Access any servers, IoT devices, embedded systems, or workstations from anywhere using WebRTC peer-to-peer data channels with WebSocket signaling and end-to-end encryption. No VPN, no port forwarding, no exposed services — just a secure, direct connection.
XShell is a three-component system: a Host that spawns PTY sessions, a Signaling Server for connection brokering, and Clients that connect securely — via CLI or web browser.
Runs on the target machine. Spawns an interactive PTY shell, handles SRP authentication, and bridges encrypted I/O to the network.
Lightweight signaling relay. Pairs hosts and clients by ID, forwards encrypted traffic when P2P is unavailable, and relays WebRTC signaling.
CLI or web-based terminal. Connects via WSS, authenticates with SRP-6a, and establishes a direct WebRTC P2P channel for zero-relay device access.
Built from the ground up for security, performance, and simplicity.
AES-256-SIV encryption between host and client with keys derived via HKDF-SHA256. The relay server is cryptographically excluded — your terminal data stays private whether routed via P2P or relay fallback.
After authentication, a direct P2P data channel is established via WebRTC data channels. Terminal data bypasses the relay server entirely for minimal latency.
Secure Remote Password protocol ensures no password is ever transmitted. Mutual proof exchange verifies both sides without exposing credentials.
Written in C with minimal dependencies. Low memory footprint, instant startup, and efficient binary protocol with sub-millisecond overhead.
Multiple concurrent PTY sessions over a single connection. Efficient resource usage with unique session routing and zero extra transport overhead.
Bidirectional chunked file transfer over P2P or relay. SHA-256 integrity verification, and full E2E encryption on every byte. A complete file manager API with a web client.
After SRP-6a authentication, the client initiates a WebRTC peer-to-peer data channel. Once established, the relay server is completely removed from the data path.
All terminal I/O and file transfers flow directly between host and client via DTLS-secured WebRTC data channels. The relay server handles only initial signaling. E2E encryption remains active at the application layer.
If P2P negotiation fails (symmetric NAT, firewall) and the TURN is not configured, the system transparently falls back to the WSS relay path. E2E encryption is maintained regardless. No security downgrade, no key renegotiation exposure.
WebRTC signaling (SDP offers, answers, ICE candidates) is exchanged inside the E2E encrypted channel after authentication. The relay server cannot read or tamper with DTLS fingerprints or session descriptions.
XShell does not rely on any single layer for protection. Transport, channel, application, and authentication each operate independently — compromising one does not weaken the others. Defense in depth by design.
All WebSocket connections secured with WSS. Server certificate verification and MITM protection.
WebRTC data channels secured with Datagram TLS. Signaling integrity protected by authenticated E2E channel.
Terminal data encrypted end-to-end using AES-256-SIV. Encryption keys are derived via HKDF-SHA256 from the SRP session key, combined with dual nonces (host + client) and host ID context, ensuring mutual freshness and preventing key prediction or replay.
Zero-knowledge password proof. Mutual verification without transmitting credentials in any form. No stored plaintext secrets. Resistant to passive and active interception.
Zero-Knowledge Relay: The relay server is cryptographically incapable of decrypting session data. Every encrypted packet includes a monotonic continuity counter for replay protection and authenticated message framing for tamper detection.
XShell is not a VPN, not an access proxy, and not a tunnel service. It is a purpose-built P2P terminal and file access solution with a fundamentally different security model.
| Feature | XShell | Tailscale | Teleport | CF Tunnel | WireGuard |
|---|---|---|---|---|---|
| Primary Model | Direct P2P terminal | Mesh VPN | Access proxy | Reverse tunnel | Layer-3 VPN |
| Requires VPN | No | Yes | No | No | Yes |
| Port Forwarding | Not needed | No | No | No | Depends |
| Direct P2P | Yes (preferred) | Yes | No | No | Yes |
| Relay Fallback | E2E preserved | DERP relay | N/A | Always proxied | No |
| Post-Transport E2E | AES-256-SIV | Transport only | Transport only | Transport only | Transport only |
| Zero-Knowledge Relay | Yes | Yes (DERP cannot decrypt) | No (proxy terminates TLS) | No (terminates at edge) | N/A |
| Zero-Knowledge Auth | SRP-6a | No (OIDC) | No (IdP/cert) | No | No |
| Attack Exposure Model | Single controlled execution channel (PTY) | Network-level access (subnet routing) | Proxy-mediated access control | Edge-proxied service exposure | Network-level access |
| Scope | Terminal / File | Full network | Infra platform | HTTP services | Full network |
Install XShell in seconds using your system package manager. Add the repository and install with a single command.
XShell is currently in active development. Stable repositories will be published with the first production release.
# Add the XShell repository
echo "deb https://pkg.xshell.online/apt stable main" | sudo tee /etc/apt/sources.list.d/xshell.list
curl -fsSL https://pkg.xshell.online/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/xshell.gpg
# Install
sudo apt update && sudo apt install xshell
# Add the XShell repository
sudo dnf config-manager --add-repo https://pkg.xshell.online/rpm/xshell.repo
# Install
sudo dnf install xshell
# Add the XShell repository
sudo yum-config-manager --add-repo https://pkg.xshell.online/rpm/xshell.repo
# Install
sudo yum install xshell
# Add the XShell tap
brew tap xshell-online/xshell https://pkg.xshell.online/homebrew
# Install
brew install xshell
# Generate host configuration interactively
sudo xshell -i
# Start the host service
sudo systemctl restart xshell
# Connect from another machine via CLI
xshcli -d <device_id>
# Or log in to use the web client and workspaces
Sign in to access the web terminal, manage your devices, and start secure remote sessions.
Log In to XShell