You’re away from your desk - at a coffee shop, commuting, on the couch - and something is running on the machine back home: a long build, a test suite, a deployment, an AI coding agent. You want to check on it, type a command, or just watch the output. But the terminal is on that machine, and you’re not.
Here’s how people usually solve this, why most of those options hurt, and a cleaner pattern that needs no port forwarding at all.
The options people reach for (and the catch with each)
- Open port 22 / forward SSH. Exposes your machine to the public internet, invites brute-force attempts, and needs router and firewall changes you may not even control.
- Run a VPN (WireGuard, Tailscale, etc.). It works, but it adds a network layer to install and maintain on every device - and you still need an SSH client to actually get a shell.
- Dynamic DNS + firewall rules. Fiddly, fragile, and one more thing to babysit.
- VS Code tunnels. Fine if you live in VS Code, but it couples you to the editor and isn’t a plain terminal.
Every one of these makes you responsible for poking a hole into your home network.
A better shape: outbound-only agent + relay
Instead of opening an inbound port, flip the direction. A small agent on your machine makes an outbound connection to a relay - the same direction your browser uses to load a website, which firewalls already allow. Your phone connects to that relay too, and the relay brokers the session between them.
Your phone ──► Relay ◄── Agent on your machine
(browser)     (broker)   (outbound only)
No inbound ports. No port forwarding. No VPN. Your machine reaches out; nothing reaches in.
Doing it securely on Windows
Remote Terminal Bridge is one implementation of this pattern for Windows:
- Install the bridge from the Microsoft Store. It lives in your tray and connects outbound to the relay - you can set it to autostart and autoconnect, so it’s always ready.
- Sign in with Microsoft Entra ID - required for both the bridge and the web terminal.
- Open a browser on any device, sign in, and you get a real PTY session: full color, mouse, status line, the works, rendered with xterm.js.
Because it’s a real pseudo-terminal, interactive TUIs behave exactly as they do at your desk - not a dumbed-down web shell.
The security model, specifically
- No inbound ports - the connection is outbound-only from your machine.
- Authenticated - Microsoft Entra ID sign-in is required on both the bridge and the browser.
- Encrypted - traffic flows over an encrypted connection.
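A minimal sketch of the outbound-only agent + relay pattern and the both-sides authentication rule described above, added here as an illustration; it is not Remote Terminal Bridge's code or protocol. The token table, the one-line token handshake, the status strings and the echo-only agent are constructed assumptions. The relay pairs a browser with an agent only when both present tokens for the same user.

```python
import asyncio

# Constructed demo tokens -> (user, role); an assumed stand-in for real sign-in.
TOKENS = {"agent-tok-alice": ("alice", "agent"), "web-tok-alice": ("alice", "client"),
          "web-tok-bob": ("bob", "client")}
parked = {}  # user -> (reader, writer) of an agent connection waiting at the relay

async def pump(src, dst):
    while data := await src.read(4096):  # copy one direction until EOF
        dst.write(data)
        await dst.drain()
    dst.close()

async def relay(reader, writer):  # both peers dial in; the first line is a token
    user, role = TOKENS.get((await reader.readline()).decode().strip(), (None, None))
    if role == "agent":  # park the agent's outbound connection under its user
        parked[user] = (reader, writer)
    elif role == "client" and user in parked:  # same identity on both legs
        a_reader, a_writer = parked.pop(user)
        writer.write(b"PAIRED\n")
        await asyncio.gather(pump(reader, a_writer), pump(a_reader, writer))
    else:  # unknown token, or a valid user with no agent of their own
        writer.write(b"NO-AGENT\n" if user else b"DENY\n")
        await writer.drain()
        writer.close()

async def agent(port):  # stand-in for the desktop agent; it never listens
    r, w = await asyncio.open_connection("127.0.0.1", port)
    w.write(b"agent-tok-alice\n")
    w.write((await r.readline()).upper())  # echoes one line; no shell involved
    w.close()

async def browser(port, token, text=b""):
    r, w = await asyncio.open_connection("127.0.0.1", port)
    w.write(token.encode() + b"\n" + text)
    status, reply = await r.readline(), await r.readline()
    w.close()
    return status.decode().strip(), reply.decode().strip()

async def demo():
    server = await asyncio.start_server(relay, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    task = asyncio.create_task(agent(port))
    while "alice" not in parked:  # wait until the agent has dialled out
        await asyncio.sleep(0.01)
    out = [await browser(port, "stolen-guess"), await browser(port, "web-tok-bob"),
           await browser(port, "web-tok-alice", b"uptime\n")]
    await task
    server.close()
    return out
```

In this sketch the relay forwards plaintext bytes, so it is the component that must enforce identity on both legs; the only listening socket belongs to the relay, never to the agent's machine.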
What it’s good for
- Checking long builds, test suites, or ML training runs from anywhere
- Tailing logs while you’re out
- Watching and steering AI coding agents like Claude Code, Copilot CLI, and opencode
That last one is increasingly the killer use case - more on it in "Keep Claude Code running while you’re away".