Burrowee Docs

Appearance

What is Burrowee

Burrowee is an end-to-end-encrypted remote-access service. You run a small gateway program on a machine you own — a home workstation, an office box, a server. The gateway dials out through Burrowee's relay network and becomes a private doorway into that machine. From anywhere else, you reach back through that doorway with the CLI or a browser. The relays in the middle move encrypted bytes they cannot read.

There is nothing to port-forward, no firewall to open, and no VPN to configure. The gateway only ever makes outbound connections.

The five components

Gateway

The gateway is the piece you install on the machine you want to reach. It connects outward to a relay and stays connected. When you ask for something on that machine — a web app, an SSH login — the gateway decrypts your request, talks to the local service, and encrypts the reply. It is the only component that ever sees your traffic in the clear. It also runs a small local web console on the machine itself, where you manage what is exposed.

Relay

A relay is a forwarder that both sides connect to. Your client connects in, your gateway is already connected out, and the relay matches them up and shuttles bytes between them. Burrowee operates a shared fleet of relays, so you never need a public address of your own. A relay forwards ciphertext only — it cannot read what passes through it.

Edge

An edge is a relay you host yourself. You run it on your own server (or even a machine on your LAN), bind it to your account, and your gateways and clients use it instead of — or alongside — the shared fleet. That lets you serve traffic from your own domain, keep data on your own hardware, or get fast local-network paths. It stays coordinated by the console but carries only your own gateways.

CLI

burrowee is the command-line client. It pairs once with a gateway, then forwards local TCP ports through the relay to services behind that gateway. burrowee connect gives any local program — a browser, a database client — a plain local port that secretly tunnels to the remote machine, and burrowee ssh drops you straight into an SSH session through the tunnel.

Console

The console at console.burrowee.com is the control plane: your account, your gateways, your sessions and domains, all in one dashboard. It coordinates the pieces — it mints the setup blobs that enrol gateways, assigns relays, and signs the credentials everything else verifies. It never carries your traffic.

The security model, in plain words

Everything between your client and your gateway is end-to-end encrypted. The two ends agree on keys directly with each other, through the relay, and the relay never holds them.

  • Only your gateway can decrypt. Requests are sealed on your client and opened on your gateway. Nothing in between can read them.
  • Relays forward blind. A relay — shared fleet or your own edge — sees that bytes are flowing and how many, but the bytes themselves are ciphertext.
  • The console coordinates and signs, but never sees traffic. It approves accounts, enrols gateways and issues signed credentials. It is not on the data path; your gateway is the one that verifies who may connect.

Pairing is deliberate, too. A new gateway or client is set up by pasting a one-time blob plus a short PIN, and a new CLI pairing must be approved by the gateway's operator. Nothing connects to your machine without your say-so.

CLI or browser session?

Use whichever fits the service:

  • Browser sessions suit web things. If the target is a web app — a dev server on port 3000, an internal dashboard — mint a session in the console and open it in any browser. You can share the session link, set an expiry, and revoke it.
  • The CLI suits everything that speaks TCP. SSH, databases, anything a local program needs a port for. Pair once, then burrowee connect --svc <name> or burrowee ssh --svc ssh whenever you need it.

Both routes go through the same encrypted tunnel to the same gateway.

When would I run an edge relay?

The shared relay fleet works out of the box. Run your own edge when you want:

  • Your own domain — serve your tunnelled web services from app.example.com rather than a Burrowee address.
  • Your own hardware on the path — traffic between your clients and gateways crosses only servers you operate. (It is ciphertext either way; an edge removes even the blind middleman you do not own.)
  • LAN speed — an edge on your local network gives clients on the same network a direct, fast path to the gateway, no internet round-trip.

Ready to try it? The quickstart takes you from sign-up to your first open session.