Browser Client - Web-based Remote Access

NetBird's Browser Client enables secure remote access to SSH and RDP resources directly from your web browser, without requiring any client software installation. This feature runs a NetBird peer as WebAssembly (WASM) in your browser, establishing secure connections through your existing NetBird network.

Overview

The Browser Client provides instant, secure remote access through your browser:

  • No installation required - Works directly in your browser without any software downloads
  • SSH and RDP support - Access Linux and Windows machines with complete protocol implementations
  • Secure by design - All connections are encrypted end-to-end with WireGuard®
  • True peer-to-peer - Runs a complete NetBird peer as WebAssembly in your browser
  • Works anywhere - Access your resources from any device with a modern web browser

Prerequisites

Before using the Browser Client, ensure:

  1. Admin privileges - You must be logged into the NetBird dashboard with an admin account (required for temporary ACL creation)
  2. Protocol requirements:
    • For SSH: The NetBird SSH server must be enabled on the target peer
    • For RDP: The RDP server must be enabled on the target machine
  3. Modern browser - You're using an up-to-date version of Chrome, Firefox, Edge, or Safari with WebAssembly support

Accessing Machines via the Browser Client

Quick Access from the Peers List

The easiest way to connect is directly from the Peers dashboard:

  1. Navigate to the Peers section in your NetBird dashboard
  2. Find the peer you want to access
  3. In the Remote Access section, click the SSH or RDP button

peer-list-view

SSH Connection

When connecting via SSH:

  1. Click the SSH button for your target peer
  2. A credentials modal will appear

ssh-credentials-modal

  1. Adjust the SSH username in the credentials modal if required
  2. Click Connect
  3. A terminal window will open in your browser with your SSH session

ssh-terminal-connected

RDP Connection

For RDP access:

  1. Click the RDP button for your target machine
  2. A new window will open with a credentials modal - enter your RDP server credentials:

rdp-credentials-modal

  • Username: Your username (can include domain: DOMAIN\username)
  • Password: Your password for the RDP server
  1. Click Connect
  2. In the same window, a certificate warning dialog will appear - review the certificate details

rdp-certificate-modal

  1. Click Accept and Continue to proceed with the connection
  2. The remote desktop will load in the window

rdp-connected-session

Connection Management

Active Sessions

While connected through the Browser Client:

  • Session persistence: Sessions remain active as long as the browser tab is open
  • Multiple connections: Open multiple tabs for concurrent sessions to different peers
  • Clipboard support: Copy and paste text between host and RDP in both directions

Session Security

The Browser Client maintains NetBird's security standards:

  • End-to-end encryption: All traffic is encrypted using WireGuard®
  • Temporary access: Uses NetBird's temporary access mechanism that:
    • Creates short-lived peers with WireGuard keys generated in the browser
    • Establishes temporary ACL rules (TCP/22, TCP/3389)
    • Automatically removes the peer and ACLs when the session ends
  • No data persistence: Keys and credentials exist only in browser memory

Troubleshooting

Common Connection Issues

"Failed to initialize WASM"

  • Clear your browser cache and cookies
  • Ensure JavaScript is enabled
  • Check if your browser supports WebAssembly
  • Try using a different browser

"Connection timeout"

  • Check that the SSH/RDP services are running on the target

"Authentication failed"

  • For RDP, try including the domain in the username (e.g., DOMAIN\username)

Known Limitations

RDP Compatibility

  • Windows 11 and Windows Server 2025 are currently not supported for RDP connections
  • Use Windows 10 or earlier Windows Server versions for RDP access

Browser Client Constraints

  • Relay-only connections: No direct P2P connections (may increase latency)
  • Advanced features: Some SSH/RDP features are not available (SFTP, sound, file shares, etc.)
  • Concurrent connections: Browser resource limits may affect multiple simultaneous sessions
  • RDP resolution changes: Require reconnection (not seamless)

Technical Implementation

For technical details on the Browser Client architecture, see the Browser Client Technical Architecture documentation.

SSH Requirements

For SSH access through the Browser Client:

  • NetBird SSH must be enabled on the target peer
  • The browser generates WireGuard keys and pre-registers the peer via the temporary access endpoint
  • Authentication uses the pre-generated WireGuard key pair (bypassing the usual OIDC or setup key flow)
  • The WASM NetBird client handles SSH connections internally

RDP Technology Stack

The RDP implementation is 100% client-side using:

  • IronRDP: High-performance Rust RDP client (Apache 2.0/MIT licensed)
  • RDCleanPath proxy: IronRDP's rdp proxy reimplemented to make use of NetBird
  • Both components are compiled to WebAssembly and run entirely in the browser

Security Considerations

When using the Browser Client:

  1. Always connect from trusted devices - The browser environment should be secure
  2. Use incognito/private mode on shared computers to ensure no session data persists
  3. Log out properly - Close the browser tab to ensure the session ends
  4. Keep your browser updated to receive the latest security patches
  5. Be cautious with browser extensions that might interfere with or monitor your sessions

The Browser Client provides a convenient, secure way to access your network resources without installing software, perfect for quick access from any device or when working from temporary workstations.