Reach your computers, servers, terminal, files, and code editor from any browser — through secure direct connections. Nothing listens on the public internet. No VPN to run. No port to forward.
Desktop, terminal, file transfer, and code editing — directly from your browser.
Pick up exactly where you left off — desktop, terminal, files — from any browser. No tunnels to babysit, no IP to remember.
Drag and drop files between your laptop, desktop, and servers. Transfers go directly, encrypted, at full local speed.
Open your projects in a full editor running against the real filesystem. No syncing, no remote IDE, no setup.
Built from the ground up for security, performance, and simplicity.
AES-256-SIV encryption between host and client with keys derived via HKDF-SHA256. The relay server is cryptographically excluded — your terminal data stays private whether routed via P2P or relay fallback.
After authentication, a direct P2P data channel is established via WebRTC data channels. Terminal data bypasses the relay server entirely for minimal latency.
Secure Remote Password protocol ensures no password is ever transmitted. Mutual proof exchange verifies both sides without exposing credentials.
Written in C with minimal dependencies. Low memory footprint, instant startup, and efficient binary protocol with sub-millisecond overhead.
Multiple concurrent PTY sessions over a single connection. Efficient resource usage with unique session routing and zero extra transport overhead.
Bidirectional chunked file transfer over P2P or relay. SHA-256 integrity verification, and full E2E encryption on every byte. A complete file manager API with a web client.
XShell does not rely on any single layer for protection. Transport, channel, application, and authentication each operate independently — compromising one does not weaken the others. Defense in depth by design.
All WebSocket connections secured with WSS. Server certificate verification and MITM protection.
WebRTC data channels secured with Datagram TLS. Signaling integrity protected by authenticated E2E channel.
Terminal data encrypted end-to-end using AES-256-SIV. Encryption keys are derived via HKDF-SHA256 from the SRP session key, combined with dual nonces (host + client) and host ID context, ensuring mutual freshness and preventing key prediction or replay.
Zero-knowledge password proof. Mutual verification without transmitting credentials in any form. No stored plaintext secrets. Resistant to passive and active interception.
Zero-Knowledge Relay: The relay server is cryptographically incapable of decrypting session data. Every encrypted packet includes a monotonic continuity counter for replay protection and authenticated message framing for tamper detection.
XShell is not a VPN, not an access proxy, and not a tunnel service. It is a purpose-built P2P terminal and file access solution with a fundamentally different security model.
| Feature | XShell | Tailscale | Teleport | CF Tunnel | WireGuard |
|---|---|---|---|---|---|
| Primary Model | Direct P2P terminal | Mesh VPN | Access proxy | Reverse tunnel | Layer-3 VPN |
| Requires VPN | No | Yes | No | No | Yes |
| Port Forwarding | Not needed | No | No | No | Depends |
| Direct P2P | Yes (preferred) | Yes | No | No | Yes |
| Relay Fallback | E2E preserved | DERP relay | N/A | Always proxied | No |
| Post-Transport E2E | AES-256-SIV | Transport only | Transport only | Transport only | Transport only |
| Zero-Knowledge Relay | Yes | Yes (DERP cannot decrypt) | No (proxy terminates TLS) | No (terminates at edge) | N/A |
| Zero-Knowledge Auth | SRP-6a | No (OIDC) | No (IdP/cert) | No | No |
| Attack Exposure Model | Single controlled execution channel (PTY) | Network-level access (subnet routing) | Proxy-mediated access control | Edge-proxied service exposure | Network-level access |
| Scope | Terminal / File | Full network | Infra platform | HTTP services | Full network |
Install XShell in seconds using your system package manager. Add the repository and install with a single command.
XShell is currently in active development.
# Add the XShell signing keycurl -fsSL https://pkg.xshell.online/keys/xshell.asc \ | sudo gpg --dearmor -o /usr/share/keyrings/xshell.gpg# Add the XShell repositoryecho "deb [signed-by=/usr/share/keyrings/xshell.gpg] https://pkg.xshell.online/apt stable main" \ | sudo tee /etc/apt/sources.list.d/xshell.list# Installsudo apt updatesudo apt install xshell# Add the XShell signing keysudo rpm --import https://pkg.xshell.online/keys/xshell.asc# Add the XShell repositorysudo tee /etc/yum.repos.d/xshell.repo >/dev/null <<'EOF'[xshell]name=XShellbaseurl=https://pkg.xshell.online/rpm/el/8/$basearchenabled=1gpgcheck=1repo_gpgcheck=0gpgkey=https://pkg.xshell.online/keys/xshell.ascEOF# Installsudo dnf install xshell# Add the XShell tapbrew tap xshelld/xshell# Installbrew install xshell# Log in to enroll your first device and start using the web client and workspaces
Sign in to access the web terminal, manage your devices, and start secure remote sessions.
Log In to XShell