advanced/custom installations, or installing NoPorts as part of creating a new virtual machine.
These are supplementary guides, which involve some manual work.
These guides will show you how to install NoPorts as part of creating a new VM.
Choose the operating system which is running on your CLIENT machine:
Video and written directions for installing the NoPorts desktop app
Launch the NoPorts desktop app and click 'Get Started'.
Enter your client atSign into the text field (e.g., @pluto83_client), leave the root domain as is, and then click 'Next'.
A one-time password (OTP) will be sent to you via email. Enter this OTP into the app and then click 'Confirm'.
Click on the Settings Icon in the top right corner of the app.
Click on 'Back Up Your Keys' in the left navigation panel.
Select a location on your device and save your keys.
Return to the Dashboard
Click the 'Add New' button to create a new Profile
Enter the details for the new profile
Or, connect using our test profile.
Return to the NoPorts app Dashboard.
Click 'Import' and select the test connection profile that you just downloaded.
Open a web browser and navigate tohttp://localhost:8080to confirm you successfully connected to our hidden webpage.
This guide walks you through installing NoPorts on Windows machines.
Launch the NoPortsInstaller.exe program and allow it administrative permissions:
Start the connection by pressing for the profile you just created
Click the Connect Icon to establish a connection.
If you've already activated the device atSign skip to step 2.
To check if the installation downloaded correctly:
Make the script executable and run the script.
This command activates your atSign and prompts you to enter an OTP. This is only done during the setup of a brand new atsign.
at_activate will pause and wait for the input of a one time pin (OTP) sent to your email or phone number.
Once activated, the management keys will be saved in ~/.atsign/keys.
To check if the installation downloaded correctly:
Make the script executable and run the script.
Run the following command. It should output a 6-character passcode.
If you've already activated the device atSign skip to step 2.
To check if the installation downloaded correctly:
Make the script executable and run the script.
This command activates your atSign and prompts you to enter an OTP. This is only done during the setup of a brand new atsign.
at_activate will pause and wait for the input of a one time pin (OTP) sent to your email or phone number.
Once activated, the management keys will be saved in ~/.atsign/keys.
To check if the installation downloaded correctly:
Make the script executable and run the script.
Run the following command. It should output a 6-character passcode.
Run the following command
If you've already activated the device atSign skip to step 2.
If you haven't already done so, download the installer from GitHub. Then unzip the file.
Open the installer and click Activate atSign
Enter the device atSign and click Submit
A one-time password will be sent to your registered email address. Enter the OTP and then click Generate
Once activated, the keys will be saved in ~\.atsign\keys. You can go back to the installer home screen.
To check if the installation downloaded correctly:
Make the script executable and run the script.
Open the installer and click on Manage Keys.
Enter the device atSign and click Next.
Click New OTP.
Wait a few seconds for the OTP to appear then proceed to the next step.
Run the following command on your remote device.
Click Refresh and the new request will appear
If the request looks incorrect, then click "Deny" to deny it, and start the process again.
If the request looks correct, then click "Approve" to approve it.
Once the request has been approved, it should disappear from the list in the installer. The enrollment will complete on the remote device in a few seconds.
Your atKeys (cryptographic keys) will be used to pair your atSign with this and other devices in future. You can .
Start the connection by pressing for the profile you just created
Download theThis is a json file containing connection details for a test profile we have created.
Click the Connect Icon to establish a connection.
Download the installer . Then unzip the file.
If you've activated your client atSign on another device already, this step will not work. Instead, follow this guide:
Download the installer . Then unzip the file.
If you've activated your client atSign on another device already, this step will not work. Instead, follow this guide:
If you've already activated the device atSign skip to .
To check if the installation downloaded correctly:
Make the script executable and run the script.
This command activates your atSign and prompts you to enter an OTP. This is only done during the setup of a brand new atsign.
at_activate will pause and wait for the input of a one time pin (OTP) sent to your email or phone number.
Once activated, the management keys will be saved in ~/.atsign/keys.
To check if the installation downloaded correctly:
Make the script executable and run the script.
Run the following command. It should output a 6-character passcode.
Run the following command
To check if the installation downloaded correctly:
Make the script executable and run the script.
This command activates your atSign and prompts you to enter an OTP. This is only done during the setup of a brand new atsign.
at_activate will pause and wait for the input of a one time pin (OTP) sent to your email or phone number.
Once activated, the management keys will be saved in ~/.atsign/keys.
To check if the installation downloaded correctly:
Make the script executable and run the script.
Run the following command. It should output a 6-character passcode.
Run the following command
This command activates your atSign and prompts you to enter an OTP. This is only done during the setup of a brand new atsign.
at_activate will pause and wait for the input of a one time pin (OTP) sent to your email or phone number.
Once activated, the management keys will be saved in ~\.atsign\keys.
To check if the installation downloaded correctly:
Make the script executable and run the script.
Open the installer and click on Manage Keys.
Enter the device atSign and click Next.
Click New OTP.
Wait a few seconds for the OTP to appear then proceed to the next step.
Run the following command on your remote device.
Click Refresh and the new request will appear
If the request looks incorrect, then click "Deny" to deny it, and start the process again.
If the request looks correct, then click "Approve" to approve it.
Once the request has been approved, it should disappear from the list in the installer. The enrollment will complete on the remote device in a few seconds.
If you've already activated the device atSign skip to .
If you've already activated the device atSign skip to .
If you haven't already done so, download the installer . Then unzip the file.
Follow these two steps to install the NoPorts daemon so you can install your own background service
Change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
Change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
You are on your own for setting up the background service to start sshnpd. See our other options if you need help setting this up.
You can now proceed to installing your client, or if you've already done that, checkout our usage guide.
When you activate an atSign, you are doing a handful of steps to prepare the atSign for use. One of these steps is cutting a unique set of cryptographic keys.
The first time you activate, this set of keys that gets generated is a set of management keys. These keys have full permissions to your atServer, the personalized service which powers your atSign.
We recommend cutting the management keys on the client for a few reasons:
It's extremely important that you don't lose these keys:
They are less likely to get lost on your client machine than on your device.
If a device is stolen you still have your management keys to recover from the theft.
For each device we can issue it's own set of cryptographic keys which has a few perks:
This allows us to limit the permissions of those keys to the bare minimum required for NoPorts.
If a device gets compromised, we can safely revoke that set of cryptographic keys, and limit the impact to your other devices.
Follow these five steps to set up the NoPorts daemon as a systemd unit background service
First, change directories into the unpacked download:
Then run the installer:
This installer must be run as root.
Not available for macOS
After installing the systemd unit, we must configure it. This requires root privileges.
You'll then be greeted with a file that looks like this:
Replace <username> with the running sshnpd (we suggest creating service account not running as root)
Replace <@device_atsign> with the
Replace <@manager_atsign> with the
Replace <device_name> with your own for this device. You will need this value later, so don't forget it.
Add any additional config to the end of the line where sshnpd is run, some useful flags you should consider adding:
-u : "unhide" the device, sharing the username and making it discoverable by sshnp --list-devices
-s : "ssh-public-key", allow ssh public keys to be shared by sshnp and automatically authorized by sshd, saves you from dealing with ssh public key management. If multiple people use the device, we recommend leaving this off and managing ssh public keys yourself.
To see the rest of the available options run sshnpd to see the usage.
If you don't own a pair of noports addresses, please visit the registrar before continuing.
We will now activate the device address, you only need to activate the device address now. The client address will be activated later during the client installation.
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
The application will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).
***If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.
Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them at ~/.atsign/keys/@my_noports_device_key.atKeys.
An address can only be activated once, to install this address to future devices, you must copy this file to the device (see 3.b.).
If you have activated the device address before, you must copy the address from another machine where it's been activated.
The address will be located at ~/.atsign/keys/@my_noports_device_key.atKeys. Copy this file from your other machine to the same location on the machine that you are installing sshnpd on.
Using systemctl we can enable and start the sshnpd service.
If you need to verify the status of the service:
If you want to follow the logs of the service you can with
There are a number of fiddly things to get in place for ssh to work. The first is the ~/.ssh/authorized_keysfile of the user being used to run the systemd unit.
The file needs to owned by the user running the systemd unit. Currently there is a bug in the script and this sets the user to root, which needs to be corrected if not running as root. You can do this with the following command substituting debain for your username and group.
The file also needs to be only writable by the owner, else the sshd will not allow logins. This can be checked with ls -l and corrected with the chmod command.
Once complete it should look like this.
If you decided to use the root user in the service setup you have a futher couple of steps.
Then you need to make sure that the root user is allowed to login via sshd. Whist this is not recommended you can get it working by editing the /etc/ssh/sshd_config file and removing the # on this line.
Once removed you will need to restart the sshd daemon. How to do this varies from distribution/OS so check on how to do it or reboot.
Your systemd service is ready to go, you can now proceed to installing your client, or if you've already done that, checkout our usage guide.
Begin with the three steps below
The NoPorts daemon (a.k.a. sshnpd) is installable as a background service in many ways. Choose the best option for your environment. The service may be installed as a systemd unit, docker container, tmux session, or as a background job using cron and nohup. The binaries can also be installed standalone so that you can install your own custom background service.
On windows, we strongly recommend sticking to our automated installation process on Windows. This is because properly installing NoPorts as a Windows service requires making entries in the registry. If you want to create a custom installer for your organization, please speak to us directly at info@noports.com.
You can download a release from GitHub, or see the table below to download the latest release for your platform.
Alternatively, if you want to download from the command line, you can do so with curl.
x64:
arm64:
arm:
risc-v:
x64 (intel):
arm64 (apple):
If you downloaded from GitHub, the file name may be slightly different.
See the links in the table below to continue with the installation process.
You are on Linux and have root access. (Recommended)
You have tmux installed, or can install it. (Deprecated)
If you do not have root access and cannot install tmux (Deprecated)
You want to manually setup the background service after downloading the binaries. (roll your own)
Follow these four steps to install the NoPorts daemon in a headless environment
It is important to note that the log files of the headless job have the potential to grow infinitely. We recommend implementing a logrotate cron job to prevent this.
Change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
Change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
After installing the startup script, we must configure it.
You'll then be greeted with a file that looks like this:
Replace $user with the running sshnpd
Replace $device_atsign with the
Replace $manager_atsign with the
Replace $device_name with your own for this device. You will need this value later, so don't forget it.
Add any additional config to the end of the line where sshnpd is run, some useful flags you should consider adding:
-u : "unhide" the device, sharing the username and making it discoverable by sshnp --list-devices
-s : "ssh-public-key", allow ssh public keys to be shared by sshnp and automatically authorized by sshd, saves you from dealing with ssh public key management. If multiple people use the device, we recommend leaving this off and managing ssh public keys yourself.
To see the rest of the available options run sshnpd to see the usage.
This service does not do log rotations of the logs stored at $HOME/.sshnpd/logs.
It is recommended that you implement a cron job which handles log rotations.
If you don't own a pair of noports addresses, please visit the registrar before continuing.
We will now activate the device address, you only need to activate the device address now. The client address will be activated later during the client installation.
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
The application will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).
***If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.
Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them at .
An address can only be activated once, to install this address to future devices, you must copy this file to the device (see 3.b.).
If you have activated the device address before, you must copy the address from another machine where it's been activated.
The address will be located at . Copy this file from your other machine to the same location on the machine that you are installing sshnpd on.
The headless service will automatically be started by the cron @reboot directive when your machine restarts. If you would like to start it immediately, note that you must make sure to disown the process so that it doesn't hangup when you logout.
Run the following command to start it immediately:
The service should already be running in the background, to observe the logs:
Your headless job is ready to go, you can now proceed to installing your client, or if you've already done that, checkout our usage guide.
Follow these four steps to run the NoPorts daemon within a tmux session
First, ensure tmux is installed on your machine:
If tmux is not available, a quick web search of Install tmux for <your distro> should help you easily install it. Most distros include the tmux package in their repository.
Change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
First, ensure tmux is installed on your machine:
If tmux is not available, the recommended way to install tmux on macOS is with homebrew.
Change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
After installing the startup script, we must configure it, with nano or vi depending on your preference.
or
You'll then be greeted with a file that looks like this:
Replace $user with the running sshnpd
Replace $device_atsign with the
Replace $manager_atsign with the
Replace $device_name with your own for this device. You will need this value later, so don't forget it.
Add any additional config to the end of the line where sshnpd is run, some useful flags you should consider adding:
-u : "unhide" the device, sharing the username and making it discoverable by sshnp --list-devices
-s : "ssh-public-key", allow ssh public keys to be shared by sshnp and automatically authorized by sshd, saves you from dealing with ssh public key management. If multiple people use the device, we recommend leaving this off and managing ssh public keys yourself.
To see the rest of the available options run sshnpd to see the usage.
If you don't own a pair of noports addresses, please visit the registrar before continuing.
We will now activate the device address, you only need to activate the device address now. The client address will be activated later during the client installation.
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
The application will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message). ***If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.
Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them at .
An address can only be activated once, to install this address to future devices, you must copy this file to the device (see 3.b.).
If you have activated the device address before, you must copy the address from another machine where it's been activated.
The address will be located at . Copy this file from your other machine to the same location on the machine that you are installing sshnpd on.
The tmux service will automatically be started by the cron @reboot directive when your machine restarts. If you would like to start it immediately, note that you must make sure to disown the tmux process so that it doesn't hangup when you logout.
Run the following command to start it immediately:
You can use regular tmux commands to observe the service:
Your tmux session is ready to go, you can now proceed to installing your client, or if you've already done that, checkout our usage guide.
Typing is less fun after a few devices.
This is an engineering guide, not a definitive solution, as every production environment is different. Feel free to borrow what is useful and ignore what is not. If you have better ideas or ways, please let us know!
Each atSign has a reasonable maximum of 25 devices that it can manage, so keep that in mind as you use this script to roll out devices. By default, the hostname is used as the -dDEVICE_NAME. Your hostnames may not match the requirements of the DEVICE_NAME flag.
Lowercase Alphanumeric max 15 Characters Snake Case before version 5.0.3
Case insensitive Alphanumeric max 36 Chars Snake Case from version 5.0.3 onwards.
allows UUID snake cased device names.
Cut and paste this script and tailor it to your needs. Do not forget to chmod 500 or else it will not run! More details below on how to set things up, and a demo run, too, using Docker.
Each atSign has its own set of keys that are "cut" with at_activate. This will cut the keys for the atSign and place them in ~/.atsign/keys. Each machine requires the atKeys file to run sshnpd, so, we need to have a way to get them to each device. It is possible to ssh/scp them, but that becomes very cumbersome at scale. Instead, we encrypt the keys with AES256 and place them on a webserver. When the install script is run, it knows both the URL and the encryption password and can pull the atKeys file to the right place.
The steps are to (1) get the atKeys file as normal using at_activate, then (2) encrypt them using a command like this:
This command will ask you for a password which you will put in the install.sh file as ATKEY_PASSWORD.
You can then set up a simple http (the file is encrypted) server to serve the keys with. For example, a Python single line of code:
python3 -m http.server 8080 --bind 0
Alternatively, you can put the keys file on filebin.net and it will locate the file in a random URL which you can put into the install.sh file. For example:
https://filebin.net/s2w5r6gwemmz5kvi/_ssh_1_key.atKeys.aes
It is worth noting that the @ gets translated to a _ but that does not effect the script. Using this site has the advantage that the URL is hidden, and it uses TLS—plus you can delete the files once completed.
At this point you can derive the URL of the encrypted atKeys file and put it in the install.sh file headers.
The other variables should be straightforward enough.
The other variables set up the atSigns for the manager and device and for the device name itself. The device name by default uses the hostname using the shell command $(hostname) , but that only works if the hostname is compliant with the -d format of sshnpd. You can pick another way to identify the host or just make sure the hostname is compliant.
This is a simple matter now of getting the install.sh to the target device and running it. The needed files will be installed, the username name created, cronjobs put in place, and the 'sshnpd' will be started.
How you get the install.sh file to the target machine is going to vary depending on your environment. Using scp is a good option, as is using ssh or curl and pulling the file (using the same encryption method perhaps).
The install.sh script works fine on individual machines, but if you want to install on, say, 25 machines, this is how you do it.
First, you need to have ssh root access to the machines you want to install on. This SSH access will be removed as you do the install with this line uncommented:
If you pass 8 arguments into the install.sh they will be used rather than the hardcoded values. This allows you to pass in the values needed as the script is run QED.
For example:
./install.sh ubuntu changeme https://raw.githubusercontent.com/cconstab/sshnpd_config/main/config/sshnpd.sh http://192.168.1.61:8080/@ssh_1_key.atKeys.aes helloworld @cconstab @ssh_1 $(hostname)
Using Docker is the simple way to test any options first before moving to production.
Something like this will mount the script and start a basic Linux build:
docker run -it -v ./install.sh:/root/install.sh debian:trixie-slim
You can then cd and run the install.sh script. For example:
After the install has completed, you can su - to the USERNAME you chose and see tmux/sshnpd running.
On another machine, you can log in to the container using the select MANAGER_ATSIGN, remembering to give the daemon a ssh key and the username.
You are now logged into the container. If you need root access, you can use the password you chose to sudo -s
Feel free to adapt this outline to your specific needs and share your improvements back with the community.
Upgrading to the latest version of sshnpd is identical to the installation process.
To check the current version of sshnpd installed on your machine simply execute the binary:
After upgrading the sshnpd binary, we must restart the sshnpd service so that it runs using the new version. How you proceed is dependent on the original installation method you used:
The universal.shinstaller script will automatically restart the sshnpd.serviceunit.
Any existing config will be preserved.
The installer automatically restarts your tmux session, no other steps required!
To safely restart the headless service, we must be slightly more careful with the headless installation. First we must grab the process id of sshnpd:
You should get a single number as output, this is the process ID of the sshnpd process.
Example:
Before we continue, it is good practice to make sure that we have the correct ID:
Example:
As you can see, under CMD we have /home/atsign/.local/bin/sshnpd -a @atsign_device -m @atsign_client -d mydevice -suv. This is the command inside our sshnpd.sh service which used to start sshnpd. This is the correct process that we want to kill in order to restart sshnpd.
Now that we have retrieved and verified the process ID, we can use the kill command to kill the process:
Example:
Use the same verification command from before:
Example:
As you can see, there are no entries anymore. This means process 289 has been killed, sshnpd should automatically restart under a new process ID.
The SSH No Ports client (a.k.a. sshnp) is available as a command line application or desktop application (alpha). This guide is for installing the command line application, the desktop application installation guide will be made available upon official release.
If you downloaded from GitHub, the file name may be slightly different.
First, change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
First, change directories into the unpacked download:
Then run the installer:
This will install the binaries to ~/.local/bin.
Instead, if you'd like to install the binaries to /usr/local/bin, run the installer as root:
Windows doesn't have a dedicated installer at this time.
You can find sshnp.exe in the unpacked archive, you may move this binary to wherever you like.
This step is optional, but highly recommended.
If you chose not to install as root, you will need to add ~/.local/bin to your PATH.
Add the following line to your shell's rc file:
If you chose not to install as root, you will need to add ~/.local/bin to your PATH.
Add the following line to your shell's rc file:
We will now activate the client address, you only need to activate the client address now. The device address should be activated during the device installation.
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
Now that you have at_activate installed, you can invoke the command with the name of the address you would like to activate:
The application will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).
***If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.
Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them at ~/.atsign/keys/@my_noports_client_key.atKeys.
An address can only be activated once, to install this address to future devices, you must copy this file to the device (see 3.b.).
If you have activated the client address before, you must copy the address from another machine where it's been activated.
The address will be located at ~/.atsign/keys/@my_noports_client_key.atKeys. Copy this file from your other machine to the same location on the machine that you are installing sshnpd on.
Upgrading to the latest version of sshnp is identical to the installation process.
To check the current version of sshnp installed on your machine simply execute the binary:
If you continue to get an old version number, it's likely that there's an old binary which wasn't replaced on the machine. Try the following to debug your binary location:
How to deploy NoPorts on Oracle Cloud Infrastructure using a cloud-init script
When starting a VM on OCI first click the Show advanced options button having selected the usual options above that.
Then (in the Management tab) select Paste cloud-init script
And paste your customised script into the Cloud-init script box:
The VM is now ready for Create
After a few minutes the APKAM key can be approved:
If the VM isn't quite ready you'll see:
Waiting a little longer and retrying should produce a successful approval:
The VM is now ready for connection with the NoPorts client.
How to deploy NoPorts on Azure using a cloud-init script
In the Azure Portal select Virtual machines and hit the + Create button.
Choose your preferred options for each sub-page of the Create a virtual machine process.
On the Advanced sub-page there's a Custom data and cloud init section where your customised script can be pasted:
It should look like this:
Once that's complete the VM is ready for Review + create then if all looks well hit Create
After a few minutes the APKAM key can be approved:
If the VM isn't quite ready you'll see:
Waiting a little longer and retrying should produce a successful approval:
The VM is now ready for connection with the NoPorts client.
How to deploy NoPorts on Amazon Web Services using a cloud-init script
When launching an instance on EC2 choose settings as usual for the instance type etc.
A security group with no external ports open can be created or reused.
Expand the Advanced details section at the bottom of the Launch an Instance page:
Scroll down to the User data - optional box and paste in your customised YAML e.g.:
Which will end up looking something like this:
The VM config should now be ready for Launch instance
After a few minutes the APKAM key can be approved:
If the VM isn't quite ready you'll see:
Waiting a little longer and retrying should produce a successful approval:
The VM is now ready for connection with the NoPorts client.
Installation of sshnpd on the IPFire.org firewall
IPFire provides a solid Firewall and uses a base Linux OS. The installation of the OS itself is well documented at ipfire.org. X64 and Arm devices like Raspberry PI's are well supported.
Make sure to configure the network interfaces and ensure you can get to the Web Interface on
SSH No Ports relies on the SSH daemon and so the first step is to enable it on the IPFire Web interface, under System.
We will also need to add the TMUX package via the web interface under the IPFire section click Pakfire, then add TMUX.
IPFire only has a root user after installation so the first step is to set up a non privileged account in this example we will use atsign but feel free to pick your own. Login to the console or via SSH as root and type:
The next step is su to the user you just created and setup the directories sshnpd will need
Using sudo allows you to get access to the root account if you need it but keep at a non root shell when you do not, its a good practice but optional.
As root you will need to edit the /etc/sudoers file and uncomment the line below as show by removing the #. Note you may need to use w! in vi to force the update of the file.
Once done then you can add the sudo group and then add the username atsign to the group with the following commands as root.
Then add a password to the atsign account again as root
Once completed then check everything is working by su - to atsign the using sudo -s to get back to root.
As atsign (not root!) download the SSH No Ports software, which we can do with curl and then unpack the archive with tar. The curl command below brings in the x64 CPU architecture file if you are using Arm/Arm64 then curl down the right option by picking the right link from:-
To install the software just cd and run the install command
You will see some errors at this stage as IPFire uses fcron not cron which needs root powers to install fcron jobs which we will handle soon.
The sshnpd is started via a script and that script and that script needs some simple edits. You will need to know your atSign for the device (_device) and manager (_client). to edit use nano/vi on this file.
Then edit the lines as below with your details.
IPFire has non standard base certificates but we can install the latest versions from Mozilla so the sshnpd daemon can use TLS, by using these commands.
If you have not got your atKeys file you will need to use at_activate to get them as explained in the the advanced installation guide. If you do have the keys for your device then they need to be in the ~/.atsign/keys directory. You can scp them over for instance. Its a good idea to chmod them to 600.
As mentioned above fcron is used not cron so a couple of extra steps are required. First add your username to the /etc/fcron.allow file.
Then add your username ours looks like this
Once that is completed then you can add an entry to atsign's fcron, this can only be done as root and uses vi to edit by default.
Then you will need to add the following line
That's it you are done!
To test you can reboot or as atsign run the command below and try and log in using sshnp
At this point you will be able to log in remotely using sshnp. The first time you will need to specify a ssh key using the -i and -s arguments. This will put the public key into the authorized_hosts file on the IPFire machine. In my case I would use.
your will look like something similar depending on your SSH Key pair (you can generate one if you do not have one with ssh-keygen) and your client/device atsigns.
When you get logged in you can remove the -s and the -i flags and login on subsequent logins as the public key will be in place on the IPFire machine. You will have to put the keys you want to use in ~/.ssh/config also on the machine you are ssh'ing from, in my case I use a single line.
Remember to keep your SSH and Atsign keys safe and make a copy offline.
You are now able to login from anywhere as long as the firewall and you have Internet access. Congrats!
If you would like to remove the ssh daemon from the GREEN side as well then you can edit the /etc/ssh/sshd_config file to only bind on localhost but updating this line.
to
and then reboot or restart the sshd daemon.
How to install NoPorts as part of creating a new VM
The NoPorts daemon can be installed on a Linux cloud virtual machine (VM) using a cloud-init script of the form:
Some clouds, such as Azure and Oracle Cloud will take the script pretty much as presented above. Other clouds, including AWS and GCP need alternate formatting or additional customisation.
In all cases the variables in the first section of the script should be changed to match the atSigns being used, the desired device name, the Linux username and the one time password (OTP) or semi-permanent passcode (SPP) being used. e.g.:
Once the VM is started (which will generally take a few minutes) the NoPorts daemon will be waiting for an APKAM key in order to start up. That key can be approved using at_activate:
How to deploy NoPorts on Google Cloud Platform using a cloud-init script
Navigate to Compute Engine > VM instances and hit the + CREATE INSTANCE button as usual, then select Name, Region, Machine configuration etc.
Expand Advanced options at the bottom of the page:
Then scroll down and expand Management:
In the Automation section paste in your customised startup script like:
NB this script is creating a new user noports to deal with the fact that GCP images don't have default usernames.
Once filled, the box should look something like:
The VM is now ready for Create
After a few minutes the APKAM key can be approved:
If the VM isn't quite ready you'll see:
Waiting a little longer and retrying should produce a successful approval:
The VM is now ready for connection with the NoPorts client.
"Old machine" is the machine that has the original set of cryptographic keys that were generated. "New machine" is the device you want the new set of cryptographic keys on.
Choose the operating system that is running on your old machine.
Choose the operating system that is running on your new machine.
Choose the operating system that is running on your old machine.
Make sure to replace <client_device_name> with the device name from Step 2
If the request looks incorrect, then press "Deny" to deny it, and start the process again.
If the request looks correct, then press "Approve" to approve it.
These guides cover our most commonly asked NoPorts installation questions
Steps for client and device atSigns
Example client atSign
Example device atSign
(1) Run the at_activate command for the client atSign
(2) Enter the One Time Password (OTP) & Check your SPAM/PROMOTIONS folders
at_activate will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).
If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.
Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them in the ~/.atsign/keys/ directory with a filename that includes the atSign.
1) Run the at_activate command for the device atSign
2) Enter the One Time Password (OTP) & Check your SPAM/PROMOTIONS folders
Again, at_activate will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).
If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.
Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them in the ~/.atsign/keys/ directory with a filename that includes the atSign.
A review of two available methods
You can:
A. Generate a new set of cryptographic keys (Recommended)
B. Copy the cryptographic keys from the machine where it's been activated in the past (Not recommended)
To generate a new set of cryptographic keys, there are three main steps. They occur from two different machines, so pay careful attention to which machine you perform each step on.
"Old machine" is the machine that has the original set of cryptographic keys that were generated. "New machine" is the device you want the new set of cryptographic keys on. These new keys will have restricted permissions that only work with NoPorts, and cannot be used for generating other keys.
[Old machine] Generate a Passcode
[New machine] Enroll the new key pair (send a request for keys from the new machine)
[Old machine] Approve the request
For detailed instructions, follow this guide:
The atSign keys file will be located at ~/.atsign/keys/ directory with a filename that will include the atSign. Copy this file from your other machine to the same location on the machine that you are installing SSH No Ports on, using scp or similar.
Why don't we recommend this approach?
When you use method A, it creates a new set of cryptographic keys. These keys can be disabled individually, which means if a device's keys are compromised, you can disable those keys without affecting your other devices.
Each device atSign can be used for multiple devices and so each device needs a unique name.
Example snake case device names
Includes stable and beta releases
We recommend choosing a release from stable, if there's one available that's supported on your platform.
Our dedicated desktop app is preferred in most cases.
This includes all binaries for NoPorts.
These releases are subject to potential instability or breaking changes as we mature the product-line.
Using ssh-keygen
SSH uses keys to authenticate as well as having a fallback of using passwords, but using keys is easier and more secure than "mypassword!". If you already are a seasoned user of SSH then you might have keys already, but if not, then on the client machine you can create a key pair using ssh-keygen.
Example ssh-keygen command to create SSH Key Pair
Learn how to use NoPorts. This guide covers some of the things you can run via NoPorts, as well as how to set up the NoPorts Tunnel (npt).
If you have a specific use case, we may already cover the steps you need to take. Check out these guides.
If your primary use case involves more than just SSH, start here, or check out some of our use cases below.
If your primary use case is SSH, start here. We also recommend the ssh config integration for a seamless experience.
This guide covers the basics to understanding the parameters of npt and invoking npt.
The NoPorts Tunnel or npt for short, provides an end to end encrypted TCP Tunnel without the need for inbound port rules on client or device machines.
This argument is the client address, a.k.a. the from address, since we are connecting from the client.
This argument is the device address, a.k.a. the to address, since we are connecting to the device.
This argument is the device name, which works in tandem with --to to allow multiple devices to run sshnpd under a single device name. By default, this value is "default", so unless you named your sshnpd device the same thing, you will need to include this parameter. For example:
This argument is the address of the socket rendezvous used to establish the session connection. Atsign currently provides coverage in 3 regions, use whichever is closest to you:
Americas
Europe
Asia-Pacific
This argument is the port you are connecting to on the device side.
This argument is mandatory.
It is important to make sure the port you are connecting to is included in the list of permitted ports on the device side. (--permit-open, --po)
This argument is the port you are connecting to on the client side.
This argument is optional, but suggested.
It is important to make sure the port you are connecting to is not a restricted port.
An example of a complete command might look like this:
Here are some guides where we demonstrate how to use the NoPorts Tunnel to run some common TCP Services without opening any ports.
This argument is the remote host. It is NOT required, this options defaults to localhost.
This argument, forks the srv when connected.
This argument defaults to true. It is used for when you want to run only one client at a time.
This argument defaults to ~/.atsign/keys, where your keys are stored.
Please see the to proceed.
Or if you installed as root:
The first line of output should contain the version information:
Or if you installed as root:
The first line of output should contain the version information:
You can , or see the table below to download the latest release for your platform.
x64:
arm64:
arm:
risc-v:
x64 (intel):
arm64 (apple):
x64:
If you don't own a pair of noports addresses, please visit before continuing.
sshnp is ready to go, you can now proceed to , or if you've already done that, checkout our .
Please see the to proceed.
The first line of output should contain the version information:
The first line of output should contain the version information:
The first line of output should contain the version information:
First, use this command to locate the sshnp binary:
The command should output the location of the binary which is on the PATH. Try deleting this binary then rerunning the installer.
First, use this command to locate the sshnp binary:
The command should output the location of the binary which is on the PATH. Try deleting this binary then rerunning the installer.
Since Windows doesn't include a dedicated installer, upgrading should be as simple as moving the new binary to wherever you installed the previous one.
This is a generic cloud-init guide, we also have some below
Make sure to replace <REPLACE_client> with your client atSign
Make sure to replace the appropriate values:
<REPLACE_client> with your client atSign
<client_device_name> with a unique name for the device
<PASSCODE> with the passcode from Step 1
NoPorts software needs to be installed on both the machine you are going to connect to (device) and the machine you are going to connect from (client). NoPorts uses as addresses and you will need two, one for the client and one for the device
If you don't own a pair of atSigns/addresses, please visit before continuing.
The device name is limited to alphanumeric (lowercase alphanumeric separated by _ ) up to 36 characters.
In most cases, you will want to see our page. Here, we've provided a list of all of our releases for visibility, but these links do not provide installation information.
If your use case is primarily SSH, we recommend using sshnp from the section.
x64
sshnp-macos-x64.zip (intel)
arm64
sshnp-macos-arm64.zip (apple)
arm
risc-v
Windows
MacOS
Linux
x64
sshnp-macos-x64.zip (intel)
arm64
sshnp-macos-arm64.zip (apple)
arm
risc-v
Windows CLI Client / Device Installer
-f, --from
The client address, a.k.a. the from address, since we are connecting from the client.
-t, --to
The device address, a.k.a. the to address, since we are connecting to the device.
-r, --rvd
The address of the socket rendezvous used to establish the session connection. Atsign currently provides coverage in 3 regions, use whichever is closest to you: (@rv_am for Americas, @rv_eu for Europe, @rv_ap for Asia/Pacific)
-d, --device
Allows multiple devices to run sshnpd under a single device name.
-p, --rp
The port you are connecting to on the device/remote side. This port must be included in the --permit-open list. Read more about --permit-open.
-l, --lp
0
The port you are connecting to on the client/local side. Defaults to any unused port.
-h, --remote-host, --rh
localhost
Used if you want to bind to another host on the remote machine.
-x, --exit-when-connected
false
Instead of running the srv in the same process, fork the srv, print the connected local port to stdout, and exit the program.
--[no-]pss, --[no-]per-session-storage
true
Use ephemeral local storage for each session. It enables you to run multiple local clients concurrently. However: if you wish to run just one client at a time, then you will get a performance boost if you negate this flag.
-k, --key-file, --keyFile
~/.atsign/keys
Path to this client's atsign key file.
NoPorts daemon `sshnpd` additional configuration
Specify the .atKeys file for the -a, --atsign atSign if it's not stored in ~/.atsign/keys
When set, will update authorized_keys to include public key sent by manager.
Hides the device from advertising its information to the manager atSign. Even with this enabled, sshnpd will still respond to ping requests from the manager. (This takes priority over the [now deprecated] -u / --un-hide flag).
More logging
What to use for outbound ssh connections.
[openssh (default), dart]
atDirectory domain
(Defaults to "root.atsign.org")
The name of this device's group. When delegated authorization is being used then the group name is sent to the authorizer service as well as the device name, this daemon's atSign, and the client atSign which is requesting a connection
(Defaults to "__none__")
Port on which sshd is listening locally on localhost
(Defaults to "22")
When --sshpublickey is enabled, will include the specified permissions in the public key entry in authorized_keys
(Defaults to "")
The permissions which will be added to the authorized_keys file for the ephemeral public keys which are generated when a client is connecting via forward ssh e.g. PermitOpen="host-1:3389",PermitOpen="localhost:80"
(Defaults to "")
Use RSA 4096 keys rather than the default ED25519 keys
[ssh-ed25519 (default), ssh-rsa]
Directory for local storage.
(Defaults to $HOME/.atsign/storage/$atSign/.npd/$deviceName/)
Comma separated-list of host:port to which the daemon will permit a connection from an authorized client. Hosts may be dns names or ip addresses.
(Defaults to "localhost:22,localhost:3389")
NoPorts client `sshnp` additional configuration
Specify the .atKeys file for the -f, --from atSign if it's not stored in ~/.atsign/keys
More logging.
The local port which will be forwarded to the remote sshd port. If this is set to "0", it defers to to the OS to assign an ephemeral port. (Defaults to "0")
The remote port which we expect sshd to be running on.
(Defaults to "22")
The username to use in the ssh session on the remote host.
(a.k.a. the user you want to sign in as)
The username to use for the initial ssh tunnel.
(a.k.a. the user running sshnpd)
Identity file to use for the ssh connection.
Passphrase for identity file.
Send the ssh public key to the remote host for automatic authorization.
Number of seconds after which inactive ssh connections will be closed
(Defaults to "15")
Additional ssh options which are passed to the ssh program.
Enable this flag to pass the -o, --local-ssh-options to the initial ssh tunnel instead of the ssh session.
Which ssh-client to use, openssh (default) or dart.
Request is to a legacy (< 4.0.0) noports daemon.
Output the ssh execution command instead of executing it.
Pass command line arguments via an environment file.
List devices which have discovery (-u) enabled.
How to integrate NoPorts into your native Linux and macOS ssh configuration
This guide will help you setup NoPorts in your ssh configuration. Once setup, you will be able to ssh to machines using NoPorts the same way you would for a normal ssh host. As this is integrated with the SSH configuration, it will also work with other applications that support SSH proxying.
Once you've setup your configuration, you will be able to SSH over NoPorts just like any other host, using your own custom hostnames for devices.
For example, with a device called my_lab:
The following is a template for adding an sshnp connection to your ssh config for ease of use:
You need to replace the values surrounded with <> on lines 1 & 7 with your own values.
host is any valid hostname you would like, this is what you will use to invoke your ssh command, so make sure it's easy to remember and type.
username is the username on the remote machine you wish to login as.
The rest of the values are the normal arguments you would invoke with sshnp, see here for more info.
This example shows the configuration for the following equivalent sshnp command:
When you want to connect to this device, this is what you would type:
alice_device maps the the Host alice_device line.
You can add any additional ssh config to the file as you normally would, for example a TCP forwarding:
You can also add any additional flags to the ssh command, for example a TCP forwarding:
If you want to understand each line of the template, and what it does, read on.
<host> is the "nickname" you would use to connect to, e.g. ssh <host>.
Line 2 is mandatory due to the nature of how sshnp works, sshnp must connect over the loopback interface where the NoPorts tunnel was created.
Tell ssh to automatically add the ssh keys to the agent when we load them (we will load them on line 6)
Don't cache the connection to known hosts, since sshnp uses ephemeral ports, it is pointless to do so.
Because we are using ephemeral ports, it is useful to suppress strict host key checking.
The ssh key you would like to load and authenticate with (this is equivalent to ssh -i).
A proxy command, which first executes sshnp to determine the ssh proxy command which will be executed, fill in the arguments on this line as you would normally.
See sshnp Usage to learn more about filling in this line.
ControlMaster and ControlPath tell ssh to try to reuse existing ssh connections if you start up multiple. This means only the first connection will setup sshnp, the rest of the connections will use the tunnel that is already there!
This guide covers the basics to understanding the parameters of and invoking sshnp.
This argument is the client address, a.k.a. the from address, since we are connecting from the client. This argument is mandatory, in the form of an atSign. For example:
This argument is the device address, a.k.a. the to address, since we are connecting to the device. This argument is mandatory, in the form of an atSign. For example:
This argument is the device name, which works in tandem with --to to allow multiple devices to run sshnpd under a single device name. By default, this value is "default", so unless you named your sshnpd device the same thing, you will need to include this parameter. For example:
This argument is the address of the socket rendezvous used to establish the session connection. Atsign currently provides coverage in 3 regions, use whichever is closest to you:
In addition to the four main parameters, it is important to ensure that the appropriate SSH authentication keys are in place.
If you already have an SSH public key installed on the device, use -i to specify it. For example:
If you don't have an SSH public key installed on the device, and -s is enabled for the device, then sshnp can extract the SSH public key from the SSH private key, and send it to the daemon for you. This will automatically authorize your SSH private key. For example:
If you don't have any SSH public keys in place, you must install them yourself. Copy the SSH public key to ~/.ssh/authorized_keys on the remote device. For example:
Then use the associated private key, as mentioned under Pre-existing keys in place:
An example of a complete command might look like this:
*Note if the username on the remote machine is different than your local machine you will have to also use the -u flag and the -U flag with the remote username. For example, if the remote username is bocbc. If you used the -u flag when running the sshnpd daemon then you can safely omit the -U flag.
The rest of the configuration for sshnp is contained in a separate guide:
The NoPorts Tunnel (NPT) can carry a wide variety of TCP based protocols such as SFTP, RDP, SMB and HTTP(S).
How to manage tons of NoPorts SSH connections with Putty
This guide will help you setup some very minimal Python scripts to manage connections with NoPorts. In most cases only 4-5 lines of python will be required to setup a new device.
Python (version 3)
OpenSSH (acts as a proxy between NoPorts & PuTTY)
Once you've setup your configuration, you will be able to SSH over NoPorts by double clicking a simple shortcut. It will first launch NoPorts, then once NoPorts is started, it will setup your PuTTY session.
The base configuration contains all of the core logic for starting a PuTTY session over NoPorts. Copy this to the folder where you want to store all of your device configurations, name the file noports_base.py.
To setup a new device, create a new python (.py) in the same folder where you created noports_base.py. Then copy the following file:
If you have a bunch of devices that all use the same configuration values, then you'd want to put that in the noports_base configuration. However, there may be a few devices where you want to use a different value. You can simply override the value from your device profile:
Because all of the profiles need to be in the same directory as the noports_base.py file, you can't easily move those files around to organize them. To work around this, simply create shortcuts of all the device profiles, then you can move and rename those shortcuts around freely.
sshnpd is the daemon that runs on a device to facilitate access using NoPorts.
These mainly mirror the parameters from sshnp but there's one fewer as the socket rendezvous is only ever set by the client.
This argument is the device address, a.k.a. the to address, since this is the address that the device is associated with. This argument is mandatory, in the form of an atSign. For example:
This is the address of the client(s) that will be allowed to connect to the device. For example:
As an alternative to defining a list of managers a policy manager can be used, and the policy defined on that manager will describe which clients are allowed to connect. For example:
The device name. This is used to associate multiple devices with the same atSign. By default the value is default so unless you want that as the device name you will need to include this parameter. For example:
An example of a complete command might look like this:
The daemon should normally be run as a service so that it starts up automatically and can be restarted if it should fail.
Most mainstream Linux distributions use systemd to manage services, and we provide a systemd unit file that's configured by the universal installer. That file can be edited after installation to customize or add additional options. For distributions such as OpenWrt we provide config and init files that can be customized with a text editor or configured through the web admin interface.
The rest of the configuration for sshnpd is contained in a separate guide:
In this guide, we demonstrate how to use SSH NoPorts to SSH to a remote machine.
The command should look like:
Example:
If you don't have an ssh key uploaded on the remote machine, you can upload one by adding -s to the command:
Note: this feature can be disabled in sshnpd. If you get an error when using -s, it is likely that the administrator disabled this feature for security reasons.
In this guide, we demonstrate how to use the NoPorts Tunnel to mount a SMB share on a remote machine on 192.168.1.90 to localhost:9000 so we can access the SMB share service locally.
This guide covers usage of NoPorts with webpages or APIs.
Using sshuttle and SSH built in SOCKS proxy.
SSH is a hugely versatile tool for command line access, but what if you want a full IP tunnel, like a VPN?
SSH has you covered, with the use of two tools: the first is a built in SOCKS proxy; the second is an open source piece of code called sshuttle. With these two tools you can use your sshnp service as your own VPN.
Once you have SSH No Ports up and running, you will be able to connect to your device from anywhere on the Internet. You will notice that you did not have to open any ports to the Internet in order to connect. There is no access to the device from the Internet and yet you can connect.
To use sshuttle, we need to make sure that the SSH command itself can log in without any complex arguments. This requires two steps:
Create SSH keys: First, make sure that you have created SSH keys.
Place public keys on the remote device: Next, either:
Manual placement: Place the public keys directly on the remote device.
sshnpdflag: Or, use the -s flag of sshnp to place them on the remote sshnpd. That requires the -s flag to be enabled on the sshnpd service/config file.
Once the SSH keys are in place, you can put an entry in ~/.ssh/config to let SSH know which key to use to log into localhost. For example:
The next thing to do is install sshuttle on your machine. The GitHub page details this very well for both Linux and OSX machines.
Once sshuttle is installed, let's use it !
This is a two step process:
Connect to the device using sshnp: Add the -x flag. This flag prints out the SSH command that you can cut and paste to log into the remote device.
Establish the VPN: In another terminal window, run the sshuttle command to connect to the remote device. You'll need to tweak your IP routing to use this connection as a VPN. The important part is to use the port number that the -x flag gave you in the sshuttle command.
With this example, you can see that port 63155 was used in the sshuttle command. You do not need to SSH into the machine—you can just get the port number and use sshuttle. The choice is yours.
This can get a bit tedious to do every day so feel free to script for your environment. Here is an example bash script that does just that!
If you are using Windows, this is likely your best option unless you are comfortable setting up a virtual machine and using sshuttle.
All you need to do is add an option to the normal sshnp command and that will set up a local SOCKS proxy: -o "-D 1080" That's it!
This will set up a local SOCKS proxy on your machine that will forward requests to the remote device. In effect, you will be at home whilst away. To use this SOCKS proxy, you need to tell your browser or your Operating System. The Firefox browser is the simple choice, and in settings you can configure it as shown below:
Once you have setup Firefox, you can browse as if you were at home! On Windows and Mac, you can configure your SOCKS proxy in directly in the OS in settings. This works, but you have to remember to remove the setting once you have disconnected from the sshnpd session.
A flexible suite of policy management tools. Use a standalone database to store and manage policies using our administration interface, or integrate it with your existing policy database or service.
Common questions about NoPorts
Everything is in your control. There are no Web Interfaces or centralized control by us, as we never want to be an attack surface for your infrastructure. SSH No ports does not connect "networks," but provides on demand encrypted TCP connectivity to existing SSH daemons.
SSH No Ports is focused on providing end-to-end encrypted and authenticated access to a remote ssh daemon, bound to localhost.
SSH No Ports does not require any open (listening) ports on external interfaces, so there is no network attack surface on devices using SSH No Ports.
SSH No ports provide relays like Ngrok, but connections are authenticated then connected. Once connected, the connection is encrypted with ephemeral (AES256) keys that the relay never has or needs.
SSH No ports abstracts away the TCP/IP layer, so whilst IP address on the client or device may change, the command you use never does.
The relay ensures that connections from client and server are always outbound, removing the need for listening ports, firewall rules, and network attack surfaces on devices.
SSH No ports uses TCP sockets to communicate. "Hole punching" can work sometimes, but we decided to never do that. Using the relay, you know that SSH No Ports will always work and is friendly to both network admins and firewall rules.
For most customers our relay service is robust and placed regionally. The relay code is open and the binaries are part of the distribution, so you can place your own relay where it makes sense for your network.
In the unlikely event that a bad actor takes down an relay, the tool will indeed fail. Fortunately, we run multiple relays, so if one is down or unavailable, you can easily switch to another.
You do not need to open any inbound ports to connect out to the relay. However, the outbound traffic to the relay server does need to be open. Outbound access is, in most situations, automatically allowed so things just work. If you work in a location where outbound access is also controlled, then please contact us as we have options for for your IT team.
These costs are included in the SSH No Ports subscription.
SSH No Ports is similar to a reverse tunnel in that it has the remote device start an outbound SSH session. What makes SSH No Ports better than a reverse SSH tunnel is that you don’t need access to the device to initiate it. This means you don’t need to leave open ports when not in use (i.e. there are no network attack surfaces).
Yes. SSH No Ports uses the atProtocol which runs on TCP. In order for SSH No Ports to reach the device, the device must have an IP address. However, it does not need to be a static IP address, and SSH No Ports doesn't even need to know what the IP address is. So, even though it runs over TCP/IP, it does away with all the pain of finding and managing IP addresses.
To close port 22, edit /etc/ssh/sshd_config remove any lines containing ListenAddress and then add ListenAddress localhost on a new line. Then restart your sshd service (this varies by operating system, a quick web search will help you figure how to do it for your device).
If you have a question that needs answering, please do one of the following:
This guide provides information on the technical aspects of NoPorts, including its architecture, protocols, and security mechanisms.
There are four atSigns involved - one for each of
the noports daemon program (sshnpd) which runs on the device you want to ssh to
the noports client programs (sshnp/npt) which you run on the device you want to ssh from
the noports tcp rendezvous program (sshrvd)
if required a policy engine
The programs communicate via the atProtocol and the atClient SDKs; as a result, the payloads of the messages the programs send to each other are all end-to-end encrypted.
In brief
The client (sshnp/npt) creates a unique guid for the session
and sends a request notification to the sshrvd for a port1/port2 pair for this sessionId
The sshrvd
finds a pair of available ports
opens server sockets for both of them
Note: rvd will allow just a single client socket to connect to each server socket
and will bridge them together
sends response to the client
The client
receives the response notification from sshrvd (rv_host, rv_port_1, rv_port_2)
and sends a request notification to the sshnpd including the sessionId and the rv_host:rv_port_1 and a new ephemeral AES 256 key
The daemon (sshnpd)
opens a socket to the rv_host:rv_port_1 and authenticates
and opens a socket to its local sshd port
and bridges the sockets together whilst also encrypting data towards the rv_host
and sends a response notification to the sshnp client
The client
Listens on a specified port and on connection encrypts traffic received with the AES key and forward on to the rv_host
The client displays a message to the user that they may now ssh -p $local_port $username@localhost, i.e. ssh -p 58358 gary@localhost in the example above, and exits
This high-level flow is visualized in the diagrams below.
NB Requests from unauthorized client atSigns are ignored. Note that one may also completely prevent requests from any other atSigns ever even reaching the daemon by using the atProtocol's config:allow list feature.
In the personal edition of noports, a daemon may have only a single authorized client atSign.
The Team and Enterprise editions will allow for multiple authorized client atSigns, controlled not by the daemon but by a separate noports authorization controller process, with its own atSign.
At any point the sshnpd or the srvd software rather than using a local configuration to manage access rights, can forward those questions to another atSign. That atSign can in turn pass those queries to a policy engine and reflect the answer back to the asking atSign. In the example above @relay and/or @server could ask if @client is allowed to access the service. This allows decisions to be made at the Policy plane level and provides operational segregation of duties.
In the following sequence diagram, atServer address lookup flows, authentication flows, key exchange flows, precise encryption mechanics and notification transmission flows are not covered in detail; those details are provided in the links provided in the "Further Details" section below.
Since the full details are provided in those other links, the client_1 -> atServer_1 -> atServer_2 -> client_2 message flows are abbreviated to @atSign_1 -> @atSign_2 in the sequence diagram. Thus, for example, sshnp (@client) encapsulates both the sshnp program and the sshnp atServer
Once the interactions above have completed
the sshnpd nor the sshnp programs are no longer involved
there is a new sshrv process running on the device host which pipes i/o between requested server:port and $rv_host:$rv_port_1
there is a client process running on the client host which provides the local port forwarding tunnel
User may now type "ssh -p $local_port username@localhost" or use a client application like and RDP client with traffic flowing
client ssh program <===>
$client_localhost:$local_port <===> bridged by client-side ssh tunnel to
$rv_host:$rv_port_2 <===> bridged by sshrvd to
$rv_host:$rv_port_1 <===> bridged by device-side sshrv to
$device_host:22 <===>
device sshd program
In the sections above, we referred to "authentication", "sending notifications" and "receiving notifications", and we made the statement that "the payloads of the messages the programs send to each other are all end-to-end encrypted"
Here are some links to detailed diagrams covering
NoPorts connection establishment and architecture
How does this technology work? In the simplest explanation, NoPorts utilizes the atPlatform and atSigns to create an encrypted connection between devices over TCP/IP. An intriguing part of this technology is that TCP ports are not open on the endpoints, and the connection is completely invisible to prying eyes with no entry-point for cybersecurity attacks. Any device or application sitting behind NoPorts has no open ports, no static IP address required, and cannot be digitally hacked! This a huge leap forward in cybersecurity as there are no other solutions that can provide this level of system security. Pretty awesome right? We think so too! To further our understanding of how zero trust security is established via NoPorts, let’s briefly discuss the function of an atSign. Then, we can explore the connectivity process with easy to follow diagrams. An atSign is a resolvable address assigned to a device, person, an entire organization, or anything you like. For example, @alice could be an atSign for a person named Alice. An atSign is used to securely exchange information without any chance of surveillance, impersonation, or theft.
Now, let’s look at a diagram of a completed atSign/NoPorts connection between two devices.
In the diagram, you can see two devices connected with atSigns (@PointA and @PointB). The connection is established without having any open external ports on the client or remote machine and any TCP application can be setup to utilize a NoPorts connection. Because all ports are closed, the atSign encrypted tunnel is set up with outbound requests only which are sent to an atServer.
Now, let’s discuss what an atServer is and how it functions as part of the overall atPlatform topology. An atServer is responsible for managing identity and maintaining the key-value data store for each atSign. It performs cryptographic identity validation to ensure that each entity is who they claim to be, supporting secure interactions. It serves as a secure repository and only holds data that is either explicitly made public or data that is encrypted. The atServers cannot decrypt or view any encrypted data as they do not hold the keys to decrypt it. Each atSign utilizes a separate atServer, and the atServers complete the negotiation for setting up the connection between the endpoints.
Since we now have a basic understanding of atSigns and atServers we can take a look at a more comprehensive diagram and discuss further details about the atPlatform.
Connection Establishment
So, how exactly does a NoPorts connection get established and what are the steps? Let's look at a summary overview of each step in a NoPorts connection:
NoPorts Client @pointA sends a request to NoPorts Relay service @relay to ask for an IP address and a pair of ports to rendezvous with Remote Machine @pointB.
NoPorts Relay receives the request, allocates a pair of ports on the host it is running on, responds with its IP address and the pair of ports.
Client receives response from Relay
Client sends request to the Remote Machine to connect which includes session information, the client’s intent (such as destination TCP port 3389 on localhost), and the generated public key from an ephemeral asymmetric key-pair.
NoPorts Daemon on Remote Machine sends request to NoPorts Policy service @policy to determine whether or not @pointA is permitted to connect to @pointB on the specified localhost port.
Policy service looks up information accordingly and sends response back to the daemon on Remote Machine.
If request is not allowed, the daemon will not respond to the client, or send a not permitted response.
If request is allowed, the daemon generates a symmetric encryption key and a socket connection to the Relay IP address and port 2. Response is sent to the Client for ‘session started’ and includes the symmetric encryption key which is encrypted with the ephemeral public key which was previously sent by the Client.
NoPorts daemon on Remote Machine sends response to Client as ‘session started’.
Client receives response and creates a socket to the Relay IP address and port 1.
The Relay verifies the authentication strings and joins the authenticated sockets from the Client and Remote Machine.
NoPorts connection established.
And that's it! At this point, the real client application (e.g. RDP) can connect to a local port on the Client to be sent over the NoPorts connection for secure remote access to the Remote Machine.
To follow this guide, you will need to set up an SSH No Ports device (sshnpd)on your home network. For this, you could use a Raspberry Pi, an old PC running Linux, a virtual machine, or even a docker container—the choice is yours. You can get your No Ports free trial account and follow the to get started.
If you are happy with command line access only, great; but you might want to now use your SSH connection as a VPN and have a full IP tunnel. For this, is the perfect tool. However, if you are using Windows, then you will have to set up a local VM/Container. (If that sounds like too much, skip down to the section below on using SOCKS.)
The NoPorts Policy Service is currently in alpha status. with one of our engineers to become an alpha tester.
Additional encryption protects the request and rendezvous information (on the relay) that is sent from the client device to the remote device’s atServer and ultimately to the client. Without encryption, this information could be intercepted, and a bad actor could meet the client device at the socket rendezvous. This is precisely how the works. Using SSH No Ports mitigates any man-in-the-middle attacks like Terrapin.
You can use SSH No Ports (as it is) to RDP right now! While it is still not its own "RDP No Ports" product, you can run an SSH No Ports session in the background and append the -L SSH flag using the -o sshnp flag to forward the local RDP port 3389 on your desktop to a local port on your client. Here's a for more details. We are working on other No Ports products that will not be reliant on SSH.
Create a new
Join and post to our 📑|forum channel
(including how keys are exchanged)
What is NoPorts? NoPorts is a zero trust security tool that uses Atsign's atPlatform to initiate connections without opening ports on either of your devices. It creates a privacy-first environment, and completely removes network attack surfaces. NoPorts is already being used in the field to do things like , and enable .
If you've activated your client atSign on another device already, this step will not work. Instead, follow this guide: Reuse your client atSign on another machine
This command activates your atSign and prompts you to enter an OTP. This is only done during the setup of a brand new atsign.
at_activate will pause and wait for the input of a one time pin (OTP) sent to your email or phone number.
Once activated, the master keys will save at ~/.atsign/keys.
Run the following command
The following sequence diagram covers the "Happy path" for the startup of a NoPorts session. When a step fails with an error, then the client halts the process, all existing connections automatically timeout and shutdown after a short period of time.
Make the script executable and run the script.
Make the script executable and run the script.
To check if the installation downloaded correctly:
To check if the installation downloaded correctly:
This command activates your atSign and prompts you to enter an OTP. This is only done during the setup of a brand new atsign.
at_activate will pause and wait for the input of a one time pin (OTP) sent to your email or phone number.
Once activated, the management keys will be saved in ~/.atsign/keys.
How to install NoPorts onto an OpenWrt router.
First download the latest packages for your chosen architecture from our releases page.
We've created packages for x86_64, aarch64_cortex-a53, ramips and mips_siflower; but if your chosen architecture isn't there please let us know by opening an issue.
With the packages ready to go, sign into the web interface for your router and go to System> Software in the menu. Click on Upload Package and Browse to the csshnpd package you downloaded. Click Open then Upload and Install. Repeat that process with the luci-app-csshnpd package.
For the new menu to appear you'll need to Log out then sign in again.
You can now go to Network>NoPorts and fill out the config tab with your device atSign, manager atSign, device name and the OTP for key generation. Click the Enabled box then hit Save & Apply.
No go to the NoPorts Enrollment tab and follow the instructions there to generate a device key.
With the key in place navigate to System>Startup and Start the sshnpd service.
The releases page includes instructions for command line installation, though these may need to be edited to suit your system architecture.
Those command line snippets set some variables for the RELEASE number and PACKAGE name then use wget to download the package from GitHub.
Packages are installed using opkg install for OpenWrt 24.10 and earlier releases that use .ipk type packages, or apk add for newer OpenWrt which uses .apk packages.
For example, to install c1.0.3 on a Teltonika RUTX10 device, which uses the arm_cortex-a7_neon-vfpv4 architecture:
Now edit /etc/config/sshnpd to use your atSigns, device name and device atSign OTP:
Run at_enroll.sh on the device. It will ask you to approvement the enrollment on your client (where you previously activated the atSigns and generated the OTP):
On the device you should see a message saying enrollment is complete, and that the .atKeys file has been written.
Now start the sshnpd service:
And you should be ready to connect to the device:
