"Warning: The URL is the only authentication. Anyone with the link has full terminal access."
Could you make it so the URL is one-use only, such that once you've scanned it with your phone you can stop worrying because anyone else who uses it won't be able to start a session?
It is indeed disposable and the prefix is like your secure key. It is safe unless someone has access to your screen. I can add an option to permit a single session.
> it is safe unless someone has access to your screen
It's not, because the "secure key" is only in the domain name, which is transmitted in the clear via SNI. That means anyone along the network path can get the key, and therefore can get access to your terminal.
And the domain shows up in CT logs too.
I would argue that it should be the default option. Cool idea!
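One way the single-session option discussed above could work, as an added example that is not the project's own code: the link token is redeemed exactly once, within a short time limit, and is exchanged for a session secret that the first client keeps. The names `SingleUseLink`, `redeem` and `authorize` are hypothetical, and the token is assumed to travel in the URL path rather than in the hostname.

```python
import hashlib
import hmac
import secrets
import threading
import time


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


class SingleUseLink:
    """Hypothetical one-time link: first redeemer gets the only session."""

    def __init__(self, ttl: float = 120.0, clock=time.monotonic):
        self._clock = clock
        self._deadline = clock() + ttl
        self._lock = threading.Lock()
        self.token = secrets.token_urlsafe(32)   # shown once, e.g. in the QR code
        self._token_hash = _digest(self.token)   # only hashes are kept for checks
        self._session_hash = None

    def redeem(self, presented: str):
        """Exchange the link token for a session secret; works once, before expiry."""
        matches = hmac.compare_digest(_digest(presented), self._token_hash)
        with self._lock:  # two simultaneous scans must not both succeed
            if not matches or self._session_hash is not None:
                return None
            if self._clock() > self._deadline:
                return None
            session = secrets.token_urlsafe(32)
            self._session_hash = _digest(session)
            return session  # set as an HttpOnly, Secure cookie by the server

    def authorize(self, cookie: str) -> bool:
        """Later requests are accepted only with the session secret."""
        with self._lock:
            expected = self._session_hash
        return expected is not None and hmac.compare_digest(_digest(cookie), expected)


if __name__ == "__main__":
    link = SingleUseLink()
    first = link.redeem(link.token)
    print("first scan gets a session:", first is not None)
    print("second use of the same link:", link.redeem(link.token))
```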
I can recommend tailscale for creating private networks. It has a generous free tier and would reduce the attack surface considerably compared to ngrok
Better yet would be setting up your own wireguard instance and not relying on free lunches. But as far as free lunches go tailscale would be my preferred option
Headscale is a good middle option - it uses Tailscale’s DNS system but you are able to control your network as you would with Wireguard
tailscale has a much better chance to work when you need it most. WireGuard is blocked by too much stuff.
Tailscale uses wireguard.
What it provides is an opinionated configuration management - which is admittedly great which is why I use it as well, but it's nonsensical to say tailscale works in places where wireguard is blocked.
You're likely just noticing the preconfigured NAT traversal which tailscale provides and never set one up yourself, as you'd need a static IP for that and it's unconfigured by default.
> it's nonsensical to say tailscale works in places where wireguard is blocked
I have two machines on my desk, I configure a wg service on both. I also configure tailscale on both. Everything works.
I move one machine to another network, at a friend's place.
Wg does not work anymore. Tailscale works. So this is very much sensible to say what GP said.
Now, you can have all kinds of explanations about why wg does not work and ts does, you know STUN, DERP, ts using wg under the hood, and whatnot but the facts are cruel: I cannot wg to my machine, but I can ts.
I was just pointing out that the statement wrt "wireguard being blocked while tailscale works" is nonsensical.
It remains nonsensical no matter how uninformed the user may be - even if he's proud of being such, as you seem to be.
This was not a discussion about what tool to use if the person doesn't know about networking and is generally ... "less technical".
Right, it’s that specific person’s Wireguard configuration, which is likely a typical one as a result of Wireguard’s defaults. Tailscale’s defaults work better, hence the surface-level impression that plain Wireguard does not work in cases in which Tailscale does.
As I said above - how would you set up plain Wireguard in a place without the possibility of exposing a port, or even that does not have a public IP - and initiate the connection from outside that place? I would love to learn something. Without rebuilding tailscale (or whatever other solutions with STUN or whatnot).
I think you're not hearing what - at least I - was saying.
I never said that running the same connectivity and NAT traversal via 2 nodes which are both inside of a NAT is possible. Neither did I ever claim you don't need a static public IP which _isn't_ behind a NAT / has an open port.
With Tailscale, these are being provided to you by them. Without them, you would have to maintain that yourself. This is a significant maintenance burden, which is why I - as in my very first comment you yourself responded to - pointed out that the service they're providing is great and that I use it myself for that as well.
Nonetheless, _if wireguard was blocked, tailscale wouldn't work either_
But it's not blocked. Hence tailscale works. Just like wireguard would work, if you configured NAT traversal in some way. To get that working, you have multiple options, one of these being the STUN server. Another being an active participant in the VPN which facilitates the connection (not just the initiation, which the STUN server would be doing). Easier to configure and maintain, but less performant.
Tailscale themselves actually have an incredibly in-depth article on how they've implemented it on their end, it's a little aged at this point, but I suspect they haven't changed much (if any) since
https://tailscale.com/blog/how-nat-traversal-works
> even if he's proud of being such, as you seem to be
Of course on Internet nobody knows you are a dog. But hey, I may be someone who wrote a part of the Linux kernel in 1994, ran IT operations for a company that was big (big!) and then almost vanished (not my fault :)) and produces open source that you may have even used if you are "technical" as you say.
And set up WG in so many places, including a frontend that unfortunately did not get the worldwide success it should have :)
With this modest introduction - tailscale works where wireguard does not. I am not sure why my example was not obvious. You can reach the machine at my friend's with tailscale, not with plain wireguard. Of course if you open ports in the right places then yes! And check a few more things.
Now - how would you set up plain Wireguard in a place without the possibility of exposing a port, or even that does not have a public IP - and initiate the connection from outside that place? I would love to learn something. Without rebuilding tailscale (or whatever other solutions with STUN or whatnot).
I’ve never noticed wireguard be blocked by something, have you experienced this?
Many times in public/hotel wifis. It's usually places which blanket ban UDP and allow TCP 80 and 443 exclusively. Tailscale somehow manages to get a connection.
This is great. If you’re skeptical, vibe coding on the go is great because of how async the agentic coding workflows can be. Nothing like fixing a bug in the dentist office.
Lots of different technical solutions for how to do this, including the Claude and ChatGPT mobile apps nowadays. I use Tailscale. Choose what works best for you and enjoy.
> I wanted to vibe code from bed.
In this case, I think using Termux + SSH would be more convenient and compatible with all devices running sshd.
Yes but that's boring. Look at this it has cool ASCII and a QR. At this point no typing, just vibe-voice ask to build the thing and fix the error. Then we can have some tea, earl grey, hot.
I don't know if "more convenient" would be the words I would use. Setup on this project is very easy, it has very straightforward instructions. Meanwhile, I did a quick 5 minute pressure test of what you suggested and found myself with more questions than answers. I am not saying one way is better than the other, I am just thinking that for those that don't breathe SSH/VPN/Wireguard/Terminal Emulators/etc.. this project is actually far easier to understand.
Also, funny enough on compatibility, but "Termux" is not on iOS, so it fails that basic check. But there's alternatives, of course. Just an observation.
Also https://github.com/chriswritescode-dev/opencode-manager is getting there with a proper interface.
Love it, I've been looking for something like this for a while now. But please add a password to it if you have the time. I might chip in by next if you're open to contributions.
I actually thought about it. Will be added in a future release.
uvx ptn -p for a one-time disposable pwd!
Genuine question here: How is this better than a mobile SSH client + something like Tailscale or Yggdrasil?
fast and disposable? (btw it also works like a tmux with UI)
Agreed. I already use Termux for Claude code via ssh in my phone, but I'm nevertheless excited to try this.
I wanted a secure solution, that still can be run in one command, and came up with this, https://gist.github.com/thomasht86/86f0f8f62db1839054abd8a7e...
This command:
Doesn't work for Linux Mint 22.2. What you want is UBUNTU_CODENAME from /etc/os-release (in the case of Linux Mint 22.2, it's "noble").
EDIT: Actually, I'm not even sure you can do $(command) inside /etc/apt/sources.list.d/*
Try again. I don't have mint instance to test, but should work now.
I had already fixed the sources file manually, but the "any" distro should probably work as well (I put "noble" when I did the manual edit).
Thanks though for the fix.
I like this but I hate how everything has to be tied to AI now to get attention. “I wanted to vibe code-” who cares? It’s a neat tool, do we have to force AI into it?
It’s the tool’s use case, which provides valuable background information about its technical choices.
Normally we get a few "but why would you make this?" comments. Maybe let's not discourage people who actually give us the answer upfront.
Very cool, indeed.
One nit-pick: Terminus requiring a lot of setup work:
Terminus is trivial to use with a rented VPS. But, ptn solves a different problem
I’m also vibing from the iphone. Termius connects via ssh to remote server where I run claude code. Ssh connects also over a wireguard connection. So ports are not an issue because they are all available via wg in a secure way. Additionally I have code server running there automatically port forwards and giving me ssl. So when I run “pnpm dev” in tmux in ssh then I access it via https://3000.dev.mydomain.com which works great for development.
Can you speak more to the code server and domain set up? How do you get it to auto provision subdomains?
Sure, code-server is a web version of vscode, like the github spaces thing only selfhosted.
I have acme.sh creating the certs using let’s encrypt. I have a reverse proxy (haproxy) in front of code server. This handles ssl.
The port forwarding and mapping to a subdomain is automatic - it’s a feature of code server: https://coder.com/docs/code-server/guide
From the docs: code-server --proxy-domain <domain>
Thanks for the details!
Love it.
Laziness - the mother of (most) invention.
Further information concerning tunneling protocols, sshd/ssh is accessible in the man site:
[1]: https://man.openbsd.org/sshd.8
[2]: https://man.freebsd.org/cgi/man.cgi?ssh